


Security: CVE-2024-25738

Overview

A Server-Side Request Forgery (SSRF) vulnerability in the /Upgrade/FixConfig route in VuFind® 2.0 through 9.1 before 9.1.1 allows a remote attacker to overwrite local configuration files and thereby gain access to the administrator panel. From version 9.1 it is possible to achieve Remote Code Execution. A mitigating factor is that this requires the allow_url_include PHP runtime setting to be on, which is off in default installations. It also requires the /Upgrade route to be exposed; that route is exposed by default after installing VuFind®, and it is recommended to disable it by setting autoConfigure to false in config.ini.

Mitigation

Upgrade to VuFind® 9.1.1, or ensure that autoConfigure is set to false in config.ini (which is always a best practice anyway).
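The following script is an added example for checking the two preconditions named above on an existing installation; it is not part of VuFind® and not code from the project. It assumes that the autoConfigure key lives in the [System] section of config.ini (the section name is an assumption) and that the script is run under the same PHP configuration as the web server, so that ini_get reflects the server's allow_url_include setting. The two config.ini fragments it writes to temporary files are constructed samples: the default (weak) setting and the hardened one.

```php
<?php
// Added example, not VuFind's own code. Reports whether the advisory's
// preconditions hold for a given config.ini:
//   - autoConfigure (assumed to be in the [System] section) exposes /Upgrade
//   - the PHP runtime setting allow_url_include enables the RCE variant

function autoConfigureEnabled(string $configPath): bool
{
    // INI_SCANNER_TYPED turns the strings "true"/"false" into PHP booleans.
    $config = parse_ini_file($configPath, true, INI_SCANNER_TYPED);
    if ($config === false) {
        throw new RuntimeException("Unable to parse $configPath");
    }
    // A missing key is treated as enabled, since the advisory states that
    // the /Upgrade route is exposed by default after installation.
    return (bool)($config['System']['autoConfigure'] ?? true);
}

function allowUrlIncludeEnabled(): bool
{
    // ini_get() returns "1" when the directive is on, "0" or "" when off.
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

function assessExposure(string $configPath): array
{
    $upgradeExposed = autoConfigureEnabled($configPath);
    $urlInclude     = allowUrlIncludeEnabled();
    return [
        // Config overwrite via /Upgrade/FixConfig needs only the exposed route.
        'upgrade_route_exposed'      => $upgradeExposed,
        // The RCE variant additionally needs allow_url_include to be on.
        'rce_preconditions_present'  => $upgradeExposed && $urlInclude,
        'allow_url_include'          => $urlInclude,
    ];
}

// Constructed sample fragments: VuFind's default setting beside the
// hardened one recommended in the advisory.
$samples = [
    'weak (default)' => "[System]\nautoConfigure = true\n",
    'hardened'       => "[System]\nautoConfigure = false\n",
];

foreach ($samples as $label => $ini) {
    $path = tempnam(sys_get_temp_dir(), 'vufind-config-');
    file_put_contents($path, $ini);
    echo $label, ': ', json_encode(assessExposure($path)), PHP_EOL;
    unlink($path);
}
```

To check a real installation, call assessExposure() with the path to the live config.ini instead of the constructed samples; on a default install the first key will report true until autoConfigure is set to false, and a patched 9.1.1 install should still have that key set to false as a matter of routine hardening.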

Acknowledgements

Thanks to rob (@b7c on GitHub) for identifying and responsibly reporting this vulnerability.

security/cve-2024-25738.txt · Last modified: 2024/06/06 11:36 by demiankatz