| Titel | magicblack MacCMSv10 v2025.1000.4050 SSRF |
|---|
| Beschreibung | When a scheduled task with file set to cj is executed, the col_url method in the Cj controller is called. This method uses the Collection utility to fetch content from a URL specified in the cjurl parameter of the scheduled task. There is no validation to prevent the use of internal or local URLs, allowing an attacker to make the server send requests to arbitrary internal services. |
|---|
| Quelle | ⚠️ https://github.com/August829/Yu/blob/main/58ead8e7e08bfb017.md |
|---|
| Benutzer | Yu Bao (UID 88956) |
|---|
| Einreichung | 02.09.2025 15:50 (vor 8 Monaten) |
|---|
| Moderieren | 13.09.2025 17:17 (11 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 323830 [Magicblack MacCMS 2025.1000.4050 Scheduled Task col_url cjurl erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|