CVE-2021-39497
CRITICAL
EyouCMS 1.5.4 - Blind Server-Side Request Forgery via saveRemote Function
Title source: manual
Description
EyouCMS 1.5.4 lacks sanitization of input data, allowing an attacker to inject a URL to trigger blind SSRF via the saveRemote() function.
References (3)
Core References
Third Party Advisory x_refsource_misc
https://github.com/eyoucms/eyoucms/releases/tag/v1.5.4
Broken Link x_refsource_misc
http://hptcybersec.com/ssrf_PoC.jpg
Exploit, Third Party Advisory x_refsource_misc
https://github.com/KietNA-HPT/CVE
Scores
CVSS v3
9.8
EPSS
0.0228
EPSS Percentile
81.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-918
Status
published
Products (1)
eyoucms/eyoucms
1.5.4
Published
Sep 07, 2021
Tracked Since
Feb 18, 2026