CVE-2021-24371 - Server-Side Request Forgery (SSRF) vulnerability in Carrcommunications Rsvpmaker

CVSS 2.7 - LOW
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: HIGH
Confidentiality impact: LOW
Integrity impact: NONE
Availability impact: NONE
CWE-918

Summary

The Import feature of the RSVPMaker WordPress plugin before 8.7.3 (/wp-admin/tools.php?page=rsvpmaker_export_screen) takes a URL as input and calls curl on it without first validating it to ensure it is a remote one. As a result, a high-privilege user could use that feature to scan the internal network via an SSRF attack.
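An added example (not RSVPMaker's code or its 8.7.3 patch) of the validation the summary says was missing: the URL is refused unless it is http(s) and every address it resolves to is public, and curl is then pinned to the checked address with redirects disabled. The function names, the stub resolver and the sample URLs are constructed for illustration.

```php
<?php
// Added example, not RSVPMaker code; function names are hypothetical.
// Returns the public IPs a URL resolves to, or [] when the URL must be refused.
function example_public_ips(string $url, ?callable $resolve = null): array {
    $resolve ??= fn(string $h): array => gethostbynamel($h) ?: []; // IPv4 lookups only
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host']) || isset($p['user'])) return [];
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) return [];
    $host = trim($p['host'], '[]');
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolve($host);
    foreach ($ips as $ip) { // every address must be public, not just the first
        if (!filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) return [];
    }
    return $ips;
}

// Fetch only after validation, pinning curl to the address that was checked.
function example_safe_fetch(string $url, ?callable $resolve = null): ?string {
    $ips = example_public_ips($url, $resolve);
    if (!$ips) return null;
    $p = parse_url($url);
    $port = $p['port'] ?? (strtolower($p['scheme']) === 'https' ? 443 : 80);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // a redirect could point back inside
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$p['host']}:{$port}:{$ips[0]}"], // no second DNS lookup
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    return is_string($body) ? $body : null;
}

// Constructed inputs; the stub resolver stands in for DNS so this runs offline.
$stub = fn(string $h): array => [
    'intranet.example' => ['10.0.0.5'],
    'feeds.example'    => ['93.184.216.34'],
][$h] ?? [];
foreach (['http://127.0.0.1/', 'http://192.168.1.10:8080/', 'file:///etc/passwd',
          'http://intranet.example/', 'https://feeds.example/events.json'] as $u) {
    printf("%-36s %s\n", $u, example_public_ips($u, $stub) ? 'allow' : 'refuse');
}
```

Resolving once and passing that address to curl through CURLOPT_RESOLVE keeps the check and the request on the same IP, so a DNS answer that changes between the two cannot redirect the fetch to an internal host.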

Vulnerable Configurations

Part | Description | Count
Application | Carrcommunications | 369

Common Weakness Enumeration (CWE)