CVE-2025-61768
BaseFortify
Publication date: 2025-10-06
Last updated on: 2025-10-08
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xuemian168 | kuno | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
This is a Server-Side Request Forgery (SSRF) in the Media module of the KUNO CMS administrative panel, affecting versions before 1.3.15. An authenticated administrator uploads a crafted SVG file that references an external image (an SVG image reference whose target URL is chosen by the uploader). When the server processes the upload, it follows that reference and opens an outbound connection to the attacker-chosen URL. A media upload handler has no legitimate reason to fetch arbitrary remote resources, which is why the CWE mapping pairs the unrestricted upload (CWE-434) and missing input validation (CWE-20) with the SSRF itself (CWE-918).
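The check a media upload endpoint should have applied, shown as an added example rather than KUNO's own code: parse the SVG, refuse DTD/entity declarations, and reject any href, xlink:href, src or CSS url()/@import whose target would make the server open a network connection. The sample SVGs and the hostname attacker.example are constructed for the example and do not come from the advisory.

```python
"""Added example: detect remote references in an uploaded SVG before any
server-side processing touches it. Generic check written to illustrate the
bug class, not code from the KUNO project. Hostnames below are made up."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
URL_ATTRS = ("href", XLINK_HREF, "src")
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)
CSS_IMPORT_RE = re.compile(r"@import\s+['\"]?([^'\";\s)]+)", re.IGNORECASE)


def _is_remote(ref):
    """True if following ref would open a network or filesystem path.
    Fragment-only (#id) and data: URIs stay inside the document; anything
    carrying a scheme (http:, https:, file:, ...) or a protocol-relative
    host (//host/...) does not."""
    ref = ref.strip()
    if not ref or ref.startswith("#"):
        return False
    parts = urlsplit(ref)
    if parts.scheme == "data":
        return False
    return bool(parts.scheme) or ref.startswith("//")


def find_external_refs(svg_bytes):
    """Return [(tag, attribute, url), ...] for every remote reference.
    Raises ValueError on DOCTYPE/ENTITY declarations, because external
    entities are a second route to the same outbound request (XXE)."""
    if re.search(rb"<!(DOCTYPE|ENTITY)\b", svg_bytes, re.IGNORECASE):
        raise ValueError("DOCTYPE/ENTITY declarations are not allowed in uploads")
    root = ET.fromstring(svg_bytes)
    found = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]          # drop the namespace prefix
        for attr in URL_ATTRS:
            val = el.get(attr)
            if val is not None and _is_remote(val):
                found.append((tag, attr.split("}")[-1], val.strip()))
        # Inline CSS can pull remote resources too: url(...) in style
        # attributes and <style> blocks, and @import in <style> blocks.
        css_sources = []
        if el.get("style"):
            css_sources.append(el.get("style"))
        if tag == "style" and el.text:
            css_sources.append(el.text)
        for css in css_sources:
            for target in CSS_URL_RE.findall(css) + CSS_IMPORT_RE.findall(css):
                if _is_remote(target):
                    found.append((tag, "css", target))
    return found


def is_safe_svg(svg_bytes):
    """Accept an upload only if it parses, carries no DTD and references
    nothing outside the document itself."""
    try:
        return not find_external_refs(svg_bytes)
    except (ValueError, ET.ParseError):
        return False


# Constructed sample: the pattern the advisory describes, an <image> whose
# href points at an attacker-controlled host, plus a CSS variant.
CRAFTED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="8" height="8">
  <image xlink:href="http://attacker.example/beacon.png" width="8" height="8"/>
  <style>.a { background: url(//attacker.example/css.png); }</style>
</svg>"""

# Constructed sample: a harmless SVG whose only references are fragments.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8">
  <defs><rect id="box" width="8" height="8"/></defs>
  <use href="#box" style="fill: url(#grad)"/>
</svg>"""

if __name__ == "__main__":
    for name, doc in (("crafted", CRAFTED_SVG), ("benign", BENIGN_SVG)):
        print(name, "safe" if is_safe_svg(doc) else "rejected", find_external_refs(doc))
```

The checker itself does not fetch anything: the DTD is rejected before parsing, and Python's expat parser does not resolve external entities on its own. Treat this as a gate in front of whatever renders or thumbnails the file; it is not a substitute for egress filtering on the server, which stops the outbound request even when a parser quirk slips past the check.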
How can this vulnerability impact me?
Because the uploader chooses the destination, the server can be made to connect to hosts it can reach but the attacker cannot: the request originates from the server's network position, so it can probe internal hosts and services and reveal whether they answer, and the connection itself discloses information such as the server's egress address. Exploitation requires an administrator account, so the practical exposure is a compromised or malicious admin, or an admin tricked into uploading a file supplied by someone else.
What immediate steps should I take to mitigate this vulnerability?
Upgrade KUNO CMS to version 1.3.15 or later, which fixes the SSRF in the Media module. Until the upgrade is in place, limit administrator accounts to trusted users, do not upload SVG files from untrusted sources, and watch for unexpected outbound connections from the server; egress filtering on the host blocks such requests outright and is worth keeping after the upgrade.