PT-2020-17350 · Tindy2013 · Subconverter

Imlk0O · Published 2020-12-20 · Updated 2020-12-22 · CVE-2020-35579

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: tindy2013 subconverter version 0.6.4

Description: The issue concerns the /sub?target=%TARGET%&url=%URL%&config=%CONFIG% API endpoint, which accepts an arbitrary %URL% value and launches a GET request for it. It does not account for the possibility that the external request target may, directly or through a redirect chain, point back to this same /sub endpoint, which can produce a request loop and a denial of service.

Recommendations: For version 0.6.4, consider disabling the /sub API endpoint until a patch is available, to prevent potential denial of service attacks. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using the url parameter in the affected API endpoint until the issue is resolved.
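The description and recommendations above boil down to one defensive rule for any fetch-by-URL endpoint: the service must never end up requesting itself, and it must follow redirects one hop at a time so that every hop is checked. The following is an added example written for this advisory, not subconverter's own code. It replaces the network with a constructed in-memory redirect table (all hostnames, the `SELF_HOSTS` set and the port 25500 are assumptions) and shows a fetch routine that refuses loopback and private addresses, refuses the service's own hostnames, detects redirect cycles, and caps the number of hops.

```python
"""Defensive fetch guard for a /sub?url=... style endpoint.

Added example for CVE-2020-35579, not subconverter code. Network access is
simulated with a constructed redirect table so the script runs offline.
"""
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5
# Hostnames under which this service itself is reachable (assumption).
SELF_HOSTS = {"localhost", "sub.example.internal"}

# Constructed "web": url -> (HTTP status, Location header or body).
FAKE_WEB = {
    # A legitimate subscription source.
    "http://cdn.example.com/list.txt": (200, "vmess://constructed\nss://constructed"),
    # A redirect chain that bounces back to the service's own /sub endpoint
    # with the same url parameter: the loop the advisory describes.
    "http://evil.example.net/a": (302, "http://evil.example.net/b"),
    "http://evil.example.net/b": (
        302, "http://127.0.0.1:25500/sub?target=clash&url=http://evil.example.net/a"),
    # Two external URLs that redirect to each other forever.
    "http://loop.example.net/x": (302, "http://loop.example.net/y"),
    "http://loop.example.net/y": (302, "http://loop.example.net/x"),
}
# A long but finite chain: /0 -> /1 -> ... -> /8 -> 200.
FAKE_WEB.update({f"http://deep.example.net/{i}": (302, f"http://deep.example.net/{i + 1}")
                 for i in range(8)})
FAKE_WEB["http://deep.example.net/8"] = (200, "ss://constructed")


def refuse_reason(url):
    """Return a reason string if this URL must not be fetched, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "unsupported-scheme"
    host = (parts.hostname or "").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    # Literal IPs pointing at ourselves or the internal network are refused.
    # In production, also resolve DNS names and apply this test to the result.
    if ip is not None and (ip.is_loopback or ip.is_private
                           or ip.is_link_local or ip.is_unspecified):
        return "loopback-or-private-address"
    if host in SELF_HOSTS:
        return "self-reference"
    return None


def safe_fetch(url, web=FAKE_WEB):
    """Fetch url, following redirects manually and checking every hop.

    Returns ("ok", body) or ("refused", reason).
    """
    seen = set()
    current = url
    redirects = 0
    while True:
        reason = refuse_reason(current)
        if reason:
            return ("refused", reason)
        if current in seen:
            return ("refused", "redirect-cycle")
        seen.add(current)
        status, payload = web.get(current, (404, ""))
        if status == 200:
            return ("ok", payload)
        if status in (301, 302, 303, 307, 308):
            redirects += 1
            if redirects > MAX_REDIRECTS:
                return ("refused", "too-many-redirects")
            # Resolve relative Location values against the current URL, then
            # loop so the new target goes through refuse_reason() as well.
            current = urljoin(current, payload)
            continue
        return ("refused", f"http-{status}")


if __name__ == "__main__":
    for u in ("http://cdn.example.com/list.txt", "http://evil.example.net/a",
              "http://loop.example.net/x", "http://deep.example.net/0"):
        print(u, "->", safe_fetch(u))
```

The important design choice is that the HTTP client's automatic redirect following is replaced by the manual loop: a client that follows redirects on its own would have already connected to 127.0.0.1:25500 before any check ran. Hostname and literal-IP checks alone do not cover a DNS name that resolves to the service's own address, so a production version should resolve the name, check the resolved address with the same predicate, and connect to that address rather than re-resolving.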


Related Identifiers: CVE-2020-35579

Affected Products: Subconverter