Home > Vulnerability Database > CVE-2022-24980

Mend.io Vulnerability Database

CVE-2022-24980

Good to know:

Date: February 18, 2022

An issue was discovered in the Kitodo.Presentation (aka dif) extension before 2.3.2, 3.x before 3.2.3, and 3.3.x before 3.3.4 for TYPO3. A missing access check in an eID script allows an unauthenticated user to submit arbitrary URLs to this component. This results in SSRF, allowing attackers to view the content of any file or webpage the webserver has access to.

Language: PHP

Severity Score

7.5

Related Resources (7)

Url: https://github.com/kitodo/kitodo-presentation/commit/4a20621afc30778ba3b045be5110353cf4fd4fd4

Url: https://github.com/kitodo/kitodo-presentation/commit/9700478b46445f562c3e2051d61565d779f59275

Url: https://typo3.org/help/security-advisories

Url: https://github.com/kitodo/kitodo-presentation/commit/059be3f82b08c60cbb798986cd3ff22dbf60a5e4

Url: https://typo3.org/security/advisory/typo3-ext-sa-2022-001

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-24980

Url: https://www.mend.io/vulnerability-database/CVE-2022-24980

Severity Score

7.5

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version v3.2.3,v3.3.4

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-24980

Good to know:

Date: February 18, 2022

Language: PHP

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?