[CVE-2023-33616] Server-side request forgery (SSRF)

Exploit Author: Dat Nguyen aka datnlq of VietSunshine Cyber Security Services

Vendor of Product: CraftCMS

Affected Product Code Base: 3.7.59

CVE: CVE-2023-33614

Description: Craft CMS version 3.7.59 is vulnerable to an XSS vulnerability, which allows a remote unauthenticated attacker to execute JavaScript code via the error and message parameters.

Steps to reproduce:

  • The API endpoints admin/actions/dashboard/get-feed-items and admin/actions/dashboard/save-widget-settings are vulnerable to SSRF, which allows a user to scan the network, discovering internal ports and internal web applications.
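As an added defender-side example (not from the advisory and not Craft CMS code), the following Python scans access-log lines for requests to the two endpoints named above whose query parameters carry a URL aimed at a non-public address, which is the traffic pattern an SSRF used for internal port scanning would leave. The log lines, the parameter name `url`, and the addresses are constructed assumptions; hostnames are not resolved so that it runs offline.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# The two endpoints named in the advisory.
SSRF_ENDPOINTS = (
    "admin/actions/dashboard/get-feed-items",
    "admin/actions/dashboard/save-widget-settings",
)

# Constructed sample access-log lines in combined-log style (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2023:10:00:01 +0000] "GET /admin/actions/dashboard/get-feed-items?url=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 512
10.0.0.5 - - [01/Jun/2023:10:00:02 +0000] "GET /admin/actions/dashboard/get-feed-items?url=http%3A%2F%2F192.168.1.10%3A22%2F HTTP/1.1" 200 128
203.0.113.7 - - [01/Jun/2023:10:00:03 +0000] "GET /admin/actions/dashboard/get-feed-items?url=https%3A%2F%2Fcraftcms.com%2Ffeed HTTP/1.1" 200 4096
203.0.113.7 - - [01/Jun/2023:10:00:04 +0000] "GET /admin/dashboard HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_internal_host(host):
    """True if `host` is 'localhost' or an IP literal outside the public ranges
    (loopback, RFC 1918, link-local, etc.). Assumption: no DNS resolution here so the
    example runs offline; a real detector should resolve names and check the results."""
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # a hostname, not an IP literal
    return not ip.is_global


def internal_targets(query):
    """Return (param, url) pairs whose value is a URL pointing at an internal host."""
    hits = []
    for key, value in parse_qsl(query, keep_blank_values=True):  # values are percent-decoded
        parts = urlsplit(value)
        if parts.scheme in ("http", "https", "ftp", "gopher") and is_internal_host(parts.hostname):
            hits.append((key, value))
    return hits


def scan_log(text):
    """Return (client, path, param, url) for requests to the advisory's endpoints
    whose URL-valued parameters target a non-public address."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if not any(target.path.lstrip("/").startswith(ep) for ep in SSRF_ENDPOINTS):
            continue
        for key, url in internal_targets(target.query):
            findings.append((m.group("client"), target.path, key, url))
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the two requests aimed at 127.0.0.1 and 192.168.1.10 and ignores the public feed fetch.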
