id: CVE-2024-11044

info:
  name: Stable Diffusion Webui 1.10.0 - Open Redirect
  author: DhiyaneshDK
  severity: medium
  description: |
    An open redirect vulnerability exists in Stable-Diffusion-Webui 1.10.0, where the file parameter in the /file= endpoint can be manipulated to redirect users to malicious websites. This could facilitate phishing attacks by tricking users into visiting attacker-controlled URLs.
  impact: |
    Unauthenticated attackers can redirect users to malicious URLs via the file parameter, facilitating phishing attacks and credential theft.
  remediation: |
    Update Stable Diffusion Webui to a version newer than 1.10.0.
  reference:
    - https://huntr.com/bounties/ee942e5e-4987-4f81-ba83-014fec6b33b3
  classification:
    epss-score: 0.01375
    epss-percentile: 0.80731
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="stable-diffusion-webui"
  tags: cve,cve2024,huntr,redirect,oss,stable_diffusion_webui,automatic1111,vuln

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        dsl:
          - 'contains_any(tolower(body), "stable-diffusion-webui", "k-diffusion", "content=\"stable diffusion")'
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/file=https://oast.pro"

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)oast\.pro.*$'
# digest: 490a0046304402207637f249814f4c8b1105e13eaa43b29a6eea2bdce928f51f8a6c5c0dd625f603022050a82ecd09c9e0778ab8d73e82a8276723fdbcdfe91b49d03ce43baab810bc04:922c64590222798bb761d5b6d8e72950