CVE-2021-27312
Description
Gleez CMS 1.2.0 contains an SSRF vulnerability in the request handling module, allowing remote attackers to execute arbitrary code and obtain sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2021-27312 is a Server-Side Request Forgery (SSRF) vulnerability in Gleez CMS version 1.2.0, affecting the modules/gleez/classes/request.php file. The root cause is a configuration mismatch between the framework's core and the Gleez CMS custom request handler: the index.php file is based on Kohana 3.2 and does not enforce the $allow_external check, while the request.php module (based on Kohana 3.3) sets $allow_external = TRUE by default. This combination permits the application to make arbitrary external requests when the URL path contains :// [1][2][4].
Attack Vector and Exploitation
An attacker can exploit this SSRF by crafting a URL containing a protocol prefix such as http:// or gopher:// within the path. For example, accessing https://gleezcms.org/http%3A%2F%2Fwww.google.com would trigger a server-side request to http://www.google.com. More critically, the cURL library supports the gopher protocol, which is known to be exploitable against internal services like PHP-FPM, Redis, and Memcached. Because the application does not validate or restrict outbound requests from the server, an attacker can probe internal networks and interact with these services [2][4].
Impact
Successful exploitation allows a remote unauthenticated attacker to perform SSRF attacks, potentially leading to remote code execution (RCE) if the attacker can reach exploitable internal services (e.g., PHP-FPM or Redis) via the gopher protocol. Additionally, sensitive information about the internal network and services may be disclosed through the server's responses [1][2][4].
Mitigation Status
As of the publication of this CVE, no official patch has been released for Gleez CMS 1.2.0. Administrators are advised to apply the fix manually by ensuring that $allow_external is set to FALSE in the application's request handling code, aligning the behavior with Kohana 3.3's security checks. The vulnerability is publicly documented with proof-of-concept examples, and the affected code is present in the public GitHub repository [2][3][4].
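The following is an added illustration of the manual fix described above and of the mechanism in the overview; it is not code from Gleez CMS or Kohana. It assumes a front-controller gate function (here called gate_request) that sees the request path before the framework's Request object does; the exception class and the sample URIs are constructed for the example.

```php
<?php
// Added example, not Gleez or Kohana code: a request gate that applies the
// $allow_external check the advisory says is missing from index.php.
// Assumption: the front controller can call this before routing a URI.

class ExternalRequestBlocked extends Exception {}

/**
 * Decide whether a request URI may be dispatched as an external request.
 *
 * @param string $uri           request path as received (may be percent-encoded)
 * @param bool   $allowExternal the $allow_external setting; FALSE is the safe default
 * @return bool TRUE if the URI is external and permitted, FALSE for an internal route
 * @throws ExternalRequestBlocked if the URI is external and external requests are off
 */
function gate_request(string $uri, bool $allowExternal = false): bool
{
    // Decode first: the PoC carries the scheme as http%3A%2F%2F, which only
    // becomes "://" after percent-decoding, so a check on the raw path misses it.
    $decoded    = rawurldecode($uri);
    $isExternal = strpos($decoded, '://') !== false;

    if (!$isExternal) {
        return false;                      // ordinary internal route
    }
    if (!$allowExternal) {
        // Refuse and leave an audit trail; this is the behaviour the fix restores.
        error_log(sprintf('blocked external request URI: %s', $decoded));
        throw new ExternalRequestBlocked('external requests are disabled');
    }
    return true;                           // explicitly permitted by configuration
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    'user/login',                          // internal route
    'http%3A%2F%2F203.0.113.7%2F',         // percent-encoded scheme in the path
    'gopher://127.0.0.1/',                 // raw scheme in the path
];
foreach ($samples as $s) {
    try {
        $external = gate_request($s, false);   // the vulnerable default was TRUE
        printf("%-32s -> %s\n", $s, $external ? 'external (allowed)' : 'internal');
    } catch (ExternalRequestBlocked $e) {
        printf("%-32s -> blocked\n", $s);
    }
}
```

With $allow_external left at FALSE, only the first sample is routed; the two URIs carrying a scheme are rejected before any outbound request can be made.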
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gleez/cms (Packagist) | <= 1.2.0 | — |
Affected products
- Gleez / Gleez CMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.