EIQ-2023-0002#

ID	EIQ-2023-0002
Product	EclecticIQ Intelligence Center
CVE	N/A
Description	Bypassing report content sanitization using API calls allows possible SSRF and directory traversal
Date	28 February 2023
Severity	3 - HIGH
CVSSv3 score	7.7
Status	✅ 3.0.0
Assessment	The Intelligence Center (IC) is vulnerable to server-side request forgery (SSRF) and directory traversal attacks when a report entity is created on the IC containing an anchor tag (`<a href="...">Text</a>`) pointing to a local or remote resource. Such a report entity can be created on the IC when: a user creates the report entity through the `/private/entities` or `/api/v1/entities` endpoints. or when the IC receives such an entity through manual uploads or an incoming feed. When this report entity is exported as a PDF, the IC creates the PDF and embeds the content of the resource specified in that anchor tag. Whomever subsequently opens the resulting PDF can click on the link created by the anchor tag and open the embedded resource. To replicate: A user with at least `modify entities` permissions creates a report entity by making or intercepting a POST request to the `/private/entities` or `/api/v1/entities/` API endpoint. This bypasses sanitization implemented on the IC UI. In the payload of the request, modify any of these fields: `data.title` `data.description` `data.short_description` and add a link to a local or remote resource with an anchor tag like this: // ... payload "description": "<a href=\"file:///etc/passwd\">Download file</a>", // ... payload Send the request. With a user with at least `read entiites` permissions open the newly created report entity and export is as a PDF. During the export, the IC reads the `/etc/passwd` file on its local filesystem and embeds it in the resulting PDF. With any user, open the PDF and click on “Download file”. The user should be able to open a text file containing the contents of the `/etc/passwd` file from the IC instance.
Mitigation	-
Affected versions	2.14.x and earlier.
Notes	N/A