Adloop
Monthly
Server-side request forgery in kLOsk adloop through version 0.9.0 allows authenticated remote attackers to manipulate the `final_url` argument passed to the `_validate_urls` function in `src/adloop/ads/write.py`, causing the server to issue arbitrary outbound HTTP requests. Internal network services, cloud metadata endpoints, and other non-public resources reachable from the server may be exposed. A public proof-of-concept exploit exists via GitHub issue #41, and a vendor-released patch is available in version 0.10.0.
Server-side request forgery in kLOsk adloop through version 0.9.0 allows authenticated remote attackers to manipulate the `final_url` argument passed to the `_validate_urls` function in `src/adloop/ads/write.py`, causing the server to issue arbitrary outbound HTTP requests. Internal network services, cloud metadata endpoints, and other non-public resources reachable from the server may be exposed. A public proof-of-concept exploit exists via GitHub issue #41, and a vendor-released patch is available in version 0.10.0.