Beware! InfoDoc Document On-line Submission and Approval System Vulnerability Allows Attackers to Access Internal Files and Network

CVE: CVE-2023-37290
CVSS v3.1: 7.5
Source: CVE-2023-37290

InfoDoc Document On-line Submission and Approval System, a tool used for online document submission and approval, has a vulnerability that allows attackers to perform Server-Side Request Forgery (SSRF) attacks.

SSRF is a type of attack in which an attacker abuses a web application to make requests on their behalf, reaching internal files and network resources that are normally not accessible from the public internet. In this case, the vulnerability exists in InfoDoc’s HTML to PDF conversion feature. Because the feature does not sanitize HTML tags properly, an attacker can use tags like iframe to load remote or local resources.

This allows an unauthenticated attacker with just a web browser to gain unauthorized access to information on the server, such as passwords, source code or internal IP addresses. They can even map out the entire internal network of the targeted organization.

If you use InfoDoc, make sure to update to the latest version immediately once a patch is available. In the meantime, use it carefully and avoid opening documents or links from untrusted sources. Also ensure your server is properly configured to prevent external access to internal files and resources.
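One way to screen submitted HTML before it reaches an HTML to PDF converter, shown as an added example (this is not InfoDoc's code). The tag list, the allowlisted host `assets.example.com`, the function names and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes through which a renderer fetches a resource (assumed list for
# this example; extend it to match what your converter actually loads).
FETCHING_ATTRS = {
    "iframe": ("src",), "frame": ("src",), "embed": ("src",),
    "object": ("data",), "img": ("src",), "link": ("href",),
    "script": ("src",),
}
# Constructed allowlist: the only hosts the converter may fetch from.
ALLOWED_HOSTS = {"assets.example.com"}

def url_allowed(url):
    """Allow only absolute http(s) URLs whose host is on the allowlist."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False  # malformed URL, e.g. a broken IPv6 literal
    if parts.scheme.lower() not in ("http", "https"):
        return False  # rejects file:, ftp:, data: and relative paths
    return (parts.hostname or "").lower() in ALLOWED_HOSTS

class FetchScreen(HTMLParser):
    """Collects (tag, attribute, url) for every disallowed resource load."""
    def __init__(self):
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if tag == "iframe" and name == "srcdoc":
                self.violations.append((tag, name, "<inline document>"))
            elif name in FETCHING_ATTRS.get(tag, ()) and not url_allowed(value or ""):
                self.violations.append((tag, name, value))

def screen_html(html):
    """Return the list of violations; convert to PDF only if it is empty."""
    screen = FetchScreen()
    screen.feed(html)
    screen.close()
    return screen.violations

# Constructed sample submission, not taken from a real InfoDoc request.
SAMPLE = ('<img src="https://assets.example.com/logo.png">'
          '<iframe src="file:///path/on/server"></iframe>'
          '<iframe src="http://10.0.0.5:8080/admin"></iframe>')

if __name__ == "__main__":
    print(screen_html(SAMPLE))
```

Markup screening is only one layer: it does not cover every way a renderer can fetch content (CSS `url()` references, for instance), so the conversion process should also run without network access to internal ranges and without read access to sensitive files.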

Always keep your software updated to protect against vulnerabilities. And be extra cautious about opening documents or clicking links from unknown sources that could potentially exploit vulnerabilities in online tools. Your organization’s security is at risk.
