CVE-2023-46236— FOG SSRF via unauthenticated endpoint(s)
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-46236
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
FOG SSRF via unauthenticated endpoint(s)
Source: NVD (National Vulnerability Database)
Vulnerability Description
FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to version 1.5.10, a server-side-request-forgery (SSRF) vulnerability allowed an unauthenticated user to trigger a GET request as the server to an arbitrary endpoint and URL scheme. This also allows remote access to files visible to the Apache user group. Other impacts vary based on server configuration. Version 1.5.10 contains a patch.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
FOGProject 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
FOGProject是一个免费的开源网络计算机克隆和管理解决方案。可用于部署和管理任何桌面操作系统。 FOGProject 1.5.10之前版本存在代码问题漏洞,该漏洞源于允许未经身份验证的用户对服务器任意端点和 URL 进行 GET 请求,攻击者利用该漏洞可以发现 Apache 用户组的文件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| FOGProject | fogproject | < 1.5.10 | - |
II. Public POCs for CVE-2023-46236
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-46236
请登录查看更多情报信息。
Same Patch Batch · FOGProject · 2023-10-31 · 3 CVEs total
| CVE-2023-46237 | 5.8 MEDIUM | FOG path traversal via unauthenticated endpoint |
| CVE-2023-46235 | 5.4 MEDIUM | FOG stored XSS on log screen via unsanitized request logging |
IV. Related Vulnerabilities
Same product: fogproject
- CVE-2026-33739
FOG has Stored XSS in Multiple Management Pages - CVE-2026-24138
FOG vulnerable to unauthenticated SSRF via `/fog/service/get - CVE-2025-58443
FOG's authentication bypass leads to full SQL DB dump - CVE-2024-42349
FOG has a Log Information Disclosure - CVE-2024-42348
FOG leaks sensitive information (AD domain, username and pas
Same vendor: FOGProject
- CVE-2026-33739
FOG has Stored XSS in Multiple Management Pages - CVE-2026-24138
FOG vulnerable to unauthenticated SSRF via `/fog/service/get - CVE-2025-58443
FOG's authentication bypass leads to full SQL DB dump - CVE-2024-42349
FOG has a Log Information Disclosure - CVE-2024-42348
FOG leaks sensitive information (AD domain, username and pas
Same weakness: CWE-918
- CVE-2026-8193
Akaunting Invoice PDF Rendering dompdf.php server-side reque - CVE-2026-44313
LinkWarden: Server-Side Request Forgery (SSRF) in Link Creat - CVE-2026-42352
pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processe - CVE-2026-42346
Postiz: TOCTOU DNS rebinding bypasses all SSRF URL validatio - CVE-2026-42339
New API: SSRF Filter Bypass via 0.0.0.0
V. Comments for CVE-2023-46236
No comments yet