Nextchat · Nextchat · CVE-2024-38514
**Name of the Vulnerable Software and Affected Versions**
NextChat versions prior to 2.12.4
**Description**
The issue is a Server-Side Request Forgery (SSRF) vulnerability caused by a lack of validation of the `endpoint` GET parameter on the WebDav API endpoint. The SSRF can be used to perform arbitrary HTTPS requests from the vulnerable instance, supporting the MKCOL, PUT, and GET methods. It can also be used to target users and make them execute arbitrary JavaScript code in their browser.
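As an added illustration of the mitigation (this is example code written for this page, not NextChat's own implementation, and it assumes nothing about how the project's WebDav route is structured), the following TypeScript shows the kind of server-side check an `endpoint` parameter needs before a proxy-style route forwards a request: parse the value as an absolute URL, require `https:`, reject embedded credentials and local or private hosts, compare the host against an operator-maintained allowlist, and restrict the relayed method to the WebDAV verbs the feature actually needs. The allowlisted hostnames are constructed placeholders. A second helper shows how to relay an upstream response body without letting the browser render it as an active document, which addresses the client-side script execution mentioned above.

```typescript
// Added example (not NextChat's code). Allowlist validation for a
// user-supplied WebDAV "endpoint" parameter, plus safe relay headers.

// Constructed placeholder allowlist; an operator would configure this.
const ALLOWED_WEBDAV_HOSTS: ReadonlySet<string> = new Set([
  "dav.example.com",
  "cloud.example.org",
]);

// Only the verbs the WebDAV sync feature needs.
const ALLOWED_METHODS: ReadonlySet<string> = new Set(["GET", "PUT", "MKCOL"]);

interface ValidationResult {
  ok: boolean;
  reason?: string;
  target?: string;
}

function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// Literal checks for loopback, link-local and RFC 1918 ranges. This guards
// against a misconfigured allowlist entry; a production check would also
// resolve DNS and re-check the resolved address before connecting.
function isPrivateOrLocalHost(hostname: string): boolean {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "");
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "::1" || h === "0.0.0.0") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (m) {
    const a = Number(m[1]);
    const b = Number(m[2]);
    if (a === 0 || a === 10 || a === 127) return true;
    if (a === 169 && b === 254) return true;
    if (a === 172 && b >= 16 && b <= 31) return true;
    if (a === 192 && b === 168) return true;
  }
  return false;
}

// Validate the endpoint and method before any server-side request is made.
function validateWebDavEndpoint(raw: string, method: string): ValidationResult {
  const url = parseUrl(raw);
  if (!url) {
    return { ok: false, reason: "endpoint is not an absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} is not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in endpoint are not allowed" };
  }
  if (isPrivateOrLocalHost(url.hostname)) {
    return { ok: false, reason: "endpoint points at a local or private host" };
  }
  if (!ALLOWED_WEBDAV_HOSTS.has(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} is not allowlisted` };
  }
  if (!ALLOWED_METHODS.has(method.toUpperCase())) {
    return { ok: false, reason: `method ${method} is not allowed` };
  }
  return { ok: true, target: url.toString() };
}

// Headers for relaying an upstream WebDAV response to the browser. Anything
// that is not XML or JSON is downgraded to an opaque octet stream so a
// malicious upstream cannot hand the client an HTML document to execute.
function relayResponseHeaders(upstreamContentType: string | null): Record<string, string> {
  const ct = (upstreamContentType ?? "").toLowerCase();
  const safe =
    ct.startsWith("application/xml") ||
    ct.startsWith("text/xml") ||
    ct.startsWith("application/json");
  return {
    "Content-Type": safe ? ct : "application/octet-stream",
    "X-Content-Type-Options": "nosniff",
  };
}
```

In a route handler the request would be forwarded only when `validateWebDavEndpoint(...).ok` is true, using the returned `target` rather than the raw parameter, and the upstream response would be copied back through `relayResponseHeaders` instead of passing the upstream `Content-Type` through unchanged. Hostname allowlisting is the primary control here; the private-range check is defense in depth for the case where the allowlist itself is misconfigured.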
**Recommendations**
For versions prior to 2.12.4, update to version 2.12.4 to resolve the issue. As a temporary workaround, consider restricting access to the WebDav API endpoint until the update is applied. Avoid using the `endpoint` parameter in the affected API endpoint until the issue is resolved.