CVE-2021-30108: 
PHP vulnerability analysis and mitigation

Feehi CMS 2.1.1 is affected by a Server-side request forgery (SSRF) vulnerability. When a user modifies the HTTP Referer header to any URL, the server will make a request to that URL. This vulnerability was discovered and reported in April 2021 (GitHub Issue).

The vulnerability exists in the login functionality of Feehi CMS. The attack can be executed by sending two specific requests: first, a GET request to the login page with a modified HTTP Referer header pointing to an arbitrary URL, followed by a POST request with login credentials. When the second request is processed, the application performs a 302 redirect to the URL specified in the Referer header of the first request. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) (NVD).

This SSRF vulnerability could allow attackers to make server-side requests to arbitrary URLs, potentially enabling them to scan internal networks, access internal services, or retrieve sensitive information from the server. The vulnerability could also be exploited to bypass network security controls since the requests originate from the vulnerable server (GitHub Issue).

The recommended fix is to implement proper SSRF prevention measures as outlined in the OWASP Server Side Request Forgery Prevention Cheat Sheet. This includes validating and sanitizing URLs, implementing whitelisting for allowed domains, and restricting access to internal networks (GitHub Issue).