Squidex · Squidex · CVE-2026-24736
**Name of the Vulnerable Software and Affected Versions**
Squidex versions up to and including 7.21.0
**Description**
Squidex is an open source headless content management system and content management hub. The `url` parameter within the webhook configuration in the Rules engine does not validate or restrict destination IP addresses, accepting local addresses like 127.0.0.1 or localhost. When a rule is triggered, the backend server makes an HTTP request to the user-supplied URL and logs the full HTTP response in the rule execution log (the `lastDump` field), accessible via the API. This transforms a "Blind" Server-Side Request Forgery (SSRF) into a "Full Read" SSRF, allowing access to the full HTTP response.
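The destination check the advisory says is missing, as an added illustration (this is not Squidex's code and does not use its API): a webhook URL is accepted only if its scheme is http/https and every address the host resolves to is publicly routable, so loopback, private, link-local, IPv4-mapped and unspecified addresses are rejected before any request is made. The resolver is injectable so the example runs offline against a small constructed DNS table; `system_resolver` is the real lookup you would use in service code.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list:
    """Return every A/AAAA address the OS resolver gives for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_blocked_address(ip) -> bool:
    """True for any address that should never be a webhook destination."""
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global covers loopback, RFC1918, link-local, reserved and unspecified;
    # multicast is excluded explicitly because it is not flagged as private.
    return (not ip.is_global) or ip.is_multicast


def check_webhook_url(url: str, resolve: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). Only http/https to public hosts is allowed."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} is not http/https"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        # Literal IP (including bracketed IPv6): no DNS lookup needed.
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            candidates = list(resolve(host))
        except OSError as exc:
            return False, f"DNS lookup failed: {exc}"
        if not candidates:
            return False, f"{host} did not resolve"
    # Every resolved address must pass; one internal record is enough to refuse.
    for addr in candidates:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"resolver returned unusable address {addr!r}"
        if is_blocked_address(ip):
            return False, f"{host} -> {addr} is not a public address"
    return True, "ok"


# Constructed DNS table for the offline demonstration (hypothetical names;
# 8.8.8.8 stands in for any public address, 10.0.0.5 for an internal one).
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "hooks.example.net": ["8.8.8.8"],
    "mixed.example.net": ["8.8.8.8", "10.0.0.5"],
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1/", "http://localhost:8080/x",
                      "http://[::ffff:127.0.0.1]/", "http://169.254.1.1/",
                      "https://hooks.example.net/hook", "https://mixed.example.net/hook"):
        print(candidate, check_webhook_url(candidate, fake_resolve))
```

Two points matter in practice: the check must see the same resolution the HTTP client will use (validate once at configuration time and again, or pin the resolved address, when the rule actually fires), and any redirect the client follows needs the same check applied to the new location, otherwise a public host can still bounce the request to an internal address.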
**Recommendations**
Versions prior to 7.21.0 are affected.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.