Total
1195 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-29153 | 2 Fedoraproject, Hashicorp | 2 Fedora, Consul | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5. | |||||
CVE-2022-24789 | 1 Orckestra | 1 C1 Cms | 2024-02-28 | 6.5 MEDIUM | 7.6 HIGH |
C1 CMS is an open-source, .NET based Content Management System (CMS). Versions prior to 6.12 allow an authenticated user to exploit Server Side Request Forgery (SSRF) by causing the server to make arbitrary GET requests to other servers in the local network or on localhost. The attacker may also truncate arbitrary files to zero size (effectively delete them) leading to denial of service (DoS) or altering application logic. The authenticated user may unknowingly perform the actions by visiting a specially crafted site. Patched in C1 CMS v6.12, no known workarounds exist. | |||||
CVE-2022-34013 | 1 Zhyd | 1 Oneblog | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Logo parameter under the Link module. | |||||
CVE-2022-0136 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.5 MEDIUM | 8.1 HIGH |
A vulnerability was discovered in GitLab versions 10.5 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1. GitLab was vulnerable to a blind SSRF attack through the Project Import feature. | |||||
CVE-2022-29188 | 1 Stripe | 1 Smokescreen | 2024-02-28 | 6.4 MEDIUM | 6.5 MEDIUM |
Smokescreen is an HTTP proxy. The primary use case for Smokescreen is to prevent server-side request forgery (SSRF) attacks in which external attackers leverage the behavior of applications to connect to or scan internal infrastructure. Smokescreen also offers an option to deny access to additional (e.g., external) URLs by way of a deny list. There was an issue in Smokescreen that made it possible to bypass the deny list feature by surrounding the hostname with square brackets (e.g. `[example.com]`). This only impacted the HTTP proxy functionality of Smokescreen. HTTPS requests were not impacted. Smokescreen version 0.0.4 contains a patch for this issue. | |||||
CVE-2021-36203 | 1 Johnsoncontrols | 1 Metasys System Configuration Tool | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
The affected product may allow an attacker to identify and forge requests to internal systems by way of a specially crafted request. | |||||
CVE-2022-28616 | 1 Hp | 1 Oneview | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
A remote server-side request forgery (ssrf) vulnerability was discovered in HPE OneView version(s): Prior to 7.0. HPE has provided a software update to resolve this vulnerability in HPE OneView. | |||||
CVE-2022-31393 | 1 Jizhicms | 1 Jizhicms | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Index function in app/admin/c/PluginsController.php. | |||||
CVE-2022-0766 | 1 Calibre-web Project | 1 Calibre-web | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17. | |||||
CVE-2022-31390 | 1 Jizhicms | 1 Jizhicms | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Update function in app/admin/c/TemplateController.php. | |||||
CVE-2021-33581 | 1 Softwareag | 1 Mashzone Nextgen | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
MashZone NextGen through 10.7 GA has an SSRF vulnerability that allows an attacker to interact with arbitrary TCP services, by abusing the feature to check the availability of a PPM connection. This occurs in com.idsscheer.ppmmashup.web.webservice.impl.ZPrestoAdminWebService. | |||||
CVE-2022-23644 | 1 Joinbookwyrm | 1 Bookwyrm | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
BookWyrm is a decentralized social network for tracking reading habits and reviewing books. The functionality to load a cover via url is vulnerable to a server-side request forgery attack. Any BookWyrm instance running a version prior to v0.3.0 is susceptible to attack from a logged-in user. The problem has been patched and administrators should upgrade to version 0.3.0 As a workaround, BookWyrm instances can close registration and limit members to trusted individuals. | |||||
CVE-2022-28090 | 1 Ujcms | 1 Jspxcms | 2024-02-28 | 6.4 MEDIUM | 6.5 MEDIUM |
Jspxcms v10.2.0 allows attackers to execute a Server-Side Request Forgery (SSRF) via /cmscp/ext/collect/fetch_url.do?url=. | |||||
CVE-2017-20106 | 1 Khoros | 1 Lithium Forum | 2024-02-28 | 3.6 LOW | 4.4 MEDIUM |
A vulnerability, which was classified as critical, has been found in Lithium Forum 2017 Q1. This issue affects some unknown processing of the component Compose Message Handler. The manipulation of the argument upload_url leads to server-side request forgery. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. | |||||
CVE-2022-1191 | 1 Livehelperchat | 1 Live Helper Chat | 2024-02-28 | 5.5 MEDIUM | 8.1 HIGH |
SSRF on index.php/cobrowse/proxycss/ in GitHub repository livehelperchat/livehelperchat prior to 3.96. | |||||
CVE-2022-30049 | 1 Ruifang-tech | 1 Rebuild | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
A Server-Side Request Forgery (SSRF) in Rebuild v2.8.3 allows attackers to obtain the real IP address and scan Intranet information via the fileurl parameter. | |||||
CVE-2022-29612 | 1 Sap | 2 Host Agent, Netweaver Abap | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
SAP NetWeaver, ABAP Platform and SAP Host Agent - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, 8.04, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, 8.04, SAPHOSTAGENT 7.22, allows an authenticated user to misuse a function of sapcontrol webfunctionality(startservice) in Kernel which enables malicious users to retrieve information. On successful exploitation, an attacker can obtain technical information like system number or physical address, which is otherwise restricted, causing a limited impact on the confidentiality of the application. | |||||
CVE-2022-28117 | 1 Naviwebs | 1 Navigate Cms | 2024-02-28 | 4.0 MEDIUM | 4.9 MEDIUM |
A Server-Side Request Forgery (SSRF) in feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter. | |||||
CVE-2022-31830 | 1 Baidu | 1 Kity Minder | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
Kity Minder v1.3.5 was discovered to contain a Server-Side Request Forgery (SSRF) via the init function at ImageCapture.class.php. | |||||
CVE-2022-31386 | 1 Nbnbk Project | 1 Nbnbk | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
A Server-Side Request Forgery (SSRF) in the getFileBinary function of nbnbk cms 3 allows attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the URL parameter. |