Server-Side Request Forgery in SLiMS
Posted date 19/09/2023
Identifier
INCIBE-2023-0398
Importance
5 - Critical
Affected Resources
SLiMS, 9.6.0 version
Description
INCIBE has coordinated the publication of 1 vulnerability in SLiMS (Senayan Library Management System), a library management system, which was discovered by David Utón Amaya (m3n0sd0n4ld).
This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector string, and CWE vulnerability type:
- CVE-2023-3744: CVSS v3.1: 9.9 | CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | CWE-918.
Solution
The vulnerability has been fixed in the latest version of SLiMS.
Detail
CVE-2023-3744: Server-Side Request Forgery vulnerability in SLiMS version 9.6.0. This vulnerability could allow an authenticated attacker to send requests to internal services or upload the contents of relevant files via the "scrape_image.php" file in the imageURL parameter.
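A defender-side detection for the pattern described above, added here as an example and not part of the INCIBE advisory or of SLiMS itself: it scans web-server access-log lines (the sample lines and the directory prefix before scrape_image.php are constructed) for requests to scrape_image.php whose imageURL parameter targets a loopback or private address, or uses a non-HTTP scheme.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not taken from the advisory). The path
# prefix is assumed; only the scrape_image.php basename comes from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2023:10:01:02 +0200] "GET /index.php?p=home HTTP/1.1" 200 512
10.0.0.5 - - [19/Sep/2023:10:01:10 +0200] "GET /admin/scrape_image.php?imageURL=https%3A%2F%2Fcovers.example.org%2Fcover.jpg HTTP/1.1" 200 2048
10.0.0.9 - - [19/Sep/2023:10:02:30 +0200] "GET /admin/scrape_image.php?imageURL=http%3A%2F%2F127.0.0.1%3A8080%2Fadmin HTTP/1.1" 200 128
10.0.0.9 - - [19/Sep/2023:10:02:45 +0200] "GET /admin/scrape_image.php?imageURL=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 1803
"""

# Common Log Format: source, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_image_url(url: str) -> Optional[str]:
    """Return a reason string if an imageURL value looks like SSRF, else None."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):          # e.g. file://, gopher://
        return f"non-http scheme '{scheme or '<none>'}'"
    host = (parts.hostname or "").lower()
    if host in ("", "localhost"):
        return "loopback/empty host"
    try:
        ip = ipaddress.ip_address(host)          # handles IPv4 and [IPv6] literals
    except ValueError:
        return None  # named host: resolve out of band before judging (rebinding risk)
    if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified:
        return f"internal address {ip}"
    return None


def scan_access_log(text: str) -> list:
    """Return one finding per suspicious imageURL sent to scrape_image.php."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if not target.path.endswith("/scrape_image.php"):
            continue
        for raw in parse_qs(target.query).get("imageURL", []):  # parse_qs URL-decodes
            reason = classify_image_url(raw)
            if reason:
                findings.append({"src": m["src"], "ts": m["ts"], "imageURL": raw, "reason": reason})
    return findings
```

Named hosts are deliberately left unjudged here; a production rule would resolve them separately and compare the result against the same address checks.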
Tags