Plateforme
php
Composant
fogproject
Corrigé dans
1.5.11
CVE-2026-24138 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in FOGProject, a free open-source cloning/imaging/rescue suite. This vulnerability allows an unauthenticated attacker to potentially access internal resources and files on the server running FOG. The vulnerability affects versions of FOGProject up to 1.5.10.1754, and a fix is available in version 1.5.11.
The SSRF vulnerability in FOGProject's getversion.php allows an attacker to craft a malicious URL parameter that triggers the server to make requests to arbitrary internal or external resources. Because the vulnerability is unauthenticated, an attacker does not need valid credentials to exploit it. This could lead to the exposure of sensitive internal data, such as configuration files, database credentials, or even access to other internal services. The newService=1 parameter appears to be a key component in triggering the vulnerability, bypassing authentication checks. Successful exploitation could allow an attacker to map the internal network and identify other potential targets for further attacks.
CVE-2026-24138 was publicly disclosed on 2026-01-23. There is no indication of active exploitation at this time, and no public proof-of-concept (POC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The relatively recent disclosure suggests a low to medium probability of exploitation, but continuous monitoring is recommended.
Organizations utilizing FOGProject for imaging, cloning, and inventory management are at risk, particularly those running versions prior to 1.5.11. Shared hosting environments where FOGProject is deployed could be especially vulnerable, as an attacker gaining access to one instance could potentially exploit the SSRF vulnerability to access other hosted resources.
• linux / server:
journalctl -u fogproject | grep -i "getversion.php"• generic web:
curl -I http://<fogproject_server>/getversion.php?newService=1&url=<arbitrary_url>Check the response headers for unexpected redirects or connections to internal resources.
• php:
Review the getversion.php file for any modifications or suspicious code related to URL handling.
disclosure
Statut de l'Exploit
EPSS
0.01% (percentile 3%)
CISA SSVC
Vecteur CVSS
The primary mitigation for CVE-2026-24138 is to upgrade FOGProject to version 1.5.11 or later, which contains the fix. If upgrading immediately is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests to getversion.php with suspicious URL parameters, specifically those containing user-controlled URLs. Additionally, restrict network access to the FOGProject server to only necessary IP addresses and ports. Monitor FOGProject logs for unusual outbound requests originating from getversion.php. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and verifying that the request is blocked.
Mettez à jour FOG vers une version ultérieure à 1.5.10.1754 dès qu'elle sera disponible. Étant donné qu'il n'y a pas de version fixe au moment de la publication, surveillez le projet FOG pour obtenir des mises à jour de sécurité et appliquez-les dès que possible. Envisagez de mettre en œuvre des mesures d'atténuation temporaires, telles que la restriction de l'accès à `/fog/service/getversion.php` si possible, jusqu'à ce qu'une version corrigée soit publiée.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2026-24138 is a Server-Side Request Forgery (SSRF) vulnerability affecting FOGProject versions up to 1.5.10.1754, allowing unauthenticated access to internal resources.
You are affected if you are running FOGProject version 1.5.10.1754 or earlier. Upgrade to version 1.5.11 or later to mitigate the risk.
Upgrade FOGProject to version 1.5.11 or later. As a temporary workaround, implement a WAF rule to block suspicious requests to getversion.php.
There is currently no evidence of active exploitation, but continuous monitoring is recommended.
Refer to the FOGProject website and security advisories for the latest information: [https://fogproject.org/](https://fogproject.org/)
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.