CVE-2023-46725
Summary
A critical server-side request forgery (SSRF) vulnerability exists in FoodCoopShop versions prior to 3.6.1. The flaw lets an authenticated manufacturer account use the `/api/updateProducts.json` endpoint to make the server issue requests to arbitrary hosts, so the server can be used as a proxy into networks that are reachable only from it (internal services, loopback-bound admin interfaces). The vulnerability is patched in version 3.6.1.
IFF Assessment
The SSRF vulnerability allows an attacker who holds a manufacturer account to use the vulnerable server as a proxy, potentially reaching internal network resources that are not exposed to the attacker directly and exfiltrating data from them.
Severity
Defender Context
This SSRF vulnerability in FoodCoopShop is a significant risk, since it allows an attacker with a manufacturer account to pivot into internal networks. Defenders should prioritize patching FoodCoopShop to version 3.6.1 or later and monitor outbound traffic from the FoodCoopShop server for unusual requests, especially to loopback, private (RFC 1918) or link-local addresses, including cloud instance metadata endpoints, and to unexpected external destinations. Until the patch is applied, restricting which accounts hold the manufacturer role and limiting the server's egress at the network level reduce the exposure.
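The following is an added illustration, not code from FoodCoopShop or from this advisory, covering both the Summary (what check a URL-fetching endpoint such as the one named above should apply before following a user-supplied URL) and the Defender Context (flagging outbound connections from the server to internal addresses). The resolver table, allowlist, host names, and log format are all constructed assumptions so that the example runs offline.

```python
"""SSRF guard and outbound-connection triage.

Added example, not FoodCoopShop code. validate_fetch_url() is the kind of
check a fetching endpoint should run before following a user-supplied URL;
flag_internal_egress() is the kind of triage a defender can run over the
server's outbound-connection log. The resolver table, allowlist and log
format below are constructed for the example.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline. A real guard uses
# the system resolver and must re-check the address it actually connects to,
# since a name may resolve differently between check and fetch.
RESOLVER = {
    "cdn.example.org": "93.184.216.34",      # public address
    "images.example.org": "10.0.0.5",        # allowlisted name pointing inward
    "metadata.internal": "169.254.169.254",  # cloud metadata address
    "localtest.me": "127.0.0.1",             # name that resolves to loopback
}

# Hypothetical allowlist of hosts the fetch may contact.
ALLOWED_HOSTS = {"cdn.example.org", "images.example.org"}


def is_internal_target(ip: str) -> bool:
    """True for any address a user-supplied URL must never reach: loopback,
    private (RFC 1918 / ULA), link-local (which covers 169.254.169.254),
    unspecified, reserved and multicast, including IPv4-mapped IPv6 forms."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # treat ::ffff:127.0.0.1 as 127.0.0.1
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved or addr.is_multicast)


def validate_fetch_url(url: str, resolve=RESOLVER.get) -> Optional[str]:
    """Return None if the URL is safe to fetch, otherwise the rejection reason.

    Order matters: scheme and embedded credentials first, then an explicit
    host allowlist (which also rejects hex/decimal IP tricks such as
    0x7f000001, since they are not valid dotted-quad addresses and are not
    allowlisted names), and finally the resolved address, so an allowlisted
    name that points at an internal IP still fails."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    if parts.username or parts.password:
        return "credentials in URL"
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        ip = str(ipaddress.ip_address(host))  # literal IP in the URL
    except ValueError:
        if host not in ALLOWED_HOSTS:
            return "host not allowlisted"
        ip = resolve(host)
        if ip is None:
            return "host does not resolve"
    if is_internal_target(ip):
        return "resolves to internal address"
    return None


# Constructed outbound-connection log (hypothetical format: "ts src dst:port"),
# as a host firewall or egress proxy on the application server might write it.
SAMPLE_LOG = """\
2024-01-05T10:00:01Z web01 93.184.216.34:443
2024-01-05T10:00:07Z web01 169.254.169.254:80
2024-01-05T10:00:09Z web01 10.0.0.5:8080
2024-01-05T10:00:12Z web01 93.184.216.34:443
"""


def flag_internal_egress(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, destination) for each outbound connection from the
    web host to an internal address; these are the events the monitoring
    advice above is looking for."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, _src, dst = line.split()
        ip, _, _port = dst.rpartition(":")
        if is_internal_target(ip.strip("[]")):  # strip IPv6 brackets
            hits.append((ts, dst))
    return hits


if __name__ == "__main__":
    for u in ("https://cdn.example.org/p.png", "http://169.254.169.254/",
              "http://[::ffff:127.0.0.1]/", "http://0x7f000001/"):
        print(u, "->", validate_fetch_url(u) or "ok")
    print(flag_internal_egress(SAMPLE_LOG.splitlines()))
```

The guard deliberately checks the resolved address rather than the host name alone, and a production version must apply the same check to every redirect target and to the address the HTTP client finally connects to; validating only the initial URL string is the classic way such guards are bypassed.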