A security flaw has been discovered in moxi159753 Mogu Blog v2 up to 5.2. Impacted is the function LocalFileServiceImpl.uploadPictureByUrl of the file /file/uploadPicsByUrl. The manipulation results in server-side request forgery. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
References
| Link | Resource |
|---|---|
| https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-ssrf-1/report.md | Exploit |
| https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-ssrf-1/report.md#proof-of-concept | Exploit |
| https://vuldb.com/?ctiid.333823 | Permissions Required VDB Entry |
| https://vuldb.com/?id.333823 | Third Party Advisory VDB Entry |
| https://vuldb.com/?submit.692105 | Third Party Advisory VDB Entry |
Configurations
History
03 Dec 2025, 22:02
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:mogublog_project:mogublog:*:*:*:*:*:*:*:* | |
| First Time |
Mogublog Project
Mogublog Project mogublog |
|
| References | () https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-ssrf-1/report.md - Exploit | |
| References | () https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-ssrf-1/report.md#proof-of-concept - Exploit | |
| References | () https://vuldb.com/?ctiid.333823 - Permissions Required, VDB Entry | |
| References | () https://vuldb.com/?id.333823 - Third Party Advisory, VDB Entry | |
| References | () https://vuldb.com/?submit.692105 - Third Party Advisory, VDB Entry |
01 Dec 2025, 08:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-12-01 08:15
Updated : 2025-12-03 22:02
NVD link : CVE-2025-13814
Mitre link : CVE-2025-13814
CVE.ORG link : CVE-2025-13814
JSON object : View
Products Affected
mogublog_project
- mogublog
CWE
CWE-918
Server-Side Request Forgery (SSRF)