← back
CVE-2021-47958

CouchCMS 2.2.1 Server-Side Request Forgery via SVG upload

CVSS 5.3 MEDIUMEPSS 0.2%CWE-918
CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal services and resources.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
Affected products
CouchCMS · CouchCMS
public PoCs found1
cve_referencewww.exploit-db.com/exploits/49675unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/CouchCMS/CouchCMShttps://www.exploit-db.com/exploits/49675https://www.vulncheck.com/advisories/couchcms-server-side-request-forgery-via-svg-upload