Blind Server-Side Request Forgery (SSRF) in RSS feeds
Low
cedric-anne
published
GHSA-r57v-j88m-rwwfApr 5, 2023
Package
glpi
(glpi)
Affected versions
>= 0.84
Patched versions
9.5.13, 10.0.7
Description
Impact
Usage of RSS feeds is subject to SSRF exploit.
In case remote address is not a valid RSS feed, a RSS autodiscovery feature is triggered. This feature does not check safetiness or URLs.
Patches
Upgrade to 10.0.7.
For more information
If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org
Impact
Usage of RSS feeds is subject to SSRF exploit.
In case remote address is not a valid RSS feed, a RSS autodiscovery feature is triggered. This feature does not check safetiness or URLs.
Patches
Upgrade to 10.0.7.
For more information
If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org