| عنوان | akaunting 3.1.21 Server-Side Request Forgery |
|---|
| الوصف | SSRF in Invoice PDF Rendering via Unsanitized Notes HTML + Dompdf Remote Fetch Enabled
Product: Akaunting 3.1.21
Vulnerability Type: Server-Side Request Forgery (SSRF)
The invoice PDF generation process in Akaunting renders user-controlled Notes field as raw, unsanitized HTML and passes it directly to Dompdf. Because remote URL fetching is enabled by default in Dompdf (enable_remote => true), an authenticated user with permission to create or edit invoices can inject arbitrary external resource tags (e.g., <img src="http://attacker-controlled-url">, <link>, <script>, etc.).
When the PDF is generated, the server makes an outbound HTTP request to the attacker-specified URL. This allows full Server-Side Request Forgery (SSRF), enabling the attacker to:
Probe internal network services (internal IP addresses, Docker containers, cloud metadata endpoints, etc.).
Access sensitive internal resources that are not reachable from the internet.
Potentially chain the SSRF with other vulnerabilities (e.g., local file read via file:// if allowed, or further exploitation of internal services). |
|---|
| المصدر | ⚠️ https://drive.google.com/file/d/1zC8gMYeIfZi3CsK6RXBQINU_mllXH_6n/view?usp=drive_link |
|---|
| المستخدم | hai271120 (UID 96497) |
|---|
| ارسال | 09/04/2026 02:17 PM (2 أشهر منذ) |
|---|
| الاعتدال | 08/05/2026 09:54 PM (29 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 362345 [Akaunting 3.1.21 Invoice PDF Rendering config/dompdf.php تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|