CVE-2022-24980

EPSS 0.86%
Veröffentlicht 19.02.2022 04:15:07
Zuletzt bearbeitet 21.11.2024 06:51:29
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in the Kitodo.Presentation (aka dif) extension before 2.3.2, 3.x before 3.2.3, and 3.3.x before 3.3.4 for TYPO3. A missing access check in an eID script allows an unauthenticated user to submit arbitrary URLs to this component. This results in SSRF, allowing attackers to view the content of any file or webpage the webserver has access to.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Kitodo ≫ Kitodo.Presentation SwPlatformtypo3 Version < 2.3.2

Kitodo ≫ Kitodo.Presentation SwPlatformtypo3 Version >= 3.0.0 < 3.2.3

Kitodo ≫ Kitodo.Presentation SwPlatformtypo3 Version >= 3.3.0 < 3.3.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.86%	0.737

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://typo3.org/help/security-advisories

Vendor Advisory

https://typo3.org/security/advisory/typo3-ext-sa-2022-001

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-24980

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-24980

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-24980

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-24980