1. Home
  2. CVE Database
  3. CVE-2019-13020
CRITICAL · 10.0

CVE-2019-13020

The fetch API in Tightrope Media Carousel before 7.1.3 has CarouselAPI/v0/fetch?url= SSRF. This has two potential areas for abuse. First, a specially crafted URL could be used in a phishing attack to ...

Vulnerability Description

The fetch API in Tightrope Media Carousel before 7.1.3 has CarouselAPI/v0/fetch?url= SSRF. This has two potential areas for abuse. First, a specially crafted URL could be used in a phishing attack to hijack the trust the user and the browser have with the website and could serve malicious content from a third-party attacker-controlled system. Second, arguably more severe, is the potential for an attacker to circumvent firewall controls, by proxying traffic, unauthenticated, into the internal network from the internet.

CVSS Score

10.0

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE

Affected Products

VendorProductVersions
TrmsTightrope Media Carousel< 7.1.3

Related Weaknesses (CWE)

CWE-918

References

FAQ

What is CVE-2019-13020?

CVE-2019-13020 is a vulnerability with a CVSS score of 10.0 (CRITICAL). The fetch API in Tightrope Media Carousel before 7.1.3 has CarouselAPI/v0/fetch?url= SSRF. This has two potential areas for abuse. First, a specially crafted URL could be used in a phishing attack to ...

How severe is CVE-2019-13020?

CVE-2019-13020 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-13020?

Check the references section above for vendor advisories and patch information. Affected products include: Trms Tightrope Media Carousel.