NextChat Server-Side Request Forgery / Cross-Site Scripting
June 25, 2024, 7:21 a.m. | Rémy Marot
Tenable Research Advisories www.tenable.com
NextChat v2.12.3 suffers from Server-Side Request Forgery (SSRF) and Cross-Site Scripting (XSS) vulnerabilities due to a lack of validation of the endpoint GET parameter on the WebDav API endpoint.
The vulnerability exists because of the following code snippet:
// Validate the endpoint to prevent potential SSRF attacks
if (
  !mergedAllowedWebDavEndpoints.some(
    (allowedEndpoint) => endpoint?.startsWith(allowedEndpoint),
  )
)
This check seems incomplete because it validates whether the URL specified in the endpoint GET parameter starts with …