EclecticIQ Intelligence Center




Bypassing report content sanitization using API calls allows possible SSRF and directory traversal


28 February 2023


3 - HIGH

CVSSv3 score



✅ 3.0.0


The Intelligence Center (IC) is vulnerable to server-side request forgery (SSRF) and directory traversal attacks when a report entity is created on the IC containing an anchor tag (<a href="...">Text</a>) pointing to a local or remote resource. Such a report entity can be created on the IC when:

  • a user creates the report entity through the /private/entities or /api/v1/entities endpoints.

  • or when the IC receives such an entity through manual uploads or an incoming feed.

When this report entity is exported as a PDF, the IC creates the PDF and embeds the content of the resource specified in that anchor tag. Whomever subsequently opens the resulting PDF can click on the link created by the anchor tag and open the embedded resource.

To replicate:

  1. A user with at least modify entities permissions creates a report entity by making or intercepting a POST request to the /private/entities or /api/v1/entities/ API endpoint. This bypasses sanitization implemented on the IC UI.

  2. In the payload of the request, modify any of these fields:

    • data.title

    • data.description

    • data.short_description

    and add a link to a local or remote resource with an anchor tag like this:

    // ... payload
    "description": "<a href=\"file:///etc/passwd\">Download file</a>",
    // ... payload
  3. Send the request.

  4. With a user with at least read entiites permissions open the newly created report entity and export is as a PDF.

    During the export, the IC reads the /etc/passwd file on its local filesystem and embeds it in the resulting PDF.

  5. With any user, open the PDF and click on “Download file”.

    The user should be able to open a text file containing the contents of the /etc/passwd file from the IC instance.



Affected versions

2.14.x and earlier.