Advisories for Composer/Foodcoopshop/Foodcoopshop package

2023

Server-Side Request Forgery (SSRF)

FoodCoopShop is open source software for food coops and local shops. Versions prior to 3.6.1 are vulnerable to server-side request forgery. In the Network module, a manufacturer account can use the /api/updateProducts.json endpoint to make the server send a request to an arbitrary host. This means that the server can be used as a proxy into the internal network that the server sits on. Furthermore, the checks on a valid image …
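The advisory describes the classic SSRF shape: an authenticated but low-privileged user supplies a URL, and the server fetches it on the user's behalf, so loopback, RFC 1918 and cloud-metadata addresses become reachable. The example below is an added illustration of the check a server-side fetcher should make before following such a URL; it is not FoodCoopShop's code (the project is PHP, and the page does not show how 3.6.1 fixed the issue), and the hostnames and addresses in the constructed resolver table are made up. It validates scheme, port and embedded credentials, resolves the host, and rejects any result that is not a public unicast address.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical policy for a server-side image fetcher: only plain HTTP(S) on
# default ports, no userinfo, and no destination that resolves to a
# non-public address. Assumed values, not taken from the advisory.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}

# Constructed DNS table so the example runs offline; these names do not exist.
FAKE_DNS = {
    "cdn.example.org": ["93.184.216.34"],            # public address
    "intranet.example.org": ["10.0.0.5"],            # RFC 1918
    "rebind.example.org": ["93.184.216.34", "127.0.0.1"],  # mixed answer
}


def fake_resolve(host):
    """Stand-in for socket.getaddrinfo: IP literals resolve to themselves."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN: " + host)
    return FAKE_DNS[host]


def is_public_address(addr_text):
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 literals (::ffff:a.b.c.d) are unwrapped first so that
    a mapped loopback or private address is judged as its IPv4 value.
    """
    ip = ipaddress.ip_address(addr_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return False
    return ip.is_global


def validate_fetch_url(url, resolve=fake_resolve):
    """Return (ok, reason). Every resolved address must be public.

    `resolve` is injected so the logic can be exercised without network
    access; in production it would wrap socket.getaddrinfo.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %r" % port
    try:
        addrs = resolve(parts.hostname)
    except OSError as exc:
        return False, "unresolvable host: %s" % exc
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        try:
            public = is_public_address(addr)
        except ValueError:
            return False, "bad address from resolver: %r" % addr
        if not public:
            return False, "resolves to non-public address %s" % addr
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://cdn.example.org/logo.png",
              "http://127.0.0.1/",
              "http://169.254.169.254/latest/meta-data/",
              "http://intranet.example.org/",
              "http://[::ffff:10.0.0.1]/",
              "http://rebind.example.org/",
              "file:///etc/passwd"):
        print(u, "->", validate_fetch_url(u))
```

Two caveats matter in practice. First, checking the name and then letting an HTTP library resolve it again opens a DNS rebinding window; the fetcher should connect to the address that passed the check (or re-validate inside the connection callback). Second, redirects are a separate fetch: the same validation has to run on every `Location` the server would follow, or redirects should be disabled outright.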