Server-side Request Forgery (SSRF)

Affecting yoast-seo-for-typo3/yoast_seo package, versions <7.2.1


Overview

yoast-seo-for-typo3/yoast_seo is the Yoast SEO extension for TYPO3.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). The extension fails to restrict analyzed URLs to domains managed by the current TYPO3 website. A logged-in TYPO3 backend user can make HTTP requests to arbitrary domains, including the web server itself or other internally managed resources.
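The missing control is an allowlist of the hosts the site actually manages. The following is an added example of such a check, not code from the extension or the TYPO3 project; the function name, the list of managed hosts (in practice derived from the site configuration) and the sample URLs are constructed for illustration.

```php
<?php
// Added example (not the extension's own code): restrict an analysis URL to
// hostnames managed by the current site before any HTTP request is made.
// isAllowedAnalysisUrl and $managedHosts are hypothetical names.
declare(strict_types=1);

function isAllowedAnalysisUrl(string $url, array $managedHosts): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                       // malformed or relative URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                       // only web schemes are analyzable
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                       // no embedded credentials
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    // Exact hostname match against the allowlist; never a substring or
    // prefix test, so "example.com.other.tld" does not pass for example.com.
    return in_array($host, array_map('strtolower', $managedHosts), true);
}

// Constructed sample data: hosts this site manages and URLs to check.
$managedHosts = ['www.example.com', 'example.com'];
$checks = [
    'https://www.example.com/page'     => true,
    'http://localhost/'                => false,   // the web server itself
    'http://127.0.0.1/'                => false,   // internal resources
    'https://example.com.other.tld/'   => false,   // lookalike hostname
    'file:///etc/hosts'                => false,   // non-web scheme
    'https://user:pw@www.example.com/' => false,   // credentials in URL
];
foreach ($checks as $url => $expected) {
    $ok = isAllowedAnalysisUrl($url, $managedHosts) === $expected;
    printf("%s %s\n", $ok ? 'PASS' : 'FAIL', $url);
}
```

The check only covers the initial URL; a fetcher that follows redirects must re-run it on every redirect target, and the allowlisted hostnames should come from the site's own configuration rather than from request input.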

Remediation

Upgrade yoast-seo-for-typo3/yoast_seo to version 7.2.1 or higher.

CVSS Score

5.0 (medium severity)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:F/RL:O/RC:C
Credit
Andrey Basarygin, Andrey Guzei, Mikhail Khramenkov, Alexander Siduko, Maxim Teplykh
CVE
CVE-2021-31779
CWE
CWE-918
Snyk ID
SNYK-PHP-YOASTSEOFORTYPO3YOASTSEO-1277196
Disclosed
28 Apr, 2021
Published
28 Apr, 2021