N/A

A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the server to initiate an HTTP request to an arbitrary internal or external network address. Successful exploitation could lead to internal network reconnaissance, port scanning, or the retrieval of sensitive information. The vulnerability may be present in the backend API called by or associated with the path `/admin/#/webset/?head_tab_active=0`, where user-provided XML data is processed.

N/A

N/A

MetInfo CMS 安全漏洞

MetInfo CMS是中国米拓（MetInfo）公司的一个内容管理系统。 MetInfo CMS 8.1及之前版本存在安全漏洞，该漏洞源于XML解析逻辑缺陷，可能导致服务器端请求伪造攻击。

N/A

N/A