CVE-2021-24371

CVE-2021-24371: RSVPMaker < 8.7.3 - Authenticated (admin+) SSRF

Vendor Unknown

Product RSVPMaker

Weakness CWE-918 · SSRF

Published August 2, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The Import feature of the RSVPMaker WordPress plugin before 8.7.3 (/wp-admin/tools.php?page=rsvpmaker_export_screen) takes an URL input and calls curl on it, without first validating it to ensure it's a remote one. As a result, a high privilege user could use that feature to scan the internal network via a SSRF attack.

Key dates

02Disclosure timeline

August 2, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24371

Related vulnerabilities

04Related CVE

CVE-2022-41552 Server-Side Request Forgery Vulnerability in Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center Analyzer CVE-2022-1722 SSRF in editor's proxy via IPv6 link-local address in jgraph/drawio CVE-2024-43394 Apache HTTP Server: SSRF on Windows due to UNC paths CVE-2026-25545 Astro has Full-Read SSRF in error rendering via Host: header injection CVE-2025-62155 QuantumNous New API Has SSRF Bypass