LOW 3.0

GHSA-mmj8-wcvw-6789

Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy

Details

### Summary

The administrative proxy route (`cmsproxy`) in Aimeos Pagible CMS is vulnerable to a Server-Side Request Forgery (SSRF) attack via DNS rebinding. A Time-of-Check to Time-of-Use (TOCTOU) race condition exists between the URL validation phase and the actual HTTP request phase, allowing attackers to access internal network resources and cloud metadata endpoints.

### Details

Before executing an HTTP request to fetch external content, the `AdminController::proxy` controller validates the target URL using `\Aimeos\Cms\Utils::isValidUrl($url)`. This function performs a DNS query to verify that the hostname does not resolve to private or reserved IP ranges (e.g., `127.0.0.1`, `10.0.0.0/8`, `169.254.169.254`).

If the validation passes, the application proceeds to the "Use" phase, invoking Guzzle/cURL to send the request. However, Guzzle performs a *second* DNS lookup to establish the socket connection.

An attacker can exploit this by setting up a malicious DNS server for a domain they control and configuring it with a TTL of 0.

1. During the validation "Check", the DNS server returns a safe, public IP.
2. During the Guzzle "Use", the DNS server returns an internal/private IP.

### POC

1. Attacker registers `rebound.test.com` with a custom nameserver.
2. Attacker generates a valid proxy token (assuming basic authenticated access).
3. Attacker requests `/cmsproxy?url=http://rebound.test.com`.
4. `isValidUrl` checks `rebound.test.com`. DNS returns `8.8.8.8`. Validation passes.
5. Guzzle requests `http://rebound.test.com`. DNS returns `169.254.169.254`.
6. The CMS fetches AWS Instance Metadata and returns it to the attacker.
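The standard mitigation for the race described above is to resolve the hostname once, validate that single answer, and then pin the HTTP client to the same address so the "use" phase cannot see a different DNS reply. The following is an added example written for this entry, not code from Aimeos Pagible; it assumes Guzzle is installed via Composer, handles IPv4 only, and disables redirects because a redirect would trigger a fresh, unpinned lookup.

```php
<?php
// Added example (not Pagible's own code): resolve once, validate the resolved
// address, then pin cURL to that address so check and use cannot diverge.
require 'vendor/autoload.php';   // assumes guzzlehttp/guzzle is installed

use GuzzleHttp\Client;

// Return the validated public IPv4 address for $host, or null if the name
// does not resolve or resolves to a private/reserved range.
function resolvePublicIp(string $host): ?string
{
    $ip = gethostbyname($host);          // single lookup; returns $host unchanged on failure
    if ($ip === $host && filter_var($host, FILTER_VALIDATE_IP) === false) {
        return null;                     // resolution failed
    }
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16;
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16 (cloud metadata) and 240/4.
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false ? null : $ip;
}

// Fetch $url with the socket connection pinned to the IP that passed validation.
function fetchPinned(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])
        || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only absolute http(s) URLs are allowed');
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($parts['scheme'] === 'https' ? 443 : 80);

    $ip = resolvePublicIp($host);
    if ($ip === null) {
        throw new RuntimeException("Refusing to proxy $host: not a public address");
    }

    $client = new Client([
        'allow_redirects' => false,      // a redirect would re-resolve a new host unpinned
        'timeout'         => 10,
        'curl'            => [
            // cURL uses this entry instead of performing its own DNS query,
            // so the connection goes to exactly the address that was checked.
            CURLOPT_RESOLVE => ["$host:$port:$ip"],
        ],
    ]);
    return (string) $client->get($url)->getBody();
}
```

If the proxy must follow redirects, each hop has to be routed through the same resolve-validate-pin step rather than left to Guzzle's default redirect handling.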


Affected packages

Packagist / aimeos/pagible
First affected version: 0 Fixed version: 0.10.4
Fix: composer require aimeos/pagible:^0.10.4

References