Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Papra has a Blind Server-Side Request Forgery (SSRF) via Webhook URL
Vulnerability Description
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs, including localhost, internal network ranges, and cloud provider metadata endpoints, on every document event. This vulnerability is fixed in 26.4.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Vulnerability Type
服务端请求伪造(SSRF)
Vulnerability Title
Papra 代码问题漏洞
Vulnerability Description
Papra是Papra开源的一个文档管理与归档平台。 Papra 26.4.0之前版本存在代码问题漏洞,该漏洞源于Papra webhook系统允许经过身份验证的用户注册任意URL作为webhook端点,且未验证目标地址,可能导致服务器在每个文档事件中向注册的URL(包括localhost、内部网络范围和云提供商元数据端点)发出出站HTTP POST请求。
CVSS Information
N/A
Vulnerability Type
N/A