Details
Type: Bug
Resolution: Unresolved
Priority: Major
Description
Impact
The PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the server parameter.
However, the application does not validate the supplied URL. An attacker can supply an internal IP address or a malicious external URL. The XWiki server will attempt to connect to this URL to "render" the diagram.
PoC
1. Use an OAST service (such as Burp Collaborator) to capture the interaction.
2. Create a wiki page with the following content (the opening macro tag must be closed with `}}`):
{{plantuml server="http://oqiusawt5ny84yw017u6qgnay14ssmgb.oastify.com"}}
@startuml
A -> B: SSRF Test
@enduml
{{/plantuml}}

3. Save and view the page.

4. The XWiki server initiates an HTTP connection to the specified target.
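The fix this report calls for is validation of the user-supplied `server` URL before the wiki makes any outbound request. The following is an added example of such a check, written here for illustration; it is not XWiki's or the PlantUML macro's own code. It enforces an `http`/`https` scheme, rejects credentials in the URL, optionally requires the host to be on an administrator-maintained allowlist (the safest option for a render-server setting), and otherwise resolves the hostname and rejects any loopback, private, link-local, multicast, reserved or unspecified address, so both literal internal IPs and hostnames that resolve to internal addresses are refused. The `resolve` parameter, the hostnames and the IP addresses used in the example are constructed for offline demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_non_public(addr: str) -> bool:
    """True for any address an outbound render request must never reach."""
    ip = ipaddress.ip_address(addr)
    return (
        ip.is_loopback
        or ip.is_private        # RFC 1918, IPv6 ULA, plus other special-purpose ranges
        or ip.is_link_local     # 169.254.0.0/16 (cloud metadata endpoints), fe80::/10
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified    # 0.0.0.0 / ::
    )


def validate_server_url(url: str, allowed_hosts=None, resolve=None):
    """Return (ok, reason) for a user-supplied render-server URL.

    allowed_hosts: optional set of hostnames an administrator has approved.
    resolve:       hostname -> list of IP strings (hypothetical hook so the
                   check can be tested offline; defaults to getaddrinfo).
    """
    if resolve is None:
        def resolve(host):
            return [info[4][0] for info in socket.getaddrinfo(host, None)]

    try:
        parts = urlsplit(url)
        parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"

    host = parts.hostname
    if not host:
        return False, "missing host"

    # Preferred deployment: only administrator-approved servers may be used.
    if allowed_hosts is not None:
        if host.lower() in {h.lower() for h in allowed_hosts}:
            return True, f"{host} is on the allowlist"
        return False, f"host not on allowlist: {host}"

    # No allowlist: block literal internal addresses (IPv4 and bracketed IPv6).
    try:
        if _is_non_public(host):
            return False, f"address is not public: {host}"
        return True, f"public literal address: {host}"
    except ValueError:
        pass  # not an IP literal, fall through to DNS resolution

    try:
        addresses = resolve(host)
    except (socket.gaierror, OSError) as exc:
        return False, f"resolution failed for {host}: {exc}"
    if not addresses:
        return False, f"no addresses for {host}"

    for addr in addresses:
        if _is_non_public(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, f"{host} resolves only to public addresses"


if __name__ == "__main__":
    # Constructed resolver table; none of these names are real services.
    table = {
        "plantuml.example.org": ["93.184.216.34"],
        "intranet.example": ["10.0.0.5"],
        "metadata.example": ["169.254.169.254"],
    }
    fake = lambda h: table.get(h, [])
    for candidate in (
        "https://plantuml.example.org/plantuml",
        "http://127.0.0.1:8080/plantuml",
        "http://[::1]/plantuml",
        "http://intranet.example/plantuml",
        "http://metadata.example/latest",
        "file:///etc/hostname",
    ):
        print(candidate, "->", validate_server_url(candidate, resolve=fake))
```

Two caveats apply when wiring a check like this into a real HTTP client. The address that passed validation is the one the client must actually connect to (re-resolving at connect time reopens a DNS rebinding window), and redirects must either be disabled or re-validated with the same function, since an approved public server can otherwise redirect the request to an internal address.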

Attribution
Reported by: Łukasz Rybak (GitHub: https://github.com/lukasz-rybak)