| 标题 | akaunting 3.1.21 Server-Side Request Forgery |
|---|
| 描述 | SSRF in Invoice PDF Rendering via Unsanitized Notes HTML + Dompdf Remote Fetch Enabled
Product: Akaunting 3.1.21
Vulnerability Type: Server-Side Request Forgery (SSRF)
The invoice PDF generation process in Akaunting renders user-controlled Notes field as raw, unsanitized HTML and passes it directly to Dompdf. Because remote URL fetching is enabled by default in Dompdf (enable_remote => true), an authenticated user with permission to create or edit invoices can inject arbitrary external resource tags (e.g., <img src="http://attacker-controlled-url">, <link>, <script>, etc.).
When the PDF is generated, the server makes an outbound HTTP request to the attacker-specified URL. This allows full Server-Side Request Forgery (SSRF), enabling the attacker to:
Probe internal network services (internal IP addresses, Docker containers, cloud metadata endpoints, etc.).
Access sensitive internal resources that are not reachable from the internet.
Potentially chain the SSRF with other vulnerabilities (e.g., local file read via file:// if allowed, or further exploitation of internal services). |
|---|
| 来源 | ⚠️ https://drive.google.com/file/d/1zC8gMYeIfZi3CsK6RXBQINU_mllXH_6n/view?usp=drive_link |
|---|
| 用户 | hai271120 (UID 96497) |
|---|
| 提交 | 2026-04-09 14時17分 (2 月前) |
|---|
| 管理 | 2026-05-08 21時54分 (29 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 362345 [Akaunting 3.1.21 Invoice PDF Rendering config/dompdf.php 权限提升] |
|---|
| 积分 | 20 |
|---|