Bug description
In PartKeepr before v1.4.0, the functionality to upload attachments using a URL when creating a part does not validate that requests can be sent to local ports, allowing SSRF attacks and port enumeration.
Expected behavior
The application should not allow access to local ports.
Observed behavior
Local ports can be accessed inside the server.
I attach the link to the advisory https://fluidattacks.com/advisories/joplin/