CVE-2020-15002

Vulnerability

The OX App Suite versions up to 7.10.3 contain a server-side request forgery (SSRF) vulnerability in the /ajax/messaging/message API endpoint. This endpoint does not properly validate user-supplied URLs, allowing an attacker to force the server to make arbitrary HTTP requests to internal or external hosts.

Exploitation

An attacker can exploit this vulnerability by sending a crafted POST request to the /ajax/messaging/message endpoint with a manipulated message parameter containing a target URL. No authentication is required if the endpoint is exposed, and the server will initiate a request to the attacker-specified location, potentially revealing internal services or data.

Impact

Successful exploitation can lead to information disclosure by accessing internal resources, network reconnaissance, and potential further compromise of the internal infrastructure. The attacker may be able to bypass firewall restrictions and interact with services that are not intended to be publicly accessible.

Mitigation

The vulnerability is present in OX App Suite versions up to 7.10.3. The fixed version is not explicitly disclosed in the available references. Users should upgrade to the latest version of OX App Suite (7.10.4 or later) if available. If patching is not possible, network-level access controls should be applied to restrict access to the vulnerable endpoint.