CVE-2017-16614

CRITICAL

tpshop 2.0.5-2.0.6 - Server-Side Request Forgery via WxPay.tedatac.php fBill Parameter

Description

SSRF (Server Side Request Forgery) in tpshop 2.0.5 and 2.0.6 allows remote attackers to obtain sensitive information, attack intranet hosts, or possibly trigger remote command execution via the plugins/payment/weixin/lib/WxPay.tedatac.php fBill parameter.

References (1)

Core References
Mailing List, Third Party Advisory (mailing-list, x_refsource_fulldisc)
http://seclists.org/fulldisclosure/2018/Mar/77

Scores

CVSS v3 9.8
EPSS 0.0300
EPSS Percentile 85.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-918
Status published
Products (2)
tp-shop/tpshop 2.0.5
tp-shop/tpshop 2.0.6
Published Mar 30, 2018
Tracked Since Feb 18, 2026