Steps to reproduce:
- Make sure the office server is running.
- As guest (or any user with view right) go to the main page of the wiki.
in the browser's console.
An error is displayed.
The content of https://example.com/index.html is displayed without styling. This demonstrates a server-side request forgery (SSRF) that can be used to expose data from internal services that are only reachable from the host. There seem to be limits on what content is displayed: in particular, the URL seems to need an ending that resembles a file name, but apart from that it also seems to display different errors depending on whether the URL returns an error or not.
This can be exploited in any wiki page, in comments, or via the HTMLConverter as demonstrated above.
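The usual mitigation for an SSRF like the one described here is to validate every URL the server fetches on a user's behalf before the request is made: restrict the scheme, refuse URLs with embedded credentials, resolve the host name, and reject any address that lands in a loopback, link-local, private or otherwise internal range. The following is an added, stand-alone example written for this report; it is not code from the wiki or the office server, and the function name `is_safe_fetch_url`, the `resolver` parameter and the sample host names are assumptions made for illustration. The `resolver` hook lets the check be tested without network access; in production the default resolver (`socket.getaddrinfo`) is used.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges a server-side fetcher should never be allowed to reach.
# Covers loopback, RFC 1918 private space, link-local (including the cloud
# metadata address range 169.254.0.0/16), CGNAT, the "this host" network,
# and their IPv6 equivalents, including IPv4-mapped IPv6 addresses.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host):
    """Resolve a host name to every address it maps to (IPv4 and IPv6)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_blocked(address_text):
    """True if the given IP literal falls inside any blocked network."""
    addr = ipaddress.ip_address(address_text)
    return any(addr in net for net in BLOCKED_NETWORKS)


def is_safe_fetch_url(url, resolver=_default_resolver):
    """Return (ok, reason) for a URL the server is asked to fetch.

    `resolver` is an assumed hook (a callable host -> list of IP strings) so
    the check can be exercised offline; it defaults to a real DNS lookup.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    if parts.username is not None or parts.password is not None:
        # Credentials in the URL are a classic way to confuse host parsing.
        return False, "credentials in URL are not allowed"

    # A literal IP address needs no DNS lookup; check it directly.
    try:
        if _is_blocked(host):
            return False, "address %s is in a blocked range" % host
        return True, "ok"
    except ValueError:
        pass  # not an IP literal, fall through to name resolution

    try:
        addresses = resolver(host)
    except (socket.gaierror, OSError) as exc:
        return False, "could not resolve %s: %s" % (host, exc)
    if not addresses:
        return False, "host %s resolved to no addresses" % host

    # Every address the name maps to must be public; one internal answer
    # among several is enough to reject the request.
    for address in addresses:
        if _is_blocked(address):
            return False, "host %s resolves to blocked address %s" % (host, address)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs with a fake resolver so this runs offline.
    fake_dns = {"public.example": ["203.0.113.10"],
                "intranet.example": ["203.0.113.11", "10.0.0.5"]}
    for candidate in ("https://public.example/index.html",
                      "https://intranet.example/report.html",
                      "http://127.0.0.1/index.html",
                      "http://[::1]/index.html",
                      "ftp://public.example/index.html"):
        print(candidate, is_safe_fetch_url(candidate, resolver=fake_dns.get))
```

One caveat worth keeping in mind: a check like this validates the name at request time, so the HTTP client must connect to the address that was validated rather than resolving the name a second time, otherwise a DNS answer that changes between the check and the connection (DNS rebinding) bypasses it. Redirects must be validated with the same function on every hop as well.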