Total: 1195 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-1725 | 1 Infoline-tr | 1 Project Management System | 2024-02-28 | N/A | 9.8 CRITICAL | Server-Side Request Forgery (SSRF) vulnerability in Infoline Project Management System allows Server-Side Request Forgery. This issue affects Project Management System: before 4.09.31.125.
CVE-2023-30019 | 1 Evilmartians | 1 Imgproxy | 2024-02-28 | N/A | 5.3 MEDIUM | imgproxy <=3.14.0 is vulnerable to Server-Side Request Forgery (SSRF) due to a lack of sanitization of the imageURL parameter.
CVE-2018-17450 | 1 Gitlab | 1 Gitlab | 2024-02-28 | N/A | 4.3 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is Server-Side Request Forgery (SSRF) via the Kubernetes integration, leading (for example) to disclosure of a GCP service token.
CVE-2023-24243 | 1 Cdata | 1 Arc | 2024-02-28 | N/A | 7.5 HIGH | CData RSB Connect v22.0.8336 was discovered to contain a Server-Side Request Forgery (SSRF).
CVE-2023-25504 | 1 Apache | 1 Superset | 2024-02-28 | N/A | 6.5 MEDIUM | A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed. This vulnerability exists in Apache Superset versions up to and including 2.0.1.
CVE-2022-43183 | 1 Xuxueli | 1 Xxl-job | 2024-02-28 | N/A | 8.8 HIGH | XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java.
CVE-2022-41609 | 1 Wordplus | 1 Better Messages | 2024-02-28 | N/A | 8.8 HIGH | Authenticated (subscriber+) Server-Side Request Forgery (SSRF) vulnerability in Better Messages plugin 1.9.10.68 on WordPress.
CVE-2023-24623 | 1 Paranoidhttp Project | 1 Paranoidhttp | 2024-02-28 | N/A | 7.5 HIGH | Paranoidhttp before 0.3.0 allows SSRF because [::] is equivalent to the 127.0.0.1 address, but does not match the filter for private addresses.
CVE-2022-40842 | 1 Ndk-design | 1 Ndkadvancedcustomizationfields | 2024-02-28 | N/A | 9.1 CRITICAL | ndk design NdkAdvancedCustomizationFields 3.5.0 is vulnerable to Server-Side Request Forgery (SSRF) via rotateimg.php.
CVE-2023-26492 | 1 Monospace | 1 Directus | 2024-02-28 | N/A | 7.5 HIGH | Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0.
CVE-2022-3841 | 1 Redhat | 1 Advanced Cluster Management For Kubernetes | 2024-02-28 | N/A | 7.8 HIGH | RHACM: unauthenticated SSRF in console API endpoint. A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint of Red Hat Advanced Cluster Management for Kubernetes (RHACM). An attacker could take advantage of this because the console API endpoint is missing an authentication check, allowing unauthenticated users to make requests.
CVE-2023-24495 | 1 Tenable | 1 Tenable.sc | 2024-02-28 | N/A | 6.5 MEDIUM | A Server-Side Request Forgery (SSRF) vulnerability exists in Tenable.sc due to improper validation of session and user-accessible input data. A privileged, authenticated remote attacker could interact with external and internal services covertly.
CVE-2022-47635 | 1 Wildix | 1 Wms | 2024-02-28 | N/A | 9.8 CRITICAL | Wildix WMS 6 before 6.02.20221216, WMS 5 before 5.04.20221214, and WMS 4 before 4.04.45396.23 allow Server-Side Request Forgery (SSRF) via ZohoClient.php.
CVE-2022-25026 | 1 Rocketsoftware | 1 Trufusion Enterprise | 2024-02-28 | N/A | 7.5 HIGH | A Server-Side Request Forgery (SSRF) in Rocket TRUfusion Portal v7.9.2.1 allows remote attackers to gain access to sensitive resources on the internal network via a crafted HTTP request to /trufusionPortal/upDwModuleProxy.
CVE-2022-4201 | 1 Gitlab | 1 Gitlab | 2024-02-28 | N/A | 5.3 MEDIUM | A blind SSRF in GitLab CE/EE affecting all versions from 11.3 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 allows an attacker to connect to local addresses when configuring a malicious GitLab Runner.
CVE-2022-23544 | 1 Metersphere | 1 Metersphere | 2024-02-28 | N/A | 6.1 MEDIUM | MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.0 are subject to a Server-Side Request Forgery that leads to Cross-Site Scripting. A Server-Side Request Forgery in `IssueProxyResourceService::getMdImageByUrl` allows an attacker to access internal resources, as well as to execute JavaScript code in the context of MeterSphere's origin against a victim of the reflected XSS. This vulnerability has been fixed in v2.5.0. There are no known workarounds.
CVE-2023-27271 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-02-28 | N/A | 7.5 HIGH | In SAP BusinessObjects Business Intelligence Platform (Web Services) - versions 420, 430, an attacker can control a malicious BOE server, forcing the application server to connect to its own admintools, leading to a high impact on availability.
CVE-2022-38203 | 1 Esri | 1 Portal For Arcgis | 2024-02-28 | N/A | 7.5 HIGH | Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter. This is a different issue than CVE-2022-38211 and CVE-2022-38212.
CVE-2022-46998 | 1 Taogogo | 1 Taocms | 2024-02-28 | N/A | 9.8 CRITICAL | An issue in the website backend of taocms v3.0.2 allows attackers to perform a Server-Side Request Forgery (SSRF).
CVE-2023-20062 | 1 Cisco | 4 Packaged Contact Center Enterprise, Unified Contact Center Enterprise, Unified Contact Center Express and 1 more | 2024-02-28 | N/A | 4.3 MEDIUM | Multiple vulnerabilities in Cisco Unified Intelligence Center could allow an authenticated, remote attacker to collect sensitive information or perform a server-side request forgery (SSRF) attack on an affected system. Cisco plans to release software updates that address these vulnerabilities.
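Two entries above describe the same class of filter mistake from opposite directions: Paranoidhttp (CVE-2023-24623) let `[::]` through because the unspecified address is not in any "private" range even though connecting to it reaches the local host, and Directus (CVE-2023-26492) checked a hostname once and then let the HTTP client resolve it again, so a DNS rebinding answer could swap in an internal address. The block below is an added example written for this page, not code from either project or from any vendor listed here. It shows an SSRF destination guard that unwraps IPv4-mapped IPv6, rejects unspecified/loopback/private/link-local targets (including the 169.254.169.254 cloud-metadata address), resolves a hostname exactly once, refuses mixed answer sets, and returns the single IP the caller must connect to so the name is never re-resolved. The resolver table, the hostnames and the IP addresses are constructed for the demonstration and are not real hosts; `pin_target` and `is_forbidden_address` are names chosen here, not any library's API.

```python
import ipaddress
from typing import Callable, List, Optional
from urllib.parse import urlsplit

# Constructed resolver table standing in for DNS so the example runs offline.
# "rebind.example.com" models a rebinding setup: one answer is public, the
# other points back at the host itself. Real rebinding swaps the answer between
# the check and the connect; pinning the checked address defeats both shapes.
# Addresses are arbitrary constructed values (RFC 5737 test ranges are not used
# because Python's ipaddress reports them as non-global).
FAKE_DNS = {
    "images.example.com": ["23.45.67.89"],
    "internal.example.com": ["10.0.0.5"],
    "rebind.example.com": ["23.45.67.90", "127.0.0.1"],
    "ipv6-loop.example.com": ["::ffff:127.0.0.1"],
}


def fake_resolve(host: str) -> List[str]:
    """Stand-in for getaddrinfo(): every A/AAAA answer for host, or [] if unknown."""
    return FAKE_DNS.get(host, [])


def is_forbidden_address(ip_text: str) -> bool:
    """True if ip_text is an address an SSRF guard must never fetch from.

    Covers the Paranoidhttp-style miss: "::" and "0.0.0.0" are unspecified
    addresses that connect() treats like loopback, and IPv4-mapped IPv6
    ("::ffff:127.0.0.1") is unwrapped so the embedded IPv4 address is judged.
    """
    try:
        ip = ipaddress.ip_address(ip_text.strip("[]"))
    except ValueError:
        return True  # not an IP literal at all: refuse rather than guess
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_unspecified or ip.is_loopback or ip.is_private
            or ip.is_link_local or ip.is_multicast or ip.is_reserved)


def pin_target(url: str,
               resolve: Callable[[str], List[str]] = fake_resolve) -> Optional[str]:
    """Validate url's host and return the one IP to connect to, or None to refuse.

    Resolution happens exactly once, here. The caller must open the socket to
    the returned IP (sending the original hostname in Host/SNI) and must not
    hand the hostname to an HTTP client that would resolve it a second time.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname  # urlsplit strips the [] around IPv6 literals
    try:
        ipaddress.ip_address(host)
        return None if is_forbidden_address(host) else host  # literal IP
    except ValueError:
        pass  # a hostname: fall through to resolution
    answers = resolve(host)
    if not answers:
        return None
    # Every answer must pass. A mixed public/internal set is itself a rebinding
    # signal, so it is rejected rather than picking the public one.
    if any(is_forbidden_address(a) for a in answers):
        return None
    return answers[0]
```

Usage: call `pin_target(user_supplied_url)` before fetching; a `None` result means refuse the request, otherwise connect to the returned IP and keep the original hostname only for the `Host` header and TLS SNI. Note that a guard like this still needs the HTTP client configured not to follow redirects automatically, since a redirect to an internal URL is a second destination that never passed through `pin_target`.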