PT-2024-28043 · Nextchat · Nextchat

Fred-Bf · Published 2024-06-28 · Updated 2024-07-01 · CVE-2024-38514

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: NextChat versions prior to 2.12.4

Description: The issue is a Server-Side Request Forgery (SSRF) vulnerability caused by missing validation of the endpoint GET parameter of the WebDav API endpoint. The SSRF can be used to perform arbitrary HTTPS requests from the vulnerable instance, with the MKCOL, PUT, and GET methods supported. It can also be turned against users, making their browsers execute arbitrary JavaScript code.

Recommendations: For versions prior to 2.12.4, update to version 2.12.4 to resolve the issue. As a temporary workaround, restrict access to the WebDav API endpoint until the update is applied, and avoid using the endpoint parameter of the affected API endpoint until the issue is resolved.
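
The root cause above is a user-controlled endpoint value that the server forwards without checking. The TypeScript below is an added example, not NextChat's code or its actual fix: it validates a supplied endpoint against a hypothetical origin allowlist and limits the proxied method to the three the advisory names. The allowlist entry dav.example.com and the function names are assumptions.

```typescript
// Added example (not NextChat's own code): validate a user-supplied `endpoint`
// before a server-side WebDAV proxy forwards a request to it. The unsafe
// pattern this guards against is forwarding `endpoint` to fetch() unchecked.

// Hypothetical allowlist of WebDAV origins this deployment may talk to.
const ALLOWED_WEBDAV_ORIGINS: string[] = ["https://dav.example.com"];
// Only the methods the WebDAV feature actually needs.
const ALLOWED_METHODS = new Set(["GET", "PUT", "MKCOL"]);

interface ValidationResult {
  ok: boolean;
  reason?: string;
  target?: string; // normalized URL, only present when ok === true
}

function validateWebDavTarget(endpoint: string, method: string): ValidationResult {
  if (!ALLOWED_METHODS.has(method.toUpperCase())) {
    return { ok: false, reason: "method not allowed" };
  }
  let url: URL;
  try {
    url = new URL(endpoint); // rejects relative paths and malformed input
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "scheme must be https" };
  }
  // "https://dav.example.com@evil.example/" parses the allowlisted name as
  // userinfo and evil.example as the host; refuse any credentials in the URL.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "credentials in URL" };
  }
  // Compare full origins (scheme + host + port), never string prefixes, so
  // "https://dav.example.com.evil.example" or a different port cannot match.
  if (!ALLOWED_WEBDAV_ORIGINS.includes(url.origin)) {
    return { ok: false, reason: "origin not in allowlist" };
  }
  return { ok: true, target: url.href };
}
```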

Related Identifiers

CVE-2024-38514
GHSA-GPH5-RX77-3PJG

Affected Products

Nextchat