Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations
Required Permissions The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the volume" "Create assets in the volume" Details The implementation fails to restrict the URL Scheme. While the application is intended to "upload assets", there is no...