Total
1256 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27693 | 1 Publiccms | 1 Publiccms | 2024-11-21 | N/A | 9.8 CRITICAL |
| Server-side Request Forgery (SSRF) vulnerability in PublicCMS before 4.0.202011.b via /publiccms/admin/ueditor when the action is catchimage. | |||||
| CVE-2021-27670 | 1 Appspace | 1 Appspace | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Appspace 6.2.4 allows SSRF via the api/v1/core/proxy/jsonprequest url parameter. | |||||
| CVE-2021-27329 | 1 Frendi | 1 Frendica | 2024-11-21 | 10.0 HIGH | 10.0 CRITICAL |
| Friendica 2021.01 allows SSRF via parse_url?binurl= for DNS lookups or HTTP requests to arbitrary domain names. | |||||
| CVE-2021-27312 | 2024-11-21 | N/A | 9.4 CRITICAL | ||
| Server Side Request Forgery (SSRF) vulnerability in Gleez Cms 1.2.0, allows remote attackers to execute arbitrary code and obtain sensitive information via modules/gleez/classes/request.php. | |||||
| CVE-2021-27214 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905. | |||||
| CVE-2021-27103 | 1 Accellion | 1 Fta | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat.html. The fixed version is FTA_9_12_416 and later. | |||||
| CVE-2021-26855 | 1 Microsoft | 1 Exchange Server | 2024-11-21 | 7.5 HIGH | 9.1 CRITICAL |
| Microsoft Exchange Server Remote Code Execution Vulnerability | |||||
| CVE-2021-26715 | 1 Mitreid | 1 Connect | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| The OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Server Side Request Forgery (SSRF) vulnerability. The vulnerability arises due to unsafe usage of the logo_uri parameter in the Dynamic Client Registration request. An unauthenticated attacker can make a HTTP request from the vulnerable server to any address in the internal network and obtain its response (which might, for example, have a JavaScript payload for resultant XSS). The issue can be exploited to bypass network boundaries, obtain sensitive data, or attack other hosts in the internal network. | |||||
| CVE-2021-26699 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
| OX App Suite before 7.10.3-rev4 and 7.10.4 before 7.10.4-rev4 allows SSRF via a shared SVG document that is mishandled by the imageconverter component when the .png extension is used. | |||||
| CVE-2021-26072 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The WidgetConnector plugin in Confluence Server and Confluence Data Center before version 5.8.6 allowed remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability. | |||||
| CVE-2021-25972 | 1 Tuzitio | 1 Camaleon Cms | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| In Camaleon CMS, versions 2.1.2.0 to 2.6.0, are vulnerable to Server-Side Request Forgery (SSRF) in the media upload feature, which allows admin users to fetch media files from external URLs but fails to validate URLs referencing to localhost or other internal servers. This allows attackers to read files stored in the internal server. | |||||
| CVE-2021-25939 | 1 Arangodb | 1 Arangodb | 2024-11-21 | 4.0 MEDIUM | 2.7 LOW |
| In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature which allows downloading a Foxx service from a publicly available URL. This feature does not enforce proper filtering of requests performed internally, which can be abused by a highly-privileged attacker to perform blind SSRF and send internal requests to localhost. | |||||
| CVE-2021-25640 | 1 Apache | 1 Dubbo | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability. | |||||
| CVE-2021-25241 | 2 Microsoft, Trendmicro | 3 Windows, Apex One, Worry-free Business Security | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A server-side request forgery (SSRF) information disclosure vulnerability in Trend Micro Apex One and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to locate online agents via a sweep. | |||||
| CVE-2021-25236 | 2 Microsoft, Trendmicro | 3 Windows, Officescan, Worry-free Business Security | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A server-side request forgery (SSRF) information disclosure vulnerability in Trend Micro OfficeScan XG SP1 and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to locate online agents via a specific sweep. | |||||
| CVE-2021-24472 | 1 Qantumthemes | 2 Kentharadio, Onair2 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The OnAir2 WordPress theme before 3.9.9.2 and QT KenthaRadio WordPress plugin before 2.0.2 have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this would allow for SSRF (Server Side Request Forgery) and RFI (Remote File Inclusion) vulnerabilities on the website. | |||||
| CVE-2021-24371 | 1 Carrcommunications | 1 Rsvpmaker | 2024-11-21 | 4.0 MEDIUM | 2.7 LOW |
| The Import feature of the RSVPMaker WordPress plugin before 8.7.3 (/wp-admin/tools.php?page=rsvpmaker_export_screen) takes an URL input and calls curl on it, without first validating it to ensure it's a remote one. As a result, a high privilege user could use that feature to scan the internal network via a SSRF attack. | |||||
| CVE-2021-24150 | 1 Likebtn-like-button Project | 1 Likebtn-like-button | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The LikeBtn WordPress Like Button Rating ? LikeBtn WordPress plugin before 2.6.32 was vulnerable to Unauthenticated Full-Read Server-Side Request Forgery (SSRF). | |||||
| CVE-2021-23927 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 5.5 MEDIUM | 6.4 MEDIUM |
| OX App Suite through 7.10.4 allows SSRF via a URL with an @ character in an appsuite/api/oauth/proxy PUT request. | |||||
| CVE-2021-23718 | 1 Ssrf-agent Project | 1 Ssrf-agent | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
| The package ssrf-agent before 1.0.5 are vulnerable to Server-side Request Forgery (SSRF) via the defaultIpChecker function. It fails to properly validate if the IP requested is private. | |||||