Security for everyone

CVE-2021-46107 Scanner

Detects the Server-Side Request Forgery (SSRF) vulnerability in Ligeo Archives Ligeo Basics as of 02_01-2022, which allows unauthorized document access.


Short Info

Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 sec
Scan only one: Domain, IPv4
Toolbox: -

Ligeo Archives Ligeo Basics is a comprehensive archival management software designed for organizing, preserving, and accessing digital archives. This platform is utilized by libraries, museums, and archival institutions to manage their collections digitally. It offers features for cataloging, search, and retrieval of documents, making it an essential tool for historians, researchers, and archivists. The software aims to simplify the archival process while ensuring the accessibility and preservation of historical documents and artifacts.

The vulnerability is present in the document download functionality, where an attacker can manipulate the file parameter to request internal files or interact with internal services. Specifically, the software does not adequately validate or sanitize the input for the file parameter in the download request, allowing for external URLs or file paths to be specified. This can lead to the disclosure of sensitive system files, such as /etc/passwd, or interaction with internal network services through crafted URLs.
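A server-side check for the file parameter described above, as an added example that is not Ligeo's code and not part of the original page: it refuses URLs and absolute paths and only serves regular files that resolve inside one document root. The names `resolve_download`, `RejectedDownload` and `check_samples`, the root layout and the sample inputs are constructed for illustration.

```python
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

class RejectedDownload(ValueError):
    """The requested value must not be served."""

def resolve_download(file_param: str, root: Path) -> Path:
    """Map an untrusted `file` value to a regular file under `root`, or raise."""
    value = file_param.strip()
    if not value or "\x00" in value:
        raise RejectedDownload("empty value or NUL byte")
    # A scheme (http://, file://) or //host form is a URL, never a document name.
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        raise RejectedDownload("URL supplied")
    if value.startswith("/") or "\\" in value:
        raise RejectedDownload("absolute or non-POSIX path")
    # resolve() collapses ".." and follows symlinks before the containment test.
    root = root.resolve()
    candidate = (root / value).resolve()
    if root not in candidate.parents:
        raise RejectedDownload("outside document root")
    if not candidate.is_file():
        raise RejectedDownload("not a regular file")
    return candidate

def check_samples() -> dict:
    """Run constructed inputs against a throwaway document root (assumed layout)."""
    samples = ["fonds/inventory.pdf", "/etc/passwd", "../../etc/passwd",
               "file:///etc/passwd", "http://127.0.0.1:8080/status"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "archive"
        (root / "fonds").mkdir(parents=True)
        (root / "fonds" / "inventory.pdf").write_bytes(b"%PDF-constructed")
        for sample in samples:
            try:
                resolve_download(sample, root)
                results[sample] = "served"
            except RejectedDownload as exc:
                results[sample] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    for sample, outcome in check_samples().items():
        print(f"{sample!r:40} {outcome}")
```

The containment test runs on the resolved path, so a symlink inside the root that points elsewhere is rejected as well.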

Exploitation of this SSRF vulnerability can lead to significant security breaches, including unauthorized access to sensitive documents, data leaks, and potential internal network reconnaissance. Attackers could exploit this flaw to gain insights into internal systems, extract confidential information, or even perform actions on behalf of the server, posing a critical risk to the security and privacy of the archival data.

By leveraging the security scanning capabilities of securityforeveryone, users can detect and address vulnerabilities like SSRF in Ligeo Archives Ligeo Basics. Our platform provides in-depth vulnerability assessments, detailed reports, and practical remediation guidance, helping institutions protect their digital archives against cyber threats. Membership offers continuous monitoring, expert support, and the assurance that your digital assets are safeguarded against emerging vulnerabilities, enhancing your cybersecurity posture.

 
