OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. By manually manipulating http requests when using the draw.io integration it is possible to read arbitrary files as the configured system user and SSRF. The problem is fixed in version 18.1.6 and 18.2.2. It is advised to upgrade to the latest version of 18.1.x or 18.2.x. Users unable to upgrade may work around this issue by disabling the Draw.io module or the entire REST API which will secure the system.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-03-11T19:38:26.088Z
Updated: 2024-08-02T00:48:49.441Z
Reserved: 2024-03-06T17:35:00.860Z
Link: CVE-2024-28198
Vulnrichment
Updated: 2024-05-23T19:01:16.943Z
NVD
Status : Awaiting Analysis
Published: 2024-03-11T20:15:07.643
Modified: 2024-11-21T09:06:00.677
Link: CVE-2024-28198
Redhat
No data.