Critical Vulnerability Information

Vulnerability Type: Server-Side Request Forgery (SSRF)

Affected Product: Sonic Blogging Platform (go-sonic/sonic 1.1.4)

Vulnerability Description:
- An SSRF vulnerability exists in the theme fetching functionality.
- An authenticated administrator can submit a malicious URL, causing the server to send HTTP requests to arbitrary internal or external URLs, or read local files via the protocol.

Vulnerability Details:

1. SSRF via Theme Fetching API:
- In the file , the function directly accepts a user-provided URL and passes it to the function without any validation or sanitization.
- Vulnerable Code Snippet:

Exploitation Vectors:
- Internal Network Scanning: Attackers can probe internal services by specifying internal IP addresses.
- Local File Access: Use the protocol to access local files on the server.
- Cloud Metadata Access: In cloud environments (e.g., AWS/GCP/Azure), attackers can access instance metadata endpoints.
- DNS-Based Detection: Attackers can use DNSLog services to confirm outgoing requests.
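
A mitigation sketch for the unvalidated theme URL described above, as an added example that is not code from Sonic or from the original report: `ValidateThemeURL`, `Resolver` and `blocked` are hypothetical names, and the sample input is constructed. It allows only `http`/`https` and rejects destinations that are loopback, private, link-local (which includes the cloud metadata range), multicast or unspecified.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Resolver is injectable so the check can be exercised without network access.
type Resolver func(host string) ([]net.IP, error)

// blocked reports whether ip is an address a theme fetch should never reach.
func blocked(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast()
}

// ValidateThemeURL (hypothetical helper) returns the vetted destination IPs.
func ValidateThemeURL(raw string, lookup Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("parse: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" { // rejects file://, gopher://, ...
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, fmt.Errorf("missing host")
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: resolve the name first
		if ips, err = lookup(host); err != nil || len(ips) == 0 {
			return nil, fmt.Errorf("resolve %q failed", host)
		}
	}
	for _, ip := range ips { // every resolved address must be acceptable
		if blocked(ip) {
			return nil, fmt.Errorf("destination %s not allowed", ip)
		}
	}
	return ips, nil
}

func main() {
	_, err := ValidateThemeURL("file:///etc/passwd", net.LookupIP) // constructed input
	fmt.Println(err)
}
```

The fetch should then connect to one of the returned addresses rather than re-resolving the hostname, and apply the same check to every redirect target.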