漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Squidex has Blind SSRF via file:// Protocol in Restore API leading to Local File Interaction
Vulnerability Description
Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable to Blind Server-Side Request Forgery (SSRF). The application fails to validate the URI scheme of the user-supplied `Url` parameter, allowing the use of the `file://` protocol. This allows an authenticated administrator to force the backend server to interact with the local filesystem, which can lead to Local File Interaction (LFI) and potential disclosure of sensitive system information through side-channel analysis of internal logs. Version 7.23.0 contains a fix.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
Vulnerability Type
文件名或路径的外部可控制
Vulnerability Title
Squidex 安全漏洞
Vulnerability Description
Squidex是Squidex开源的一个内容管理系统。 Squidex 7.23.0之前版本存在安全漏洞,该漏洞源于Restore API未验证用户提供的Url参数URI方案,允许使用file://协议,可能导致经过身份验证的管理员强制后端服务器与本地文件系统交互,造成本地文件交互和敏感系统信息泄露。
CVSS Information
N/A
Vulnerability Type
N/A