Vasion Print Server-Side Request Forgery Vulnerability via Unauthenticated HP Badge Setup Script
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Vasion Print Virtual Appliance Host versions prior to 25.1.102 and Application versions prior to 25.1.1413, specifically in VA/SaaS deployments. The vulnerability resides in the '/var/www/app/console_release/hp/badgeSetup.php' script, which is accessible from the Internet without authentication. This script constructs URLs from user-controlled parameters and sends requests using either a custom 'processCurl()' function or PHP's 'file_get_contents()'. The vulnerability allows unauthenticated attackers to make arbitrary HTTP requests to internal resources, potentially leading to internal network reconnaissance, credential leakage, unauthorized access, and data exfiltration.
Impact
Exploitation of this vulnerability allows for unauthorized HTTP requests to internal resources, which could be used for network reconnaissance, credential theft, unauthorized access, and data exfiltration.
Remediation
Users can update to Vasion Print Virtual Appliance Host version 25.1.102 and Application version 25.1.1413. For the Virtual Appliance, reference the 'Application Update' topic for instructions on updating.
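The pattern the advisory describes, shown as an added PHP illustration that is not Vasion's code and not taken from badgeSetup.php: a fetch whose destination comes straight from request input, beside a hardened form that allow-lists the host, refuses non-HTTPS schemes and redirects, and rejects and pins the resolved address. The parameter names ('host', 'path') and the allow-listed hostname are assumptions.

```php
<?php
// Added illustration, not Vasion's code: parameter names ('host', 'path') and
// the allow-listed badge-service hostname are assumptions.
// Vulnerable pattern the advisory describes: the URL is assembled from request
// input and fetched server-side, so the request goes wherever the caller points it.
function fetchBadgeConfigVulnerable(array $params)
{
    $url = 'http://' . $params['host'] . '/' . $params['path']; // user-controlled
    return @file_get_contents($url);
}

// Hardened form: allow-listed host, HTTPS only, resolved address checked against
// loopback/private/reserved ranges and pinned for the request, redirects refused.
const ALLOWED_BADGE_HOSTS = ['badge-service.example.com']; // assumed allow-list

function resolvePublicAddress(string $host): ?string
{
    $records = @dns_get_record($host, DNS_A);
    if (!$records) { return null; }
    foreach ($records as $r) {
        $ok = filter_var($r['ip'] ?? '', FILTER_VALIDATE_IP,
            FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($ok === false) { return null; } // one inward-pointing answer rejects the host
    }
    return $records[0]['ip'];
}

function fetchBadgeConfigHardened(array $params)
{
    $host = strtolower((string) ($params['host'] ?? ''));
    $path = (string) ($params['path'] ?? '');
    if (!in_array($host, ALLOWED_BADGE_HOSTS, true)
        || !preg_match('~^[\w./-]+$~', $path) || strpos($path, '..') !== false) {
        return false;
    }
    $ip = resolvePublicAddress($host);
    if ($ip === null) { return false; }
    $ch = curl_init("https://$host/$path");
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,             // never follow a redirect
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,   // no file://, gopher://, ...
        CURLOPT_RESOLVE        => ["$host:443:$ip"], // pin the vetted address
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}
```

Pinning the vetted address with CURLOPT_RESOLVE closes the gap between the DNS check and the actual connection, which a plain resolve-then-fetch sequence leaves open to a changed DNS answer.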
