Webpage Thumbnail Generator doesn't verify URLs set explicitly with mesthumbnailurl property (MINDBREEZE33992)
ID: MINDBREEZE33992
Affected Components: Mindbreeze InSpire, Mindbreeze InSpire SaaS
Severity: Critical
Status: Final
First published: January 28, 2025
CVEs: MINDBREEZE33992
Summary
The WebPageThumbnailer thumbnail destination URL can be overwritten via custom metadata. The overriding value is not further validated, which can lead to potential unintended local network access.
Hotfix Information
Fixed in the following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:
- Mindbreeze InSpire Release 24.8 Hotfix 1
- Mindbreeze InSpire SaaS Release 24.8 Hotfix 1