Vulnerability title
N/A
Vulnerability description
A Server-Side Request Forgery (SSRF) vulnerability exists in the /Upgrade/FixConfig route of Open Library Foundation VuFind 2.0 through 9.1 (before 9.1.1). It allows a remote attacker to overwrite local configuration files in order to gain access to the administrator panel and achieve remote code execution. A mitigating factor is that the allow_url_include PHP runtime setting must be enabled, which it is not in a default installation. In addition, the /Upgrade route must be exposed; it is exposed by default after installing VuFind, and it is recommended to disable this route by setting autoConfigure to false in config.ini to reduce the risk.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability category
Server-Side Request Forgery (SSRF)
Vulnerability title
N/A
Vulnerability description
A Server-Side Request Forgery (SSRF) vulnerability in the /Upgrade/FixConfig route in Open Library Foundation VuFind 2.0 through 9.1 before 9.1.1 allows a remote attacker to overwrite local configuration files to gain access to the administrator panel and achieve Remote Code Execution. A mitigating factor is that it requires the allow_url_include PHP runtime setting to be on, which is off in default installations. It also requires the /Upgrade route to be exposed, which it is by default after installing VuFind; disabling that route by setting autoConfigure to false in config.ini is recommended.
CVSS information
N/A
Vulnerability category
N/A
Vulnerability title
Open Library Foundation VuFind security vulnerability
Vulnerability description
Open Library Foundation VuFind is an open-source library resource discovery system from the Open Library Foundation. Open Library Foundation VuFind versions from 2.0 up to (but not including) 9.1.1 contain a security vulnerability: a Server-Side Request Forgery (SSRF) flaw that allows a remote attacker to overwrite local configuration files and thereby achieve remote code execution.
CVSS information
N/A
Vulnerability category
Other