CVE-2024-27564
Published 2024-03-05
Priority: P2 (75) · Severity: medium · CVSS 3.1 base score: 6.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:N
Tags: ITW (exploited in the wild) · EXPLOIT · VulnCheck KEV
EPSS: 40.64% (98.5th percentile)
pictureproxy.php in the dirk1983 mm1.ltd source code f9f4bbc allows SSRF via the url parameter. NOTE: the references section has an archived copy of pictureproxy.php from its original GitHub location, but the repository name might later change because it is misleading.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dirk1983 | chatgpt | — | — |
| dirk1983 | mm1.ltd_source_code | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to pictureproxy.php where the url parameter contains internal/private IP ranges or non-public hostnames, indicating SSRF exploitation attempts. Percent-decode the parameter before matching; a literal address may also be written in decimal, octal or hex form, and a public-looking hostname can still resolve to an internal address.
- The repository name associated with this vulnerability may change over time, as it was noted to be misleading; the archived copy of pictureproxy.php should be used as the authoritative reference for the vulnerable code.
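The description above (an attacker-controlled url parameter fetched server-side) and the detection note both come down to the same two pieces: a rule for what counts as a non-public target, and a scan that applies it to requests for pictureproxy.php. The Python below is an added example, not code from dirk1983/chatgpt or from any source quoted on this page. It assumes combined-format access logs, a hypothetical suffix list for internal names, and constructed sample log lines and hostnames; the same classifier also serves as the pre-fetch guard the proxy needed, when run with DNS resolution.

```python
"""Added example, not code from dirk1983/chatgpt: one classifier decides whether a user-supplied
URL names a non-public origin. It is the pre-fetch guard the proxy lacked and, run without DNS,
a detector over access-log lines. Suffix list, hostnames and log lines are constructed."""
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlsplit

NON_PUBLIC_SUFFIXES = (".local", ".localhost", ".internal", ".lan", ".corp", ".home.arpa")  # assumed list

def _int_part(p):  # one dotted component as inet_aton reads it: hex 0x7f, octal 0177 or decimal
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    return int(p, 8) if len(p) > 1 and p[0] == "0" else int(p)

def parse_ip_literal(host):
    """IP literal as curl/inet_aton read it, including 2130706433, 0177.0.0.1 and
    0x7f.1 (all 127.0.0.1), which ipaddress rejects; None if host is not a literal."""
    h = host.strip("[]")
    try:
        return ipaddress.ip_address(h)
    except ValueError:
        parts = h.split(".")
    try:
        nums = [_int_part(p) for p in parts]
    except ValueError:
        return None
    width = 8 * (5 - len(parts))  # inet_aton: the last component fills the remaining bytes
    if not 1 <= len(parts) <= 4 or any(not 0 <= n <= 255 for n in nums[:-1]) or not 0 <= nums[-1] < 1 << width:
        return None
    return ipaddress.IPv4Address(int.from_bytes(bytes(nums[:-1]), "big") << width | nums[-1])

def _ip_reason(ip):
    """Why an address is not a public origin, or None if it is."""
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:127.0.0.1 is really 127.0.0.1
    if mapped is not None:
        return _ip_reason(mapped)
    for attr, why in (("is_loopback", "loopback"), ("is_link_local", "link-local (cloud metadata range)"),
                      ("is_private", "private")):
        if getattr(ip, attr):
            return why
    return None if ip.is_global else "non-global"

def dns_resolve(host):
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def classify_target(url, resolver=None):
    """Reason string if url must not be fetched server-side, else None. resolver maps a host
    to its IP strings; None means static checks only (no DNS), which is what a log detector
    wants. The proxy guard passes dns_resolve so a name that resolves to 10.0.0.5 is caught."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased, brackets and userinfo stripped
    except ValueError:
        return "unparseable URL"
    if parts.scheme not in ("http", "https") or not host:
        return f"scheme {parts.scheme!r} with host {host!r} not allowed"
    ip = parse_ip_literal(host)
    if ip is not None:
        reason = _ip_reason(ip)
        return f"literal {ip} is {reason}" if reason else None
    if host == "localhost" or "." not in host or host.endswith(NON_PUBLIC_SUFFIXES):
        return f"non-public hostname {host!r}"
    for a in (resolver(host) if resolver else []):  # resolver errors propagate: callers deny on exception
        reason = _ip_reason(ipaddress.ip_address(a))
        if reason:
            return f"{host!r} resolves to {a} ({reason})"
    return None

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" \d{3}')  # combined log format

def scan_access_log(lines):
    """(client, url parameter, reason) for each pictureproxy.php request whose url parameter
    names a non-public target. Static checks only: the detector never resolves names."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group(2).partition("?")
        if path.rsplit("/", 1)[-1] != "pictureproxy.php":
            continue
        for candidate in parse_qs(query).get("url", []):  # parse_qs percent-decodes the value
            reason = classify_target(candidate)
            if reason:
                hits.append((m.group(1), candidate, reason))
    return hits

# Constructed log: one legitimate image fetch, three SSRF probes, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Apr/2024:10:02:11 +0000] "GET /pictureproxy.php?url=https%3A%2F%2Fimg.example.com%2Fa.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Apr/2024:10:02:15 +0000] "GET /pictureproxy.php?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 311 "-" "curl/8.4.0"',
    '198.51.100.23 - - [27/Apr/2024:10:03:40 +0000] "GET /pictureproxy.php?url=http%3A%2F%2F2130706433%3A6379%2F HTTP/1.1" 502 0 "-" "python-requests/2.31"',
    '198.51.100.23 - - [27/Apr/2024:10:03:41 +0000] "GET /pictureproxy.php?url=http%3A%2F%2Fredis.internal%3A6379%2F HTTP/1.1" 502 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [27/Apr/2024:10:04:02 +0000] "GET /index.html HTTP/1.1" 200 1290 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, url, why in scan_access_log(SAMPLE_LOG):
        print(f"{client} {url} -> {why}")
```

Used as a guard, resolve at check time and then connect to the resolved address rather than letting the HTTP client resolve again, otherwise a rebinding name passes the check and the fetch still lands on an internal host; validate every redirect hop the same way. The detector deliberately does no DNS, so a public-looking name that resolves to 10.0.0.5 is only caught by the guard, which is why both are built on the one classifier.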
CVSS provenance
- NVD, CVSS v3.1: 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
- VulnCheck: 5.8 MEDIUM
GHSA
GHSA-xm2p-hxq8-xj3q: A Server-Side Request Forgery (SSRF) in pictureproxy
GHSA (unreviewed) · 2024-03-05 · CVE-2024-27564 · MEDIUM · CWE-918
A Server-Side Request Forgery (SSRF) in pictureproxy.php of ChatGPT commit f9f4bbc allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the url parameter.
VulnCheck
ChatGPT pictureproxy.php Server-Side Request Forgery (SSRF)
VulnCheck · 2024 · CVE-2024-27564 · MEDIUM · CVSS 5.8
A Server-Side Request Forgery (SSRF) in pictureproxy.php of ChatGPT commit f9f4bbc allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the url parameter.
Affected: ChatGPT (vendor) / ChatGPT (product)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation references (Shadowserver honeypot sightings):
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-27&host_type=src&vulnerability=cve-2024-27564
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-05-08&host_type=src&vulnerability=cve-2024-27564
- https://dashboard.shadowserver.org/statistics/honeypot/vul
No detection rules found.
No public exploits indexed.
References
- https://github.com/dirk1983/chatgpt/issues/114
- https://web.archive.org/save/https://github.com/dirk1983/chatgpt/blob/f9f4bbc99eed7210b291ec116bd57b3d8276bee5/README.md
- https://web.archive.org/save/https://github.com/dirk1983/chatgpt/issues/114
- https://web.archive.org/web/20250320031248/https://mm1.ltd/
- https://web.archive.org/web/20250320032559/https://github.com/dirk1983/chatgpt/blob/f9f4bbc99eed7210b291ec116bd57b3d8276bee5/pictureproxy.php