Description
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Attackers can exploit insufficient validation of externally supplied resource references to interact with internal services or cause resource exhaustion impacting availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
Published: 2026-03-19
Score: 5.3 Medium
EPSS: 12.9% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

BMC FootPrints ITSM software versions 20.20.02 through 20.24.01.001 contain a blind server‑side request forgery vulnerability in the externalfeed/RSS API. The defect allows an authenticated attacker to trigger arbitrary outbound requests from the FootPrints server, enabling interaction with internal services or causing resource exhaustion that can impact availability. This weakness is identified as CWE‑918, i.e., Server‑Side Request Forgery.

Affected Systems

Affected vendors and products are BMC Software, Inc.:FootPrints. All FootPrints ITSM releases from 20.20.02 up to 20.24.01.001 are vulnerable. The vendor has released hotfixes for the same series, including 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. EPSS is 13% and the vulnerability has not been catalogued in the CISA KEV list, indicating a moderate public exploitation probability. However, exploitation requires authenticated access to the system and can lead to internal network access or denial of service. The risk is significant for environments where FootPrints is exposed to users with the ability to invoke externalfeed/RSS, and the impact can extend to internal service availability.

Generated by OpenCVE AI on June 18, 2026 at 04:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided hotfix corresponding to your FootPrints ITSM version (e.g., 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, or 20.24.01).
  • If a patch is not immediately available, disable the externalfeed/RSS functionality or restrict its use to trusted users to prevent the blind SSRF from being triggered.
  • Verify network segmentation to ensure FootPrints servers cannot reach critical internal services, mitigating potential internal disclosure or denial of service.

Generated by OpenCVE AI on June 18, 2026 at 04:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Bmc footprints Itsm
CPEs cpe:2.3:a:bmc:footprints_itsm:*:*:*:*:*:*:*:*
Vendors & Products Bmc footprints Itsm

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Bmc
Bmc footprints
Vendors & Products Bmc
Bmc footprints

Thu, 19 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Title BMC 20.20.02 <= 20.24.01.001 FootPrints ITSM Blind SSRF in externalfeed/RSS BMC FootPrints ITSM 20.20.02 <= 20.24.01.001 Blind SSRF in externalfeed/RSS

Thu, 19 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Description BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Attackers can exploit insufficient validation of externally supplied resource references to interact with internal services or cause resource exhaustion impacting availability. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
Title BMC 20.20.02 <= 20.24.01.001 FootPrints ITSM Blind SSRF in externalfeed/RSS
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Bmc Footprints Footprints Itsm
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T02:09:00.657Z

Reserved: 2026-03-02T15:04:45.927Z

Link: CVE-2025-71259

cve-icon Vulnrichment

Updated: 2026-03-19T14:45:39.712Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T14:16:13.380

Modified: 2026-06-17T10:03:57.950

Link: CVE-2025-71259

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T04:30:16Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)