PoC for CVE-2021-35391
- Vulnerability Type: Full Read Server Side Request Forgery (SSRF)
- Component: Custom Email-Templates
- Vendor: Deskpro
- Product: Deskpro Cloud Platform and on-premise
- Fix-Version: 2021.1.7 from 2021-07-06
- Attacker: an admin user.
- Impact: an attacker can make the server request internal URLs and read back the responses, e.g. content from internal hosts or the cloud metadata service.
- Vectors: an attacker just needs to create a custom Slack app and enter a URL that is followed by a 303 redirect to an internal URL.