CVE-2023-46945
Server-Side Request Forgery in QD 20230821 Allows Unauthorized Access
Publication date: 2026-04-08
Last updated on: 2026-04-14
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qd-today | qd | From 20220208 (inclusive) to 20230821 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2023-46945 is a Server-Side Request Forgery (SSRF) vulnerability in the QD product versions from QD-20220208 up to QD-20230821. It occurs in QD's OCR (Optical Character Recognition) function, where an attacker can manipulate the URL of the verification code image. This manipulation causes the server to send unauthorized external requests.
How can this vulnerability impact me?
Exploiting this SSRF vulnerability allows an attacker to make the vulnerable server initiate requests to internal resources. This can potentially enable the attacker to access or interact with internal systems that are normally inaccessible from outside, leading to unauthorized information disclosure or further attacks within the internal network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
CVE-2023-46945 is a Server-Side Request Forgery (SSRF) vulnerability in the QD product's OCR function, where an attacker manipulates the URL of the verification code image to make the server send unauthorized external requests.
To detect this vulnerability on your network or system, you can monitor for unusual outbound HTTP requests originating from the QD server, especially requests to internal or unexpected external resources that are triggered by the OCR verification code URL.
The referenced resources do not provide specific commands, but the usual detection approach is to capture and analyze HTTP traffic from the QD server and look for requests to unusual destinations, for example with tcpdump or Wireshark. Note that HTTPS payloads are encrypted, so for port 443 the useful signal is the destination address rather than the request content.
- Use tcpdump on the QD server to capture HTTP/HTTPS traffic: tcpdump -i <interface> 'tcp port 80 or 443'
- Analyze logs for unexpected outbound requests from the QD server to internal IPs or unknown external URLs.
- Review application logs related to the OCR verification code URL handling for suspicious URL manipulations.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for CVE-2023-46945 involve preventing the exploitation of the SSRF vulnerability in the QD OCR function.
- Restrict or validate the URLs used in the OCR verification code function to prevent attackers from specifying arbitrary URLs.
- Implement network-level controls such as firewall rules to block unauthorized outbound requests from the QD server to internal or sensitive resources.
- Monitor and audit outbound traffic from the QD server to detect and block suspicious requests.
- Apply any available patches or updates from the QD project that address this vulnerability once released.
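The first mitigation step above is URL validation: the OCR function should only fetch verification-code images from hosts that resolve exclusively to public addresses. The following Python is an added example, not QD's own code; SAMPLE_DNS and sample_resolver are constructed data so it runs offline, while resolve_host performs the real system-DNS lookup.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed sample DNS data so the example runs offline; use resolve_host() for real lookups.
SAMPLE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],               # internal-only host
    "dual.example": ["1.1.1.1", "192.168.1.1"],  # one public and one private record
}

def sample_resolver(hostname):
    return [ipaddress.ip_address(a) for a in SAMPLE_DNS.get(hostname, [])]

def resolve_host(hostname):
    """Real resolver: every A/AAAA record the system DNS returns for the host."""
    return [ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(hostname, None)]

def is_disallowed_ip(ip):
    """Address ranges a server-side image fetcher must never contact."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_image_url(url, resolver=resolve_host):
    """Return url if it is safe to fetch server-side, else raise ValueError (every resolved address is checked)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username or parsed.password:
        raise ValueError("credentials in URL are not allowed")
    host = parsed.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        addrs = [ipaddress.ip_address(host)]   # literal IP: no DNS lookup needed
    except ValueError:
        addrs = resolver(host)                 # hostname: check every record it resolves to
    if not addrs:
        raise ValueError(f"{host} does not resolve")
    for ip in addrs:
        if is_disallowed_ip(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return url

def is_safe_image_url(url, resolver=resolve_host):
    try:
        validate_image_url(url, resolver)
        return True
    except ValueError:
        return False
```

Pin the outgoing connection to the address that passed validation, or re-validate at connect time, so a DNS answer that changes between the check and the fetch cannot bypass it.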
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2023-46945 is a Server-Side Request Forgery (SSRF) vulnerability that allows an attacker to manipulate the server into making unauthorized requests to internal resources. This can potentially lead to unauthorized access or interaction with sensitive internal systems.
Such unauthorized access risks could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access. If exploited, this vulnerability might lead to data breaches or exposure of protected information, thereby violating these regulations.