| Field | Value |
|---|---|
| Title | Deco deco-apps 0.114.12 - 0.120.1 Server-Side Request Forgery |
| Description | A Server-Side Request Forgery (SSRF) vulnerability exists in the analyticsScript.ts loader. The url parameter is not properly validated, allowing attackers to force the server to fetch arbitrary URLs, including file:// URIs. This enables Local File Disclosure (e.g., /etc/passwd, /etc/hosts, /proc/self/environ). With crafted payloads, attackers could also reach internal services (e.g., cloud metadata endpoints). |
| Impact | Attacker is able to reach `file:///etc/hosts`, `file:///etc/passwd` and `file:///proc/self/environ`, which leaks the entire set of environment variables. |
| PoC | `curl --path-as-is -i -s -k -X $'GET' -H $'Host: 127.0.0.1' $'http://127.0.0.1/live/invoke/website/loaders/analyticsScript.ts?url=file:///etc/passwd'` |
| Mitigation / Fix | Apply the patch in commit https://github.com/deco-cx/apps/commit/8675c0b3d75a778198afdf6f35730eafd114ccd8, which validates and sanitizes the url parameter and restricts allowed schemes/hosts. |
| Fix version | 0.120.2 - latest |
| Fixed commit | https://github.com/deco-cx/apps/commit/8675c0b3d75a778198afdf6f35730eafd114ccd8 |
| User | Anonymous User |
| Submission | 2025-11-09 15:15 (7 months ago) |
| Moderation | 2025-11-30 14:54 (21 days later) |
| Status | Accepted |
| VulDB Entry | 333807 [deco-cx apps up to 0.120.1 Parameter analyticsScript.ts AnalyticsScript url privilege escalation] |
| Points | 17 |
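The mitigation row above describes the fix as validating the `url` parameter and restricting allowed schemes and hosts. The following is an added illustration of that kind of allow-list check, written for this page; it is not the deco-cx/apps patch and not code from the project. The function name `validateFetchUrl`, the `UrlCheck` result type and the allow-listed host names are assumptions chosen for the example. A loader would call it on the incoming `url` value and refuse to fetch anything that does not come back `ok`.

```typescript
// Added example (not deco-cx/apps code): allow-list validation of a
// user-supplied URL before a server-side fetch, to close the SSRF described above.

// Only web schemes may be fetched; "file:" and anything else is rejected outright.
const ALLOWED_SCHEMES: ReadonlySet<string> = new Set(["http:", "https:"]);

// Hypothetical allow-list of hosts an analytics-script loader is expected to serve.
const DEFAULT_ALLOWED_HOSTS: ReadonlySet<string> = new Set([
  "www.googletagmanager.com",
  "cdn.example.com",
]);

// Discriminated result so the caller cannot accidentally use a rejected URL.
type UrlCheck =
  | { ok: true; url: URL }
  | { ok: false; reason: string };

function validateFetchUrl(
  raw: string,
  allowedHosts: ReadonlySet<string> = DEFAULT_ALLOWED_HOSTS,
): UrlCheck {
  // 1. Must parse as an absolute URL; relative paths and junk are refused.
  let parsed: URL;
  try {
    parsed = new URL(raw);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }

  // 2. Scheme allow-list: blocks file://, gopher://, data: and similar.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }

  // 3. Embedded credentials are never expected in a script URL.
  if (parsed.username !== "" || parsed.password !== "") {
    return { ok: false, reason: "credentials in URL are not allowed" };
  }

  // 4. Host allow-list: exact, case-insensitive match. Because only named
  //    hosts pass, IP literals for internal services or metadata endpoints
  //    are rejected without needing a separate deny-list.
  const host = parsed.hostname.toLowerCase();
  if (!allowedHosts.has(host)) {
    return { ok: false, reason: `host ${host} is not allow-listed` };
  }

  return { ok: true, url: parsed };
}

// Convenience wrapper a loader might use: returns the URL string to fetch, or null.
function safeFetchTarget(raw: string): string | null {
  const check = validateFetchUrl(raw);
  return check.ok ? check.url.toString() : null;
}
```

An allow-list of exact host names is deliberately stricter than a deny-list of "bad" addresses: new internal ranges, alternate IP encodings or DNS names pointing at private space never need to be enumerated, because anything not explicitly listed is refused.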