Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
FoodCoopShop Server-Side Request Forgery vulnerability
Vulnerability Description
FoodCoopShop is open source software for food coops and local shops. Versions starting with 3.2.0 prior to 3.6.1 are vulnerable to server-side request forgery. In the Network module, a manufacturer account can use the `/api/updateProducts.json` endpoint to make the server send a request to an arbitrary host. This means that the server can be used as a proxy into the internal network where the server is. Furthermore, the checks on a valid image are not adequate, leading to a time of check time of use issue. For example, by using a custom server that returns 200 on HEAD requests, then return a valid image on first GET request and then a 302 redirect to final target on second GET request, the server will copy whatever file is at the redirect destination, making this a full SSRF. Version 3.6.1 fixes this vulnerability.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
服务端请求伪造(SSRF)
Vulnerability Title
foodcoopshop 代码问题漏洞
Vulnerability Description
foodcoopshop是foodcoopshop开源的一款用于食品合作社和商店的开源软件。 foodcoopshop 3.6.1之前版本存在代码问题漏洞,该漏洞源于容易受到服务器端请求伪造攻击。
CVSS Information
N/A
Vulnerability Type
N/A