From this webpage screenshot, the following key information about the vulnerability can be obtained:

1. Vulnerability Name: Lightdash - Server-Side Request Forgery Session Takeover
2. Vulnerability Severity: High
3. Vulnerability Description:
   - Summary: Server-Side Request Forgery (SSRF) in the export dashboard functionality of Lightdash version 0.1024.6 allows remote authenticated threat actors to obtain the session cookie of any user who exports a crafted dashboard. When dashboards containing HTML elements are exported, they can trigger HTTP requests to an external domain that include the exporting user's session cookie. A threat actor could steal this cookie and use it to hijack application user sessions.
4. Vulnerability Impact:
   - Severity: HIGH – Exploitation of this vulnerability could lead to user session compromise and allow a threat actor to take over user sessions. If an administrative user is targeted, the threat actor could gain administrative control over the Lightdash instance.
5. Exploitation:
   - Proof of Concept: Exploitation requires a threat actor to inject HTML elements into a shared dashboard that point to a threat actor-controlled source. Any user who exports the dashboard will leak their session token to the threat actor.
6. Reproduction Steps:
   1. Log into the application with a user account that has permissions to create a new dashboard.
   2. Create a new markdown dashboard containing HTML injection payloads pointing to Burp Collaborator and save the dashboard.
   3. Click on the "Export Dashboard" menu and select "Generate preview".
   4. Wait for the preview to generate and observe an HTTP request to Burp Collaborator containing the session cookie of the user who initiated the preview generation.
   5. Share the dashboard with a simulated victim user.
   6. Log into the application as a simulated victim user and repeat the steps to generate a preview of the dashboard.
   7. Wait for the preview to generate and observe that the simulated victim user's session cookie is exfiltrated to Burp Collaborator.
7. Further Analysis:
   - A threat actor must be authenticated to the application and have the necessary permissions to create or edit a shared dashboard and inject a payload. Any user who exports the dashboard will trigger the vulnerability and leak their session token. A threat actor could wait for a user to trigger the SSRF during normal application interaction or force the user to perform the action via cross-site scripting, as described in CVE-2024-6585.
8. Vendor Analysis:
   - The vendor identified the root cause as Puppeteer setting sensitive headers and cookies on requests to the headless browser. The issue was remediated in version 0.1027.2.
9. Remediation Information:
   - Remediated Version: https://github.com/lightdash/lightdash/releases/tag/0.1027.2
   - Git Patch: https://patch-diff.githubusercontent.com/raw/lightdash/lightdash/pull/9295.patch
   - GitHub Pull Request: lightdash/lightdash#9295
10. Timeline:
    - Date reported: 03/07/2024
    - Date fixed: 03/08/2024
    - Date disclosed: 08/30/2024

This information provides a detailed overview of the SSRF vulnerability in Lightdash, including its nature, impact, reproduction steps, further analysis, vendor response, remediation details, and timeline, aiding in understanding the severity and resolution of the issue.
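
The vendor analysis above attributes the leak to sensitive headers and cookies being set on requests made by the headless browser. As an added example (not Lightdash's patch and not code from the advisory), the following shows one way to scope such credentials to the application's own origin using Puppeteer request interception. `SITE_URL`, the sensitive-header list, and all sample values are assumptions, and it assumes the session credential reaches the browser as a request header.

```javascript
// Added example, not Lightdash's code. SITE_URL is a constructed placeholder.
const SITE_URL = "https://lightdash.example.internal";
// Headers that must never leave the application's own origin (assumed list).
const SENSITIVE_HEADERS = ["cookie", "authorization", "proxy-authorization"];

// True only when the request targets exactly the application's origin
// (scheme + host + port). Parsing with URL avoids substring checks that
// look-alike hosts or userinfo tricks would pass.
function isSameOrigin(requestUrl, siteUrl) {
  try {
    return new URL(requestUrl).origin === new URL(siteUrl).origin;
  } catch {
    return false; // unparsable URL: treat as foreign
  }
}

// Return the headers that may accompany a request to requestUrl.
// Same-origin requests keep everything; all others lose sensitive headers.
function scopedHeaders(requestUrl, headers, siteUrl = SITE_URL) {
  if (isSameOrigin(requestUrl, siteUrl)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.includes(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Handler for Puppeteer's 'request' event. Wiring (needs the puppeteer package):
//   await page.setRequestInterception(true);
//   page.on("request", (req) => onRequest(req));
function onRequest(req, siteUrl = SITE_URL) {
  return req.continue({
    headers: scopedHeaders(req.url(), req.headers(), siteUrl),
  });
}
```

With this in place, an HTML element in a dashboard tile that references an external host is still fetched during export, but the request carries no session credential.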