Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Ech0 affected by unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata
Vulnerability Description
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the website_url query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. The endpoint requires no authentication. An attacker can use this to reach internal network services, cloud metadata endpoints (169.254.169.254), and localhost-bound services, with partial response data exfiltrated via the HTML <title> tag extraction This vulnerability is fixed in 4.2.8.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Vulnerability Type
服务端请求伪造(SSRF)
Vulnerability Title
Ech0 代码问题漏洞
Vulnerability Description
Ech0是L1nSn0w个人开发者的一个自托管个人微博客平台。 Ech0 4.2.8之前版本存在代码问题漏洞,该漏洞源于GET /api/website/title端点未经验证即向任意URL发起服务器端HTTP请求,可能导致攻击者访问内部网络服务、云元数据端点或本地服务。
CVSS Information
N/A
Vulnerability Type
N/A