Unauth HTTP SSRF in Nuance AI Training Platform
I submitted another HTTP SSRF in MS services via MSRC recently, this time within an insecure api.php endpoint I found on train.digital.nuance.com.
This was a full HTTP SSRF: it was capable of interacting with internal services and could be used for both GET and POST requests, including sending full GET/POST bodies with arbitrary parameter/value pairs to arbitrary resources.
Bounty? None. A few weeks after submission, MS responded that they had confirmed the bug and were investigating the issue, and asked for any more information I could provide.