← voltar
CVE-2025-54122

Manager-io/Manager allows unauthenticated full read server-side request forgery in "proxy" endpoint

CVSS 10 CRITICALEPSS 0.8%CWE-918
Vexday Risk Score
28Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 10EPSS 0.8%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
21 jul 2025Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Manager-io/Manager is accounting software. A critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability has been identified in the proxy handler component of both manager Desktop and Server edition versions up to and including 25.7.18.2519. This vulnerability allows an unauthenticated attacker to bypass network isolation and access restrictions, potentially enabling access to internal services, cloud metadata endpoints, and exfiltration of sensitive data from isolated network segments. This vulnerability is fixed in version 25.7.21.2525.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Produtos afetados
Manager-io · Manager

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/Manager-io/Manager/security/advisories/GHSA-347w-cgwh-m895