CVE-2024-13195
Published: 09 January 2025
Description
A vulnerability was found in donglight bookstore电商书城系统说明 1.0.0. It has been classified as critical. This affects the function getHtml of the file src/main/java/org/zdd/bookstore/rawl/HttpUtil.java. The manipulation of the argument url leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Security Summary
CVE-2024-13195 is a server-side request forgery (SSRF) vulnerability, classified as critical, in the donglight bookstore e-commerce book city system version 1.0.0. The flaw affects the getHtml function in the file src/main/java/org/zdd/bookstore/rawl/HttpUtil.java, where manipulation of the url argument triggers the SSRF. It is remotely exploitable and associated with CWE-918, with a CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Exploitation enables SSRF, potentially allowing the attacker to make unauthorized requests from the server, resulting in low impacts to confidentiality, integrity, and availability.
Advisories are available via the project's GitHub issues at https://github.com/donglight/bookstore/issues/11 and VulDB entries including https://vuldb.com/?id.290787. The exploit has been publicly disclosed and may be used.
The vulnerability was published on 2025-01-09.
Details
- CWE(s)