CVE-2024-0304

A vulnerability has been found in Youke365 up to 1.5.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /app/api/controller/collect.php. The manipulation of the argument url leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249871.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
VulDBCNA
6.3 MEDIUM
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 37%
VendorProductVersion
youke365youke_365
1.5.0 ≤
𝑥
≤ 1.5.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://note.zhaoj.in/share/3jF3Xpl3ttlZ
https://vuldb.com/?ctiid.249871
https://vuldb.com/?id.249871
https://note.zhaoj.in/share/3jF3Xpl3ttlZ
https://vuldb.com/?ctiid.249871
https://vuldb.com/?id.249871