4.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-1971

GHSA ID

GHSA-qr7h-8pv2-xvx2

EPSS Score

0.1031%

CWE

CWE-918

Published

4/10/2023

Updated

2/13/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-1971

CVE-2023-1971: yuan1994 tpAdmin vulnerable to Server-Side Request Forgery

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in yuan1994 tpAdmin 1.3.12. Affected is the function remote of the file application\admin\controller\Upload.php. The manipulation of the argument url leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-225408. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

(GitHub Advisory)

4.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-1971

GHSA ID

GHSA-qr7h-8pv2-xvx2

EPSS Score

0.1031%

CWE

CWE-918

Published

4/10/2023

Updated

2/13/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
yuan1994/tpadmin	composer	<= 1.3.12

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly identifies the remote function in Upload.php as the affected component, specifically highlighting manipulation of the 'url' parameter leads to SSRF. Multiple authoritative sources (CVE, GHSA, NVD) consistently reference this function and file path. The SSRF pattern matches typical cases where user-supplied URLs are fetched without proper validation of allowed domains or protocols.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

** UNSUPPORT** W**N *SSI*N** ** * vuln*r**ility, w*i** w*s *l*ssi*i** *s *riti**l, w*s *oun* in yu*n**** tp**min *.*.**. *****t** is t** *un*tion r*mot* o* t** *il* *ppli**tion\**min\*ontroll*r\Uplo**.p*p. T** m*nipul*tion o* t** *r*um*nt url l***s

Reasoning

T** vuln*r**ility **s*ription *xpli*itly i**nti*i*s t** r*mot* `*un*tion` in `Uplo**.p*p` *s t** *****t** *ompon*nt, sp**i*i**lly *i**li**tin* m*nipul*tion o* t** 'url' p*r*m*t*r l***s to SSR*. Multipl* *ut*orit*tiv* sour**s (*V*, **S*, NV*) *onsist*

4.9

Basic Information

Concerned about an active attack path?

CVE-2023-1971: yuan1994 tpAdmin vulnerable to Server-Side Request Forgery

4.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI