Viktor Chuchurski

**Name of the Vulnerable Software and Affected Versions** Canarytokens versions prior to the latest Docker image (after `sha-097d91a`) **Description** A Cross-Site Scripting issue was identified in the "Cloned Website" Canarytoken. The creator of a slow-redirect Canarytoken can insert Javascript into the destination URL of their slow redirect token. When the creator later browses the management page for their own Canarytoken, the Javascript executes, resulting in a self-XSS. An attacker could create a Canarytoken with this self-XSS and send the management link to a victim, allowing the Javascript to execute when they click on it. However, no sensitive information, such as session information, will be disclosed to the malicious actor. **Recommendations** For self-hosted Canarytokens installations, update by pulling the latest Docker image, or any Docker image after `sha-097d91a`. As a temporary workaround, consider restricting access to the management page of the Canarytoken until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Canarytokens versions prior to `sha-8ea5315` **Description** Canarytokens help track activity and actions on a network. The Webhook alert feature in Canarytokens.org was vulnerable to a blind Server-Side Request Forgery (SSRF) prior to `sha-8ea5315`. When a Canarytoken is created, users can choose to receive alerts via email or a webhook. If a webhook is supplied, the site makes a test request to the supplied URL to ensure it accepts alert notification HTTP requests. No safety checks were performed on the URL, leading to the SSRF vulnerability. The SSRF is blind because the content of the response is not displayed to the creating user; they are simply told whether an error occurred in making the test request. Using the Blind SSRF, it was possible to map out open ports for IPs inside the Canarytokens.org infrastructure. **Recommendations** For self-hosted Canarytokens installations, update by pulling the latest Docker image, or any Docker image after `sha-097d91a`. As a temporary workaround, consider restricting the use of the Webhook alert feature until the issue is resolved. Avoid using the Webhook alert feature with untrusted URLs to minimize the risk of exploitation.