| Title | akaunting 3.1.21 Server-Side Request Forgery |
|---|---|
| Description | SSRF in Invoice PDF Rendering via Unsanitized Notes HTML + Dompdf Remote Fetch Enabled<br>Product: Akaunting 3.1.21<br>Vulnerability Type: Server-Side Request Forgery (SSRF)<br>The invoice PDF generation process in Akaunting renders the user-controlled Notes field as raw, unsanitized HTML and passes it directly to Dompdf. Because remote URL fetching is enabled in Akaunting's shipped Dompdf configuration (config/dompdf.php, `enable_remote => true`; Dompdf's own default is off), an authenticated user with permission to create or edit invoices can inject arbitrary external resource references (e.g., `<img src="http://attacker-controlled-url">` or a `<link>` stylesheet; Dompdf does not fetch `<script src>` targets, so script tags add nothing here).<br>When the PDF is generated, the server fetches the attacker-specified URL. Because the request originates from the Akaunting host, this is a full Server-Side Request Forgery (SSRF) that lets the attacker:<br>- Probe internal network services (internal IP ranges, Docker containers, cloud metadata endpoints, etc.).<br>- Reach internal resources that are not exposed to the internet.<br>- Chain the SSRF with other weaknesses (e.g., local file read via `file://` where Dompdf's chroot permits it, or further exploitation of internal services).<br>In practice the fetched body is consumed only as an image or stylesheet, so confirmation is usually blind (a DNS or HTTP callback to an attacker-controlled host, or response timing) rather than content returned inside the PDF. |
| Source | https://drive.google.com/file/d/1zC8gMYeIfZi3CsK6RXBQINU_mllXH_6n/view?usp=drive_link |
| User | hai271120 (UID 96497) |
| Submitted | 2026-04-09 14:17 (2 months ago) |
| Moderation | 2026-05-08 21:54 (29 days later) |
| Status | Accepted |
| VulDB Entry | 362345 [Akaunting 3.1.21 Invoice PDF Rendering config/dompdf.php privilege escalation] |
| Points | 20 |
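Two checks a reviewer of this report will want, written here as an added Python example (not Akaunting's or Dompdf's code): `audit_remote_refs()` lists every outbound fetch or local file read a Notes value would trigger once it reaches a renderer with remote fetching on, and `sanitize_notes()` strips those references and the tags that carry them so the rendered PDF causes no server-side request. The tag and attribute names are ordinary HTML; the sample note, the `attacker.example` host and the use of the conventional cloud metadata address `169.254.169.254` as a probe target are constructed for the demonstration. In a Laravel/PHP deployment the same two measures correspond to running an allow-list sanitizer on the Notes field before the invoice view is handed to Dompdf, and to setting `enable_remote` to false in config/dompdf.php.

```python
"""Audit and sanitize invoice-note HTML before it reaches a PDF renderer.

Added example for this advisory, not Akaunting or Dompdf code. audit_remote_refs()
lists each outbound fetch or local read a Notes value would trigger with remote
fetching on; sanitize_notes() removes those references and the tags carrying them.
The sample note at the bottom is constructed for the demonstration.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

VOID_DROP = {"link", "meta", "base", "embed"}             # removed, no body
CONTAINER_DROP = {"script", "style", "iframe", "object"}  # removed with their body
FETCH_ATTRS = {"src", "data", "background", "poster"}     # values a renderer resolves
_CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)
_CSS_IMPORT = re.compile(r"@import\s+['\"]([^'\"]+)['\"]", re.I)


def classify_ref(ref):
    """'network' / 'file' / 'other' when the value leaves the document, None when inline."""
    ref = ref.strip()
    if ref.startswith("//"):
        return "network"                 # protocol-relative, resolved to http(s)
    try:
        scheme = urlsplit(ref).scheme
    except ValueError:
        return "other"
    if scheme in ("http", "https", "ftp"):
        return "network"
    if scheme == "file":
        return "file"
    if scheme == "":                     # paths resolve against the renderer base (chroot)
        return None if ref == "" or ref.startswith("#") else "file"
    if scheme == "data":
        return None                      # inline payload, nothing fetched
    return "other"                       # javascript:, mailto:, ...: dropped, not fetched


def css_refs(text):
    """(kind, ref) for each url()/@import in CSS text that would be resolved."""
    matches = list(_CSS_URL.finditer(text)) + list(_CSS_IMPORT.finditer(text))
    refs = [(classify_ref(m.group(1)), m.group(1).strip()) for m in matches]
    return [(kind, ref) for kind, ref in refs if kind]


class _NoteScrubber(HTMLParser):
    """Rebuilds markup without fetchable references and records what it removed."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.findings = []   # (where, kind, ref)
        self.out = []
        self._skip = 0       # >0 while inside a dropped container tag

    def handle_starttag(self, tag, attrs):
        if tag in VOID_DROP or tag in CONTAINER_DROP:
            for name, value in attrs:
                if value and name in FETCH_ATTRS | {"href"}:
                    self.findings.append((tag, classify_ref(value) or "dropped", value.strip()))
            if tag in CONTAINER_DROP:
                self._skip += 1
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            kind = classify_ref(value) if value is not None and name in FETCH_ATTRS else None
            if kind:
                self.findings.append((tag, kind, value.strip()))
                continue                                     # drop the attribute
            if name == "style" and value and css_refs(value):
                self.findings.extend((tag + "@style", k, r) for k, r in css_refs(value))
                continue                                     # drop the whole style attribute
            kept.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in CONTAINER_DROP:
            self._skip -= 1                                  # self-closed: no body to skip

    def handle_endtag(self, tag):
        if tag in CONTAINER_DROP:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag not in VOID_DROP:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip:                                       # <style>/<script> bodies: audit only
            self.findings.extend(("dropped-content", k, r) for k, r in css_refs(data))
        else:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip:
            self.out.append(f"&#{name};")


def _scrub(note_html):
    p = _NoteScrubber()
    p.feed(note_html)
    p.close()
    return p


def audit_remote_refs(note_html):
    """Every reference a Dompdf-style renderer would resolve, in document order."""
    return _scrub(note_html).findings


def sanitize_notes(note_html):
    """The note with every fetchable reference (and its carrier tag) removed."""
    return "".join(_scrub(note_html).out)


# Constructed payload: one probe per vector named in the advisory, plus a benign inline logo.
SAMPLE_NOTE = (
    "Thanks for your business."
    '<img src="http://169.254.169.254/latest/meta-data/">'
    '<link rel="stylesheet" href="//attacker.example/probe.css">'
    "<p style=\"background:url('file:///etc/hostname')\">Net 30</p>"
    '<img src="data:image/png;base64,iVBORw0KGgo=" alt="logo">'
)

if __name__ == "__main__":
    for where, kind, ref in audit_remote_refs(SAMPLE_NOTE):
        print(f"{kind:8} {where:12} {ref}")
    print(sanitize_notes(SAMPLE_NOTE))
```

Running the module prints the three findings (metadata probe via `<img>`, stylesheet callback via `<link>`, local read via a CSS `url()`) and then the scrubbed note, in which only the text and the inline `data:` logo survive. The sanitizer is deliberately blunt: a relative path is treated like `file://` because the renderer resolves it against its base path, and a `style` attribute containing any external `url()` is dropped whole rather than rewritten.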