Advisory ID: SYSS-2025-035
Product: URVE Web Manager
Manufacturer: Eveo
Affected Version(s): 27.02.2025
Tested Version(s): 27.02.2025
Vulnerability Type: Server-Side Request Forgery (CWE-918)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2025-04-09
Solution Date: 2025-06-02
Public Disclosure: 2025-07-17
CVE Reference: CVE-2025-36845
Author of Advisory: Stefan Krause, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The URVE Web Manager is the administrative web application for the
URVE Smart Office suite by Eveo. This suite includes tools like a room
booking and a desk sharing application.

The manufacturer describes the Smart Office product as follows (see [1]):

"Smart Office is a system of modern applications and user interfaces
that support office management, hybrid work model and teamwork."

Due to the exposure of back-end endpoints to unauthenticated users, the
application is vulnerable to server-side request forgery (SSRF).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The endpoint /_internal/redirect.php allows for SSRF. The endpoint takes
a URL as input, sends a request to this address, and reflects the
content in the response. This can be used to request endpoints that are
only reachable by the application server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTTP GET request illustrates an SSRF attack by using the
endpoint /_internal/redirect.php:

GET /_internal/redirect.php?url=http%3a/// HTTP/1.1
Host: :

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Block all endpoints at /_internal/ from external requests.
Update to the latest version.
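As an added defender-side example (not part of the SySS advisory and not Eveo's code), the following Python script scans web-server access-log lines for requests to the affected endpoint and classifies the fetched url parameter by whether it points at a loopback, private or link-local address, which is the pattern an SSRF attempt against the application server would leave behind. The combined log format and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jul/2025:10:00:01 +0000] "GET /_internal/redirect.php?url=http%3A%2F%2F127.0.0.1%2F HTTP/1.1" 200 512
10.0.0.6 - - [17/Jul/2025:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 2048
203.0.113.9 - - [17/Jul/2025:10:00:03 +0000] "GET /_internal/redirect.php?url=http%3A%2F%2F169.254.169.254%2Flatest%2F HTTP/1.1" 200 300
203.0.113.9 - - [17/Jul/2025:10:00:04 +0000] "GET /_internal/redirect.php?url=https%3A%2F%2Fexample.com%2F HTTP/1.1" 200 1000
"""

# Source address, timestamp, method, request path and status of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

AFFECTED_PATH = "/_internal/redirect.php"


def classify_target(url: str) -> str:
    """Return 'internal', 'external' or 'invalid' for the URL the endpoint would fetch."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    try:
        ip = ipaddress.ip_address(host)  # also handles bracketed IPv6 literals
    except ValueError:
        # Hostname, not a literal: without DNS resolution only obviously local names are flagged.
        return "internal" if host == "localhost" or host.endswith(".local") else "external"
    if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved or ip.is_unspecified:
        return "internal"
    return "external"


def find_ssrf_attempts(log_text: str) -> list:
    """Collect requests to the affected endpoint together with a verdict on their url parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlsplit(m.group("path"))
        if req.path != AFFECTED_PATH:
            continue
        for target in parse_qs(req.query).get("url", []):  # parse_qs percent-decodes the value
            hits.append({"src": m.group("src"), "ts": m.group("ts"), "target": target,
                         "status": int(m.group("status")), "verdict": classify_target(target)})
    return hits
```

Requests that were answered with status 200 and an "internal" verdict are the ones worth investigating, since a 200 means the server reflected whatever it fetched.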
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-04-01: Vulnerability discovered
2025-04-09: Vulnerability reported to manufacturer
2025-06-02: Patch released by manufacturer
2025-07-17: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for URVE Smart Office
    https://smartoffice.expert/en/
[2] SySS Security Advisory SYSS-2025-035
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-035.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Stefan Krause of SySS GmbH.

E-Mail: stefan.krause@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Stefan_Krause.asc
Key ID: 0x2B2BA6FDD6E172F3
PGP-Fingerprint: 88C8 13B9 FA6A 2FE6 B6D8 7226 2B2B A6FD D6E1 72F3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en