Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Caddy vulnerable to cross-origin config application via local admin API /load (caddy)
Vulnerability Description
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.
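The mitigation the description points at is the admin endpoint's origin enforcement. The following is an added example of a hardened `admin` section for Caddy's JSON config, not text from the advisory; it assumes the default local listener named above and uses the `origins` allowlist field, which belongs to Caddy's admin config but is not named on this page. The weak configuration is simply the one where `enforce_origin` is absent, which leaves it at its default of `false`.

```json
{
  "admin": {
    "listen": "127.0.0.1:2019",
    "enforce_origin": true,
    "origins": ["127.0.0.1:2019", "localhost:2019"]
  }
}
```

With this in the running config, the admin API rejects requests whose `Origin` or `Host` header is not in the `origins` list, so a cross-origin `POST /load` from web content in a browser is refused instead of replacing the configuration. Because the fix shipped in 2.11.1, upgrading is the primary remediation; enabling enforcement is the compensating control for deployments that cannot upgrade immediately, and checking the admin endpoint's access logs for unexpected `/load` requests is the corresponding detection.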
CVSS Information
N/A
Vulnerability Type
Cross-site request forgery (CSRF)
Vulnerability Title
Caddy cross-site request forgery vulnerability
Vulnerability Description
Caddy is an open-source, cross-platform HTTP/Web server from the Caddy company. Versions of Caddy prior to 2.11.1 contain a cross-site request forgery vulnerability. The vulnerability stems from the local caddy admin API accepting cross-origin requests when origin enforcement is not enabled, which may lead to an attacker-supplied configuration being applied.
CVSS Information
N/A
Vulnerability Type
N/A