Incomplete fix for SSRF in CVE-2023-4651 in instantsoft/icms2
Sep 4th 2023
The fix (commit a6bf758de0b3242b0c0e4b47a588aae0c94305b0) for CVE-2023-4651 is not complete. Only IP-based URLs are blocked; a hostname that resolves to an internal address is still fetched.
Proof of Concept
Clone the latest repo and install.
On the server, listen on localhost port 1234.
Use http://localhost:1234/ as URL for image upload.
Observe a hit on port 1234.
Port scanning is possible as described in https://huntr.dev/bounties/beba9b98-2a5c-4629-987d-b67f47ba9437/
Other impact depending on internal service may also be possible.
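To illustrate the gap the report describes, the following is an added example written for this page; it is not code from instantsoft/icms2 and does not reproduce the actual patch. It contrasts a check that only inspects IP literals (the shape of the incomplete fix) with one that resolves the hostname and judges every resulting address. The blocked ranges, the hostnames and the `fake_resolve` lookup table are constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Ranges an image fetcher should never reach. This is a constructed policy for
# the example; a real deployment extends it (e.g. cloud metadata addresses).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed stand-in for DNS so the example needs no network access.
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "intranet.example": ["10.0.0.5"],
    "cdn.example": ["1.2.3.4"],
}


def fake_resolve(hostname):
    """Return the constructed A/AAAA answers for hostname (empty if unknown)."""
    return FAKE_DNS.get(hostname.lower(), [])


def is_blocked_ip(ip_text):
    """True if the address falls in a blocked range. Raises ValueError if ip_text
    is not an IP literal at all."""
    addr = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def literal_only_allows(url):
    """Incomplete check: rejects blocked IP literals but lets any hostname
    through without resolving it."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        return not is_blocked_ip(host)
    except ValueError:
        return True  # a hostname, not a literal: allowed unchecked (the gap)


def resolved_allows(url, resolve=fake_resolve):
    """Complete check: restrict the scheme, judge IP literals directly, and for
    hostnames judge every address they resolve to. Fails closed on lookup
    failure."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    host = parts.hostname
    try:
        return not is_blocked_ip(host)
    except ValueError:
        pass  # not a literal; fall through to resolution
    addrs = resolve(host)
    if not addrs:
        return False  # unresolvable: refuse rather than guess
    return not any(is_blocked_ip(a) for a in addrs)


if __name__ == "__main__":
    for url in ("http://127.0.0.1:1234/", "http://localhost:1234/",
                "http://intranet.example/", "http://cdn.example/img.png"):
        print(f"{url:32} literal-only={literal_only_allows(url)!s:5} "
              f"resolved={resolved_allows(url)}")
```

Resolving at validation time closes the hostname gap but is still a point-in-time answer: the address checked must be the one the fetcher actually connects to (pin it, or re-check inside the connection hook) and any HTTP redirect must be validated again, otherwise a second lookup or a redirect can land on an address the check never saw.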