Onlinejudge
Monthly
Server-side request forgery (SSRF) in QingdaoU OnlineJudge up to version 1.6.1 allows authenticated remote attackers to perform arbitrary HTTP requests via the judge_server_heartbeat endpoint's service_url parameter, enabling potential exfiltration of internal data, interaction with internal services, or lateral movement within the target network. The vendor has not responded to disclosure attempts, and no official patch has been released.
In OnlineJudge 2.0, the sandbox has an incorrect access control vulnerability that can write a file anywhere. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Server-side request forgery (SSRF) in QingdaoU OnlineJudge up to version 1.6.1 allows authenticated remote attackers to perform arbitrary HTTP requests via the judge_server_heartbeat endpoint's service_url parameter, enabling potential exfiltration of internal data, interaction with internal services, or lateral movement within the target network. The vendor has not responded to disclosure attempts, and no official patch has been released.
In OnlineJudge 2.0, the sandbox has an incorrect access control vulnerability that can write a file anywhere. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.