Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-28090: Jspxcms 10.2.0版本 后台存在SSRF · Issue #I4ZKDR · jspxcms/Jspxcms - Gitee.com

Jspxcms v10.2.0 allows attackers to execute a Server-Side Request Forgery (SSRF) via /cmscp/ext/collect/fetch_url.do?url=.

CVE
Open in Source
#vulnerability#js#git#ssrf

When not logged in, the access trigger point will jump to the login page

![payload1](https://images.gitee.com/uploads/images/2022/0325/150016_20132aac_2109467.png “屏幕截图.png”)

After login access trigger point: /cmscp/ext/collect/fetch_url.do?url=https://www.baidu.com/

![输入图片说明](https://images.gitee.com/uploads/images/2022/0325/150055_2f969283_2109467.png “屏幕截图.png”)

This vulnerability can realize the function of intranet port detection, access different ports, open and open echoes will be different

![输入图片说明](https://images.gitee.com/uploads/images/2022/0325/150246_d1996c5d_2109467.png “屏幕截图.png”)

![输入图片说明](https://images.gitee.com/uploads/images/2022/0325/150255_ecd40632_2109467.png “屏幕截图.png”)

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE