Server-Side Request Forgery in SLiMS

Posted date 19/09/2023
5 - Critical
Affected Resources

SLiMS, version 9.6.0


INCIBE has coordinated the publication of one vulnerability in SLiMS (Senayan Library Management System), a library management system, which was discovered by David Utón Amaya (m3n0sd0n4ld).

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector string, and CWE vulnerability type:

  • CVE-2023-3744: CVSS v3.1: 9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | CWE-918.

The vulnerability has been fixed in the latest version of SLiMS.


CVE-2023-3744: Server-Side Request Forgery vulnerability in SLiMS version 9.6.0. This vulnerability could allow an authenticated attacker to make the server send requests to internal services, or to retrieve the contents of files on the server, via the "scrape_image.php" file in the imageURL parameter.
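The root cause class here (CWE-918) is a server fetching a user-supplied URL without restricting where it may point. The following is an added example, not SLiMS code and not the fix the project shipped: a destination check of the kind an image scraper such as scrape_image.php needs before it fetches imageURL. Function names, the resolver hook and the FAKE_DNS table are assumptions made for this illustration; the hostnames and addresses in it are constructed.

```python
"""Allow-list check for a user-supplied image URL (added example, not SLiMS code)."""
from __future__ import annotations

import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # file://, gopher://, ftp:// etc. are refused
ALLOWED_PORTS = {80, 443}

# Constructed DNS table so the example runs offline; a real deployment
# would use resolve_host() below (socket.getaddrinfo).
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],           # public address
    "intranet.example": ["10.0.0.5"],               # RFC 1918
    "meta.example": ["169.254.169.254", "2001:db8::1"],  # cloud metadata alias
    "mapped.example": ["::ffff:192.168.1.1"],       # IPv4-mapped IPv6 trick
}


def fake_resolver(host: str) -> list:
    """Resolver stand-in backed by FAKE_DNS (constructed for the demo)."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]


def resolve_host(host: str) -> list:
    """Resolve a hostname to every A/AAAA address it has; all must pass."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def _is_forbidden_ip(ip) -> bool:
    """True for any address an SSRF could abuse to reach internal services."""
    # ::ffff:10.0.0.1 is really 10.0.0.1; unwrap before classifying.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_image_url(url: str, resolver=resolve_host) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the server is asked to fetch."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port   # .port raises on "host:abc"
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme '{parts.scheme}' not allowed"
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if port is not None and port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        ips = [ipaddress.ip_address(host)]        # literal IP, incl. [::1]
    except ValueError:
        try:
            ips = resolver(host)                   # hostname: check every answer
        except (socket.gaierror, OSError) as exc:
            return False, f"cannot resolve {host}: {exc}"
        if not ips:
            return False, f"no addresses for {host}"
    for ip in ips:
        if _is_forbidden_ip(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: a remote server could 302 the scraper to 127.0.0.1
    after the original destination passed the check."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_image(url: str, max_bytes: int = 5_000_000) -> bytes:
    """Fetch an image only after check_image_url() accepts the destination."""
    allowed, reason = check_image_url(url)
    if not allowed:
        raise ValueError(f"refusing to fetch {url}: {reason}")
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(url, timeout=5) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if not ctype.startswith("image/"):
            raise ValueError(f"not an image: {ctype}")
        return resp.read(max_bytes)


if __name__ == "__main__":
    for u in ("https://cdn.example.com/cover.jpg", "file:///etc/passwd",
              "http://169.254.169.254/latest/meta-data/", "http://[::1]/",
              "http://intranet.example/x.png", "http://mapped.example/"):
        print(u, "->", check_image_url(u, resolver=fake_resolver))
```

Two caveats a practitioner would add: the resolve-then-fetch sequence is still open to DNS rebinding (the name answers with a public address during the check and an internal one when the HTTP client resolves it again), so a production implementation should connect to the address it validated and set the Host header itself; and the same check must be applied to any redirect target if redirects are ever re-enabled.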