| عنوان | Guangzhou Qibo Network Technology Co., Ltd. Qibo CMS (x1_of_cms) X1.0 SSRF |
|---|
| الوصف | The /index/image/headers interface of Qibo CMS (x1_of_cms) has a defect of insufficient input validation and access control. When the backend system processes the url parameter passed in by the user, it only verifies whether the parameter starts with http or https, without filtering internal network addresses, cloud service metadata addresses and other sensitive intranet targets. Attackers can construct malicious request parameters to use the target server as a proxy, send HTTP requests to the internal metadata server of Alibaba Cloud (x.x.x.x), and illegally read the metadata and user-defined data of the ECS instance, resulting in the leakage of cloud environment network topology, account ID, high-privilege initialization scripts and other core sensitive information. |
|---|
| المصدر | ⚠️ https://tcn60zf28jhk.feishu.cn/wiki/VYIcwwH4uiWZMgkX0SecopTgnQd?from=from_copylink |
|---|
| المستخدم | EthX0_ (UID 96627) |
|---|
| ارسال | 31/03/2026 11:01 AM (21 أيام منذ) |
|---|
| الاعتدال | 20/04/2026 07:41 AM (20 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 358283 [Qibo CMS 1.0 /index/image/headers starts تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|