Webpage Thumbnail Generator doesn't verify URLs set explicitly with mesthumbnailurl property (MINDBREEZE33992)

ID: MINDBREEZE33992 
Affected Components: Mindbreeze InSpire, Mindbreeze InSpire SaaS  
Severity: Critical 
Status: Final 
First published: January 28, 2025 
CVEs: MINDBREEZE33992 

Summary

WebPageThumbnailer thumbnail destination url can be overwritten via custom metadata which is not further validated and can lead to potential unintended local network access.

 

Hotfix Information 

Fixed with following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS: 

  • Mindbreeze InSpire Release 24.8 Hotfix 1
  • Mindbreeze InSpire Saas Release 24.8 Hotfix 1