Discourse sending email function exist Server side request forgery SSRF #10509

Merged
merged 2 commits into from Aug 24, 2020


purple-WL

1. First, send a new email
2. Choose to upload images from a website
3. Send mail
4. The email has been sent.
5. Our remote server received a GET request from the site!
6. The vulnerability was tested in both versions 2.3.2 and 2.6

Renamed from `private_messages` to `personal_messages` without
deprecation because the `private_messages` advanced search filter never
worked in the first place when it was implemented.
@purple-WL purple-WL changed the base branch from stable to tests-passed August 24, 2020 04:07
@discoursebuild discoursebuild merged commit 2f043dc into tests-passed Aug 24, 2020
1 check passed