POC for CVE 2021-35391

• Vulnerability Type: Full Read Server Side Request Forgery (SSRF)
• Component: Custom Email-Templates
• Vendor: Deskpro
• Product: Deskpro Cloud Platform and on-premise
• Fix-Version: 2021.1.7 from 2021-07-06
• Attacker: an admin user.
• Impact: an attacker can execute internal URLs to fetch content form internal hosts such as cloud metadata etc
• Vectors: an attacker just need to create a custom slack app and enter internal url followed by 303 redirect.
  
  
  

  Video PoC