Total
1195 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-21349 | 4 Debian, Fedoraproject, Oracle and 1 more | 14 Debian Linux, Fedora, Banking Enterprise Default Management and 11 more | 2024-02-28 | 5.0 MEDIUM | 8.6 HIGH |
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
CVE-2020-15822 | 1 Jetbrains | 1 Youtrack | 2024-02-28 | 7.5 HIGH | 7.3 HIGH |
In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped. | |||||
CVE-2021-3204 | 1 Webware | 1 Webdesktop | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
SSRF in the document conversion component of Webware Webdesktop 5.1.15 allows an attacker to read all files from the server. | |||||
CVE-2021-21342 | 4 Debian, Fedoraproject, Oracle and 1 more | 12 Debian Linux, Fedora, Banking Enterprise Default Management and 9 more | 2024-02-28 | 5.8 MEDIUM | 9.1 CRITICAL |
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
CVE-2021-22178 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 5.0 MEDIUM |
An issue has been discovered in GitLab affecting all versions starting from 13.2. Gitlab was vulnerable to SRRF attack through the Prometheus integration. | |||||
CVE-2020-12529 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2 There is a SSRF in the LDAP access check, allowing an attacker to scan for open ports. | |||||
CVE-2021-21009 | 3 Adobe, Linux, Microsoft | 3 Campaign Classic, Linux Kernel, Windows | 2024-02-28 | 5.0 MEDIUM | 8.6 HIGH |
Adobe Campaign Classic Gold Standard 10 (and earlier), 20.3.1 (and earlier), 20.2.3 (and earlier), 20.1.3 (and earlier), 19.2.3 (and earlier) and 19.1.7 (and earlier) are affected by a server-side request forgery (SSRF) vulnerability. Successful exploitation could allow an attacker to use the Campaign instance to issue unauthorized requests to internal or external resources. | |||||
CVE-2020-36200 | 1 Kaspersky | 1 Tinycheck | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
TinyCheck before commits 9fd360d and ea53de8 allowed an authenticated attacker to send an HTTP GET request to the crafted URLs. | |||||
CVE-2019-17566 | 2 Apache, Oracle | 18 Batik, Api Gateway, Business Intelligence and 15 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. | |||||
CVE-2020-35561 | 2 Helmholz, Mbconnectline | 4 Myrex24, Myrex24.virtual, Mbconnect24 and 1 more | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2. There is an SSRF in the HA module allowing an unauthenticated attacker to scan for open ports. | |||||
CVE-2020-27624 | 1 Jetbrains | 1 Youtrack | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
JetBrains YouTrack before 2020.3.888 was vulnerable to SSRF. | |||||
CVE-2020-26032 | 1 Zammad | 1 Zammad | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
An SSRF issue was discovered in Zammad before 3.4.1. The SMS configuration interface for Massenversand is implemented in a way that renders the result of a test request to the User. An attacker can use this to request any URL via a GET request from the network interface of the server. This may lead to disclosure of information from intranet systems. | |||||
CVE-2020-5014 | 1 Ibm | 1 Datapower Gateway | 2024-02-28 | 4.6 MEDIUM | 6.7 MEDIUM |
IBM DataPower Gateway V10 and V2018 could allow a local attacker with administrative privileges to execute arbitrary code on the system using a server-side requesr forgery attack. IBM X-Force ID: 193247. | |||||
CVE-2020-7328 | 1 Mcafee | 1 Mvision Endpoint | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
External entity attack vulnerability in the ePO extension in McAfee MVISION Endpoint prior to 20.11 allows remote attackers to gain control of a resource or trigger arbitrary code execution via improper input validation of an HTTP request, where the content for the attack has been loaded into ePO by an ePO administrator. | |||||
CVE-2019-14476 | 1 Adremsoft | 1 Netcrunch | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
AdRem NetCrunch 10.6.0.4587 has a Server-Side Request Forgery (SSRF) vulnerability in the NetCrunch server. Every user can trick the server into performing SMB requests to other systems. | |||||
CVE-2020-24444 | 1 Adobe | 1 Experience Manager Forms Add-on | 2024-02-28 | 5.0 MEDIUM | 5.8 MEDIUM |
AEM Forms SP6 add-on for AEM 6.5.6.0 and Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) have a blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability could be exploited by an unauthenticated attacker to gather information about internal systems that reside on the same network. | |||||
CVE-2021-21311 | 2 Adminer, Debian | 2 Adminer, Debian Linux | 2024-02-28 | 6.4 MEDIUM | 7.2 HIGH |
Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9. | |||||
CVE-2020-15594 | 1 Zohocorp | 1 Application Control Plus | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. The mail gateway configuration feature allows an attacker to perform a scan in order to discover open ports on a machine as well as available machines on the network segment on which the instance of the product is deployed. | |||||
CVE-2020-24641 | 1 Arubanetworks | 1 Airwave Glass | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
In Aruba AirWave Glass before 1.3.3, there is a Server-Side Request Forgery vulnerability through an unauthenticated endpoint that if successfully exploited can result in disclosure of sensitive information. This can be used to perform an authentication bypass and ultimately gain administrative access on the web administrative interface. | |||||
CVE-2021-1272 | 1 Cisco | 1 Data Center Network Manager | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
A vulnerability in the session validation feature of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass access controls and conduct a server-side request forgery (SSRF) attack on a targeted system. This vulnerability is due to insufficient validation of parameters in a specific HTTP request by an attacker. An attacker could exploit this vulnerability by sending a crafted HTTP request to an authenticated user of the DCNM web application. A successful exploit could allow the attacker to bypass access controls and gain unauthorized access to the Device Manager application, which provides access to network devices managed by the system. |