Home > Vulnerability Database > CVE-2023-46730

Mend.io Vulnerability Database

CVE-2023-46730

Date: November 7, 2023

Group-Office is an enterprise CRM and groupware tool. In affected versions there is full Server-Side Request Forgery (SSRF) vulnerability in the /api/upload.php endpoint. The /api/upload.php endpoint does not filter URLs which allows a malicious user to cause the server to make resource requests to untrusted domains. Note that protocols like file:// can also be used to access the server disk. The request result (on success) can then be retrieved using /api/download.php. This issue has been addressed in versions 6.8.15, 6.7.54, and 6.6.177. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: PHP

Severity Score

7.4

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-46730

Url: https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50

Url: https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv

Url: https://www.mend.io/vulnerability-database/CVE-2023-46730

Severity Score

7.4

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

CVSS v3.1

Base Score:	7.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2023-46730

Date: November 7, 2023

Language: PHP

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?