CVE-2023-25262

Published: Mar 28, 2023Modified: Feb 19, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Stimulsoft GmbH Stimulsoft Designer (Web) 2023.1.3 is vulnerable to Server Side Request Forgery (SSRF). TThe Reporting Designer (Web) offers the possibility to embed sources from external locations. If the user chooses an external location, the request to that resource is performed by the server rather than the client. Therefore, the server causes outbound traffic and potentially imports data. An attacker may also leverage this behaviour to exfiltrate data of machines on the internal network of the server hosting the Stimulsoft Reporting Designer (Web).

Affected (2)

Products: Stimulsoft: Designer

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Stimulsoft Designer	Version 2023.1.3
Stimulsoft Designer	Version 2023.1.4

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (6)

http://stimulsoft.com

Source: cve@mitre.org

Vendor Advisory

https://cloud-trustit.spp.at/s/HjEksN86SfsMaJM

Source: cve@mitre.org

Broken Link

https://cves.at/posts/cve-2023-25262/writeup/

Source: cve@mitre.org

ExploitThird Party Advisory

http://stimulsoft.com

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://cloud-trustit.spp.at/s/HjEksN86SfsMaJM

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://cves.at/posts/cve-2023-25262/writeup/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.