go to Content

TWCERT/CC Taiwan Computer Emergency Response Team/Coordination Center



Cellopoint CelloOS - Server-Side Request Forgery (SSRF)

TVN ID TVN-202006004
Public Date 2020-08-27
Affected Products CelloOS v4.1.10 Build 20190922
Description Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputted properly. With cookie of an authenticated user, attackers can temper with the URL parameter and access arbitrary file on system.
CVE ID CVE-2020-17386
Solution Update to v4.1.12 Build 20200701 or higher.
Credit Cyku Hong from DEVCORE (https://devco.re)