
CVE-2024-25737: VuFind Server-Side Request Forgery (SSRF) vulnerability

CVSS Score (v3.1): 9.1

Basic Information

EPSS Score: 0.43089%
Published: 5/22/2024
Updated: 11/12/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name: vufind/vufind
Ecosystem: composer
Vulnerable Versions: >= 2.4, < 9.1.1
First Patched Version: 9.1.1

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from two key issues in showAction: 1) It accepted arbitrary URLs via the 'proxy' parameter without proper host validation (SSRF), and 2) It allowed dangerous content types like SVG through a simple 'image/' prefix check (XSS). The patches added host validation (proxyAllowedForUrl) and strict content-type checking (isValidProxyImageContentType), confirming these were missing in vulnerable versions. The showAction is the entry point for these flawed proxy operations.
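The two checks named in the root cause above, written out as an added illustration (this is not VuFind's own code, and the method bodies, the allowed-host list, and the sample URLs are assumptions made for the demo). The weak prefix check is kept beside the strict one so the difference on an SVG response is visible; the host check rejects anything that is not a plain http(s) URL to an allowlisted hostname. Assumes PHP 8 for `str_starts_with`.

```php
<?php
// Added illustration (not VuFind's code): strict content-type and host
// checks for an image proxy, alongside the weak "image/" prefix check the
// root cause describes. Allowlist and sample inputs are constructed.

declare(strict_types=1);

final class CoverProxyPolicy
{
    /** @var string[] hosts the proxy may fetch from (assumed config value) */
    private array $allowedHosts;

    public function __construct(array $allowedHosts)
    {
        $this->allowedHosts = array_map('strtolower', $allowedHosts);
    }

    // Weak check of the kind described in the root cause: anything starting
    // with "image/" passes, so a scriptable image/svg+xml body is served too.
    public static function weakContentTypeCheck(string $contentType): bool
    {
        return str_starts_with(strtolower($contentType), 'image/');
    }

    // Strict check: exact allowlist of raster types, media-type parameters
    // (e.g. "; charset=...") stripped before comparison.
    public static function isValidProxyImageContentType(string $contentType): bool
    {
        $type = strtolower(trim(explode(';', $contentType, 2)[0]));
        return in_array($type, ['image/gif', 'image/jpeg', 'image/png', 'image/webp'], true);
    }

    // Host validation: only http(s), no userinfo/port, no raw IP literals,
    // and the hostname must be on the configured allowlist.
    public function proxyAllowedForUrl(string $url): bool
    {
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return false;
        }
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return false;
        }
        if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
            return false;
        }
        $host = strtolower($parts['host']);
        if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
            return false; // reject IP literals, including loopback addresses
        }
        return in_array($host, $this->allowedHosts, true);
    }
}

// Demo with constructed inputs.
$policy = new CoverProxyPolicy(['covers.example.org']);
foreach ([
    'https://covers.example.org/isbn/123.jpg',          // allow
    'http://127.0.0.1:8080/status',                     // deny: IP literal + port
    'https://covers.example.org@other.example.net/x.png', // deny: userinfo trick
    'ftp://covers.example.org/x.png',                   // deny: scheme
] as $u) {
    printf("%-55s -> %s\n", $u, $policy->proxyAllowedForUrl($u) ? 'allow' : 'deny');
}
foreach (['image/png', 'image/svg+xml', 'image/jpeg; charset=utf-8'] as $ct) {
    printf("%-28s weak=%s strict=%s\n", $ct,
        CoverProxyPolicy::weakContentTypeCheck($ct) ? 'pass' : 'fail',
        CoverProxyPolicy::isValidProxyImageContentType($ct) ? 'pass' : 'fail');
}
```

Validating the requested URL is only half of the fix: the fetch itself should also refuse to follow redirects (or re-run `proxyAllowedForUrl` on every hop), otherwise an allowlisted host that redirects elsewhere reopens the SSRF path. Likewise, the content-type check should be applied to the upstream response, not to the requested URL's extension.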


WAF Protection Rules

WAF Rule

* Server-Side Request Forgery (SSRF) vulnerability in the /Cover/Show route (showAction in CoverController.php) in Open Library Foundation VuFind 2.4 through 9.1 before 9.1.1 allows remote attackers to access internal HTTP servers and perform Cross-Site Scripting (XSS) attacks.
