An SSRF issue in the PDFMyURL service allows a remote attacker to obtain sensitive information and execute arbitrary code via a POST request in the url parameter
An attacker sends a crafted HTTP POST request to the PDFMyURL service, passing a malicious value in the 'url' parameter. The service, without proper validation, executes the request to the address specified by the attacker, which constitutes a classic SSRF (Server-Side Request Forgery) scenario. This mechanism can be further exploited to execute arbitrary code on the server or access internal infrastructure resources.
An attacker can gain access to sensitive information processed by the service and execute arbitrary code on the vulnerable server (RCE), which may lead to complete system compromise.
Apply patches available from the vendor according to references. As a temporary measure, it is recommended to restrict access to the service and monitor requests directed to the 'url' parameter for attempts to access internal network resources.
PDFMyURL service — versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H