The vulnerability is an SSRF in the webhooks functionality. The provided commit patch modifies the sendRequest method in WebhookMessageHandler.php. This method is responsible for constructing and sending the HTTP request for a webhook. The patch adds a context parameter to the requestFactory->request() call, which is used to apply the new host allowlist filtering. This directly implies that sendRequest is the function that processes the user-controlled target URL and initiates the potentially vulnerable outbound request. Therefore, it would be present in a runtime profile when the SSRF is triggered.
The requestFactory->request() method is also involved, but it's a more generic HTTP client method. The sendRequest function is specific to the webhooks feature and is the direct consumer of the user-supplied webhook configuration, making it the most relevant vulnerable function in the context of this SSRF vulnerability within the webhooks module. The patch is applied within this function to mitigate the SSRF by enabling host filtering for webhook requests specifically.
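
As an added illustration (not TYPO3's code and not part of the patch), a host allowlist check of the kind the patch enables for webhook requests could look like this in PHP 8. The function name isWebhookTargetAllowed, the wildcard syntax and the sample hosts are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper for illustration; TYPO3's real filtering lives in its HTTP layer.
function isWebhookTargetAllowed(string $url, array $allowedHosts): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // malformed or host-less URLs are never requested
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // webhooks only need HTTP(S)
    }
    // parse_url() splits off userinfo, so "allowed-host@other-host" yields "other-host".
    // Normalise case and a trailing root dot before comparing.
    $host = rtrim(strtolower($parts['host']), '.');

    foreach ($allowedHosts as $pattern) {
        $pattern = strtolower($pattern);
        if ($host === $pattern) {
            return true; // exact match
        }
        if (str_starts_with($pattern, '*.')) {
            $suffix = substr($pattern, 1); // ".partner.example"
            // Match sub-domains on a label boundary only, never a bare suffix.
            if (strlen($host) > strlen($suffix) && str_ends_with($host, $suffix)) {
                return true;
            }
        }
    }
    return false; // default deny: anything not listed is blocked
}

// Constructed sample allowlist and target URLs.
$allowed = ['hooks.example.org', '*.partner.example'];
$samples = [
    'https://hooks.example.org/notify',
    'https://api.partner.example/in',
    'http://127.0.0.1:8080/status',
    'https://hooks.example.org@127.0.0.1/',
    'https://evilpartner.example/',
    'ftp://hooks.example.org/file',
];
foreach ($samples as $url) {
    printf("%-40s %s\n", $url, isWebhookTargetAllowed($url, $allowed) ? 'send' : 'block');
}
```

A hostname check like this says nothing about where the name resolves or where a redirect leads, so the HTTP client has to apply the same policy to redirects as well.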

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| typo3/cms-webhooks | composer | >= 12.0.0, <= 12.4.30 | 12.4.31 |
| typo3/cms-webhooks | composer | >= 13.0.0, <= 13.4.11 | 13.4.12 |