Lucene search
Pabl00nicarresH1:863221HistoryApr 30, 2020 - 1:38 p.m.
Concrete CMS: SSRF bypass
2020-04-3013:38:41
pabl00nicarres
hackerone.com
25
0.002 Low
EPSS
Percentile
58.7%
This simply describes a bypass for report at https://hackerone.com/reports/243865, using a decimal notation encoded IP address (0177.0.0.1
) currently bypasses the limitations in place for localhost.
crayons (re-submitting report including “magic” string)
Concrete5 version used is 8.5.2
Impact
Interacting with local services, impact may vary depending on services actually exposed.
Related
cvelist
cvelist
CVE-2021-22958
2021-10-07 13:35:02
osv
osv
Server-Side Request Forgery vulnerability in concrete5
2021-10-12 18:41:59
cnvd
cnvd
Portlandlabs Concrete5 server-side request forgery vulnerability
2021-10-10 00:00:00
prion
prion
Server side request forgery (ssrf)
2021-10-07 14:15:00
github
github
Server-Side Request Forgery vulnerability in concrete5
2021-10-12 18:41:59
veracode
veracode
Server-side Request Forgery (SSRF)
2021-10-08 06:19:52
cve
cve
CVE-2021-22958
2021-10-07 14:15:08
nvd
nvd
CVE-2021-22958
2021-10-07 14:15:08
openvas
openvas
Concrete CMS < 8.5.5 Multiple Vulnerabilities
2021-03-29 00:00:00