Dashboard Application SSRF via Nested iframe in PDF Export Feature (€2000)

We discussed this vulnerability during Episode 241 on 12 February 2024

We have an unnamed dashboard application here that lets users define what gets rendered into a dashboard through JSON blobs: a user supplies a dashboard template as JSON, including an items array listing the objects to render. There is also a feature to export the dashboard as a PDF document, which is handled by a headless browser.

The problem stems from the supported iframe object type, which produces an iframe. These frames could not be pointed directly at internal URLs, because the item URL was required to be https; frames nested inside the framed page, however, were not subject to that restriction. An attacker could render a remote https URL under their control and, on that page, include an iframe pointing at an internal address. When the dashboard was rendered to PDF, the response from the internal address appeared visually in the exported document.

This was used to reach an internal application running on localhost which, among other things, printed the session tokens of active users.