Jizhicms Server-Side Request Forgery Vulnerability in User Evaluation, Message, and Comment Modules
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Jizhicms version 2.5.4. The issue resides in the User Evaluation, Message, and Comment modules, which do not properly validate the URL of a network image before importing it. Because the supplied URL is not checked, a user can submit an internal network address; the server then issues a request to that address and can expose sensitive internal resources.
Impact
Exploitation of this vulnerability allows for Server-Side Request Forgery, where an attacker can make the server send requests to internal services or networks, potentially leading to further exploitation or information disclosure.
Reproduction
To reproduce this vulnerability, submit an image through the User Evaluation, Message, or Comment module whose source URL points at an internal network address. The server processes the request, fetches the internal resource, and returns its content, which triggers the SSRF.
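The validation the page says the image importer lacks, as an added PHP example that is not Jizhicms code (function names, flags and limits are my own choices): the URL must be plain http(s) with no embedded credentials, every address the host maps to must be public, and the fetch refuses redirects and pins the checked address.

```php
<?php
// Added example, not code from Jizhicms: allow-list checks on a user-supplied image
// URL, then a fetch that pins the checked address and refuses redirects.
const SSRF_IP_FLAGS = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
// Returns the public IP the URL points at, or null if the URL is malformed or
// resolves to a private, loopback or link-local address (e.g. 127.0.0.1, 10/8).
function public_image_host_ip(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host']) || isset($p['user']) || isset($p['pass'])
        || !in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;        // malformed, user@host trick, or file://, gopher://, dict:// etc.
    }
    $host = trim($p['host'], '[]');
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {       // IPv4/IPv6 literal
        return filter_var($host, FILTER_VALIDATE_IP, SSRF_IP_FLAGS) !== false ? $host : null;
    }
    $ips = gethostbynamel($host);   // hostname: every address it maps to must be public
    if (!$ips) { return null; }     // unresolvable (or IPv6-only, which this check rejects)
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, SSRF_IP_FLAGS) === false) {
            return null;
        }
    }
    return $ips[0];
}
// Fetches the image body, or null on any failure. For hostnames the checked IP is
// handed to curl, so a second DNS answer (rebinding) cannot swap in an internal host.
function fetch_remote_image(string $url, int $maxBytes = 5000000): ?string
{
    $ip = public_image_host_ip($url);
    if ($ip === null) { return null; }
    $p = parse_url($url);
    $port = $p['port'] ?? (strtolower($p['scheme']) === 'https' ? 443 : 80);
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                     // a 302 could point inward
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => $maxBytes,
    ];
    if ($ip !== trim($p['host'], '[]')) {                    // pin hostname to checked IP
        $opts[CURLOPT_RESOLVE] = ["{$p['host']}:$port:$ip"];
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    $ok = $body !== false && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200
        && strncmp((string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE), 'image/', 6) === 0;
    curl_close($ch);
    return $ok ? $body : null;
}
```

The two filter_var flags do not cover every special-purpose range (100.64.0.0/10 and multicast, for instance), so a production version should keep an explicit deny list alongside them.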
