CVE-2023-46730
CVSS V2 None
CVSS V3 None
Description
Group-Office is an enterprise CRM and groupware tool. In affected versions there is full Server-Side Request Forgery (SSRF) vulnerability in the /api/upload.php endpoint. The /api/upload.php endpoint does not filter URLs which allows a malicious user to cause the server to make resource requests to untrusted domains. Note that protocols like file:// can also be used to access the server disk. The request result (on success) can then be retrieved using /api/download.php. This issue has been addressed in versions 6.8.15, 6.7.54, and 6.6.177. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Overview
- CVE ID
- CVE-2023-46730
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2023-11-07T17:35:36.332Z
- Last Modified Date
- 2023-11-07T17:35:36.332Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv | x_refsource_CONFIRM |
| https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50 | x_refsource_MISC |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-46730 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46730 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-06-24 22:59:35 | Added to TrackCVE |