VYPR
Unrated severity · NVD Advisory · Published Aug 25, 2020 · Updated May 8, 2025

Cellopoint CelloOS - Server-Side Request Forgery (SSRF)

CVE-2020-17386

Description

Cellopoint CelloOS v4.1.10 Build 20190922 does not properly validate URL input. With the cookie of an authenticated user, attackers can tamper with the URL parameter and access arbitrary files on the system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cellopoint CelloOS v4.1.10 Build 20190922 has improper URL validation, allowing authenticated attackers to read arbitrary files via a manipulated URL parameter.

Vulnerability

Cellopoint CelloOS v4.1.10 Build 20190922 fails to properly validate URL input parameters. This allows an attacker with a valid authenticated user's cookie to manipulate the URL parameter and access arbitrary files on the system. The vulnerability affects CelloOS version v4.1.10 Build 20190922 [1].

Exploitation

An attacker must first obtain the cookie of an authenticated user, possibly through phishing or session hijacking. With the cookie, the attacker can send a crafted request with a modified URL parameter to the Cellopoint server, which will then retrieve the specified file from the filesystem without further authorization [1].

Impact

Successful exploitation leads to unauthorized reading of arbitrary system files, resulting in high confidentiality impact. No integrity or availability impact is described. The CVSS score is 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [1].

Mitigation

Cellopoint released CelloOS version v4.1.12 Build 20200701 which fixes the vulnerability. All users should update to this version immediately [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
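For teams that maintain their own endpoints that fetch a user-supplied URL, the kind of check whose absence this advisory describes looks like the following. This is an added example, not Cellopoint's code; the advisory does not document the product's handler or parameter, so the allowlisted host `updates.example.com`, the function names and the sample URLs are all assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}        # rejects file:, gopher:, ftp:, ...
ALLOWED_HOSTS = {"updates.example.com"}    # hypothetical allowlist for this sketch


def _is_public(ip_text):
    """True only for globally routable addresses (no loopback, RFC 1918, link-local)."""
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def check_fetch_url(url, resolver=socket.getaddrinfo):
    """Decide whether a server-side fetch of `url` is permitted.

    Returns (ok, reason). `resolver` is injectable so the check can be
    exercised offline; by default it performs a real DNS lookup.
    """
    try:
        parts = urlsplit(url)
        port = parts.port                  # raises ValueError on a bad port
    except ValueError:
        return False, "unparseable URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:   # e.g. https://trusted@other-host/
        return False, "userinfo not allowed"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        infos = resolver(host, port or (443 if scheme == "https" else 80))
    except OSError:
        return False, "host does not resolve"
    addrs = {info[4][0] for info in infos}
    # Every resolved address must be public, or the fetch could be steered inward.
    if not addrs or not all(_is_public(a) for a in addrs):
        return False, "resolves to non-public address"
    return True, "ok"
```

The fetch itself should connect to the address that was vetted and refuse or re-check redirects; otherwise a second DNS answer or a 3xx response can bypass the check.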

Affected products

2
  • Cellopoint/CelloOS (llm-fuzzy), 2 versions
    = 4.1.10 Build 20190922 + 1 more
    • (no CPE) range: = 4.1.10 Build 20190922
    • (no CPE) range: 0

References

1
