Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14ODMyLXIycmotNGc1cM0t1w
SSRF in Kitodo.Presentation
An issue was discovered in the Kitodo.Presentation (aka dlf) extension before 2.3.2, 3.x before 3.2.3, and 3.3.x before 3.3.4 for TYPO3. A missing access check in an eID script allows an unauthenticated user to submit arbitrary URLs to this component. This results in SSRF, allowing attackers to view the content of any file or webpage the webserver has access to.
Permalink: https://github.com/advisories/GHSA-x832-r2rj-4g5pJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14ODMyLXIycmotNGc1cM0t1w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: 10 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-x832-r2rj-4g5p, CVE-2022-24980
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-24980
- https://typo3.org/help/security-advisories
- https://typo3.org/security/advisory/typo3-ext-sa-2022-001
- https://github.com/kitodo/kitodo-presentation/commit/059be3f82b08c60cbb798986cd3ff22dbf60a5e4
- https://github.com/kitodo/kitodo-presentation/commit/4a20621afc30778ba3b045be5110353cf4fd4fd4
- https://github.com/kitodo/kitodo-presentation/commit/9700478b46445f562c3e2051d61565d779f59275
- https://security.snyk.io/vuln/SNYK-PHP-KITODOPRESENTATION-2407280
- https://github.com/advisories/GHSA-x832-r2rj-4g5p
Blast Radius: 9.0
Affected Packages
packagist:kitodo/presentation
Dependent packages: 4Dependent repositories: 16
Downloads: 1,575 total
Affected Version Ranges: >= 3.3.0, < 3.3.4, >= 3.0.0, < 3.2.3, < 2.3.2
Fixed in: 3.3.4, 3.2.3, 2.3.2
All affected versions: 2.3.0, 2.3.1, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3
All unaffected versions: 2.3.2, 3.2.3, 3.3.4, 4.0.0, 4.0.1, 4.1.0