| Title | Deco deco-apps 0.114.12 - 0.120.1 Server-Side Request Forgery |
|---|---|

Description:

A Server-Side Request Forgery (SSRF) vulnerability exists in the analyticsScript.ts loader of deco-cx/apps. The `url` parameter is not validated, so the server fetches whatever URL the client supplies, including `file://` URIs. This gives local file disclosure (e.g. /etc/passwd, /etc/hosts, /proc/self/environ) and, with crafted payloads, lets an attacker reach internal services such as cloud metadata endpoints.

Impact:

An attacker can read `file:///etc/hosts`, `file:///etc/passwd` and `file:///proc/self/environ`; the last of these leaks the entire environment of the server process.

PoC (the loader is invoked through the `/live/invoke/` route; the `$'...'` quoting of the original Burp-style export has been replaced with plain quotes, behaviour unchanged):

```bash
curl --path-as-is -i -s -k -X GET \
  -H 'Host: 127.0.0.1' \
  'http://127.0.0.1/live/invoke/website/loaders/analyticsScript.ts?url=file:///etc/passwd'
```

Mitigation / Fix:

Upgrade to 0.120.2 or later, which includes the commit below. The commit validates and sanitizes the `url` parameter and restricts the allowed schemes/hosts.

Fix version: 0.120.2 - latest
Fixed commit: https://github.com/deco-cx/apps/commit/8675c0b3d75a778198afdf6f35730eafd114ccd8
| Field | Value |
|---|---|
| User | Anonymous User |
| Submitted | 2025-11-09 15:15 (7 months ago) |
| Moderation | 2025-11-30 14:54 (21 days later) |
| Status | Accepted |
| VulDB entry | 333807 [deco-cx apps up to 0.120.1 Parameter analyticsScript.ts AnalyticsScript url privilege escalation] |
| Points | 17 |