Total: 1195 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2023-23560 | 1 Lexmark | 256 B2236, B2236 Firmware, B2338 and 253 more | 2024-02-28 | N/A | 9.8 CRITICAL | In certain Lexmark products through 2023-01-12, SSRF can occur because of a lack of input validation. |
CVE-2022-23464 | 1 Nepxion | 1 Discovery | 2024-02-28 | N/A | 7.5 HIGH | Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to a potential Server-Side Request Forgery (SSRF). RouterResourceImpl uses RestTemplate's getForEntity to retrieve the contents of a URL containing user-controlled input, potentially resulting in Information Disclosure. There is no patch available for this issue at time of publication. There are no known workarounds. |
CVE-2022-32457 | 1 Digiwin | 1 Business Process Management | 2024-02-28 | N/A | 5.3 MEDIUM | Digiwin BPM has inadequate filtering for the URL parameter. An unauthenticated remote attacker can perform a Blind SSRF attack to discover internal network topology based on the URL error response. |
CVE-2022-31776 | 1 Ibm | 1 Datapower Gateway | 2024-02-28 | N/A | 8.8 HIGH | IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 228433. |
CVE-2022-36376 | 1 Rankmath | 1 Seo | 2024-02-28 | N/A | 9.8 CRITICAL | Server-Side Request Forgery (SSRF) vulnerability in Rank Math SEO plugin <= 1.0.95 at WordPress. |
CVE-2022-40296 | 1 Phppointofsale | 1 Php Point Of Sale | 2024-02-28 | N/A | 9.8 CRITICAL | The application was vulnerable to Server-Side Request Forgery attacks, allowing the backend server to interact with unexpected endpoints, potentially including internal and local services, leading to attacks on other downstream systems. |
CVE-2022-38298 | 1 Appsmith | 1 Appsmith | 2024-02-28 | N/A | 8.8 HIGH | Appsmith v1.7.11 was discovered to allow attackers to execute an authenticated Server-Side Request Forgery (SSRF) via redirecting incoming requests to the AWS internal metadata endpoint. |
CVE-2022-20951 | 1 Cisco | 1 Broadworks Messaging Server | 2024-02-28 | N/A | 6.5 MEDIUM | A vulnerability in the web-based management interface of the Cisco BroadWorks CommPilot application could allow an authenticated, remote attacker to perform a server-side request forgery (SSRF) attack on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web interface. A successful exploit could allow the attacker to obtain confidential information from the BroadWorks server and other devices on the network. |
CVE-2022-30579 | 1 Tibco | 2 Spotfire Analytics Platform, Spotfire Server | 2024-02-28 | N/A | 8.4 HIGH | The Web Player component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a difficult-to-exploit vulnerability that allows a low-privileged attacker with network access to execute blind Server Side Request Forgery (SSRF) on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace: version 12.0.0 and TIBCO Spotfire Server: version 12.0.0. |
CVE-2022-2900 | 1 Parse-url Project | 1 Parse-url | 2024-02-28 | N/A | 9.1 CRITICAL | Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0. |
CVE-2022-31132 | 1 Nextcloud | 1 Mail | 2024-02-28 | N/A | 9.8 CRITICAL | Nextcloud Mail is an email application for the Nextcloud personal cloud product. Affected versions shipped with a CSS minifier on the path `./vendor/cerdic/css-tidy/css_optimiser.php`. Access to the minifier is unrestricted and may lead to Server-Side Request Forgery (SSRF). It is recommended to upgrade to Mail 1.12.7 or Mail 1.13.6. Users unable to upgrade may manually delete the file located at `./vendor/cerdic/css-tidy/css_optimiser.php`. |
CVE-2022-2267 | 1 Mailchimp | 1 Mailchimp For Woocommerce | 2024-02-28 | N/A | 4.3 MEDIUM | The Mailchimp for WooCommerce WordPress plugin before 2.7.1 has an AJAX action that allows any logged-in user (such as a subscriber) to perform a POST request on behalf of the server to the internal network/LAN. The body of the request is also appended to the response, so it can be used to scan the private network, for example. |
CVE-2022-22982 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2024-02-28 | N/A | 7.5 HIGH | The vCenter Server contains a server-side request forgery (SSRF) vulnerability. A malicious actor with network access to 443 on the vCenter Server may exploit this issue by accessing a URL request outside of vCenter Server or accessing an internal service. |
CVE-2022-42494 | 1 Aioseo | 1 All In One Seo | 2024-02-28 | N/A | 6.5 MEDIUM | Server Side Request Forgery (SSRF) vulnerability in All in One SEO Pro plugin <= 4.2.5.1 on WordPress. |
CVE-2022-27622 | 1 Synology | 1 Diskstation Manager | 2024-02-28 | N/A | 4.3 MEDIUM | Server-Side Request Forgery (SSRF) vulnerability in Package Center functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote authenticated users to access intranet resources via unspecified vectors. |
CVE-2021-27693 | 1 Publiccms | 1 Publiccms | 2024-02-28 | N/A | 9.8 CRITICAL | Server-side Request Forgery (SSRF) vulnerability in PublicCMS before 4.0.202011.b via /publiccms/admin/ueditor when the action is catchimage. |
CVE-2022-2912 | 1 Craw-data Project | 1 Craw-data | 2024-02-28 | N/A | 4.3 MEDIUM | The Craw Data WordPress plugin through 1.0.0 does not implement nonce checks, which could allow attackers to make a logged-in admin change the URL value, performing unwanted crawls on third-party sites (SSRF). |
CVE-2021-43959 | 1 Atlassian | 2 Jira Service Desk, Jira Service Management | 2024-02-28 | N/A | 5.7 MEDIUM | Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability in the CSV importing feature of JSM Insight. When running in an environment like Amazon EC2, this flaw may be used to access a metadata resource that provides access credentials and other potentially confidential information. The affected versions are before version 4.13.20, from version 4.14.0 before 4.20.8, and from version 4.21.0 before 4.22.2. |
CVE-2022-38292 | 1 Slims | 1 Senayan Library Management System | 2024-02-28 | N/A | 9.8 CRITICAL | SLiMS Senayan Library Management System v9.4.2 was discovered to contain multiple Server-Side Request Forgeries via the components /bibliography/marcsru.php and /bibliography/z3950sru.php. |
CVE-2022-41477 | 1 Webidsupport | 1 Webid | 2024-02-28 | N/A | 9.1 CRITICAL | A security issue was discovered in WeBid <=1.2.2. A Server-Side Request Forgery (SSRF) vulnerability in the admin/theme.php file allows remote attackers to inject payloads via theme parameters to read files across directories. |