| Title | QingdaoU OnlineJudge <=v1.6.1 Stored SSRF |
|---|
| Description | A stored Server-Side Request Forgery (SSRF) vulnerability exists in the Judge Server dispatcher of QingdaoU OnlineJudge. An attacker with access to a judge server token can submit a malicious service_url via the /api/admin/judge_server_heartbeat endpoint, which is then stored in the database. When the application subsequently processes judge tasks, it uses this unvalidated URL to construct and send internal HTTP requests. This allows the attacker to force the server to make arbitrary requests to internal network resources, potentially leading to metadata exfiltration, internal network scanning, or remote code execution.
|
|---|
| Source | ⚠️ https://github.com/AnalogyC0de/public_exp/issues/27 |
|---|
| User | Ana10gy (UID 93358) |
|---|
| Submission | 03/18/2026 10:10 (19 days ago) |
|---|
| Moderation | 04/04/2026 08:44 (17 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 355291 [QingdaoU OnlineJudge up to 1.6.1 judge_server_heartbeat Endpoint JudgeServer.service_url server-side request forgery] |
|---|
| Points | 20 |
|---|