Vulnerabilities > CVE-2017-1000237 - Server-Side Request Forgery (SSRF) vulnerability in I-Librarian I Librarian

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

i-librarian

CWE-918

critical

NVD

Published: 2017-11-17

Updated: 2017-11-29

Summary

I, Librarian version <=4.6 & 4.7 is vulnerable to Server-Side Request Forgery in the ajaxsupplement.php resulting in the attacker being able to reset any user's password.

Vulnerable Configurations

Part	Description	Count
Application	I-Librarian I Librarian I Librarian 3.0 I Librarian I Librarian 3.1 I Librarian I Librarian 3.2 I Librarian I Librarian 3.2.1 I Librarian I Librarian 3.3 I Librarian I Librarian 3.4 I Librarian I Librarian 3.4.1 I Librarian I Librarian 3.5 I Librarian I Librarian 4.0 I Librarian I Librarian 4.1 I Librarian I Librarian 4.2 I Librarian I Librarian 4.3 I Librarian I Librarian 4.4 I Librarian I Librarian 4.5 I Librarian I Librarian 4.6 I Librarian I Librarian 4.7	16

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

References

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170509-0_I_Librarian_Multiple_vulnerabilities_v10.txt