Submission #765588: bufanyun HotGo <= v2.0 Server-Side Request Forgery Info

Title: bufanyun HotGo <= v2.0 Server-Side Request Forgery
Description: A Server-Side Request Forgery (SSRF) vulnerability exists in HotGo ≤ v2.0 at the /admin/upload/imageTransferStorage endpoint, where user-controlled URLs are directly used to initiate HTTP requests without validation or restriction on the target destination. As a result, authenticated attackers can pass in URLs pointing to internal resources to probe internal network services, access metadata endpoints, bypass firewall restrictions, perform port scanning of internal infrastructure, and potentially exfiltrate sensitive data from services that should not be externally accessible. Mitigations include implementing strict URL validation with allowlists of permitted domains and protocols, blocking requests to private IP ranges, using a dedicated egress proxy with filtering capabilities, implementing network segmentation to isolate the application server from sensitive internal services, and conducting thorough security reviews of all external request functionality.
Source: https://github.com/CC-T-454455/Vulnerabilities/tree/master/hotgo/vulnerability-1
User: Anonymous User
Submitted: February 22, 2026 16:54 (2 months ago)
Moderation: March 6, 2026 22:32 (12 days later)
Status: Accepted
VulDB Entry: 349585 [bufanyun HotGo up to 2.0 Endpoint upload.go ImageTransferStorage privilege escalation]
Points: 20
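The description names the mitigations (scheme and host allowlist, blocking private ranges) but the submission carries no code, so the following Go validator is an added example, not HotGo's own code and not taken from the linked repository. The allowlist entry cdn.example.com, the Resolver type and the function names are assumptions; the check runs before any server-side fetch and rejects loopback, RFC 1918, link-local (including the 169.254.169.254 metadata address) and non-allowlisted hosts.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver is injected so DNS lookup can be replaced in tests; pass net.LookupIP in production.
type Resolver func(host string) ([]net.IP, error)
// Constructed allowlist (assumption) of storage hosts a transfer may fetch from.
var allowedHosts = map[string]bool{"cdn.example.com": true}
// isBlockedIP: loopback, RFC 1918/ULA, link-local (incl. 169.254.169.254 metadata), multicast, unspecified.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// ValidateTransferURL accepts a user-supplied URL only if it is http(s), names an allowlisted
// host, and that host resolves solely to routable addresses; it returns those IPs so the caller
// dials exactly them rather than re-resolving (closing the DNS rebinding window).
func ValidateTransferURL(raw string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("malformed url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, errors.New("scheme not permitted: " + u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if !allowedHosts[host] {
		return nil, errors.New("host not on allowlist: " + host)
	}
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return nil, errors.New("host does not resolve")
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return nil, fmt.Errorf("host resolves to non-routable address %s", ip)
		}
	}
	return ips, nil
}

func main() {
	fmt.Println(ValidateTransferURL("http://169.254.169.254/latest/meta-data/", net.LookupIP))
}
```

Pair the returned IPs with a custom http.Transport DialContext that connects to them directly and disable redirect following, otherwise a 302 from an allowlisted host can still steer the fetch to an internal address.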
