Primary

Context

Givanz VvvebJs Server-Side Request Forgery and Arbitrary File Read Vulnerability

Vulnerability

A critical vulnerability in Givanz VvvebJs version 1.7.2 allows for Server-Side Request Forgery (SSRF) and arbitrary file reading. This issue arises from improper handling of user-supplied URLs in the 'file_get_contents' function within 'save.php'.

Impact

Exploitation of this vulnerability allows attackers to read arbitrary files on the server and execute internal requests.

Reproduction

To reproduce this vulnerability, send a request to 'save.php' with the 'action' parameter set to 'oembedProxy' and the 'url' parameter set to a file path, such as '/etc/passwd'. The response will contain the contents of the specified file, demonstrating the arbitrary file read capability. Additionally, internal requests can be made by setting the 'url' parameter to 'http://127.0.0.1', which will proxy the response from the local server.

Added: Dec 29, 2025, 8:21 PM

Updated: Dec 29, 2025, 8:21 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

6.0

remediation

0.0

relevance

1.7

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

6.0

remediation

0.0

relevance

1.7

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Givanz VvvebJs Server-Side Request Forgery and Arbitrary File Read Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

givanz VvvebJs

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating