Total
1241 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-23927 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-02-28 | 5.5 MEDIUM | 6.4 MEDIUM |
| OX App Suite through 7.10.4 allows SSRF via a URL with an @ character in an appsuite/api/oauth/proxy PUT request. | |||||
| CVE-2021-21973 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). | |||||
| CVE-2021-27329 | 1 Frendi | 1 Frendica | 2024-02-28 | 10.0 HIGH | 10.0 CRITICAL |
| Friendica 2021.01 allows SSRF via parse_url?binurl= for DNS lookups or HTTP requests to arbitrary domain names. | |||||
| CVE-2020-15297 | 1 Bitdefender | 1 Update Server | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
| Insufficient validation in the Bitdefender Update Server and BEST Relay components of Bitdefender Endpoint Security Tools versions prior to 6.6.20.294 allows an unprivileged attacker to bypass the in-place mitigations and interact with hosts on the network. This issue affects: Bitdefender Update Server versions prior to 6.6.20.294. | |||||
| CVE-2020-27626 | 1 Jetbrains | 1 Youtrack | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| JetBrains YouTrack before 2020.3.5333 was vulnerable to SSRF. | |||||
| CVE-2020-10770 | 1 Redhat | 1 Keycloak | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack. | |||||
| CVE-2021-21349 | 4 Debian, Fedoraproject, Oracle and 1 more | 14 Debian Linux, Fedora, Banking Enterprise Default Management and 11 more | 2024-02-28 | 5.0 MEDIUM | 8.6 HIGH |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2020-15822 | 1 Jetbrains | 1 Youtrack | 2024-02-28 | 7.5 HIGH | 7.3 HIGH |
| In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped. | |||||
| CVE-2021-3204 | 1 Webware | 1 Webdesktop | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| SSRF in the document conversion component of Webware Webdesktop 5.1.15 allows an attacker to read all files from the server. | |||||
| CVE-2021-21342 | 4 Debian, Fedoraproject, Oracle and 1 more | 12 Debian Linux, Fedora, Banking Enterprise Default Management and 9 more | 2024-02-28 | 5.8 MEDIUM | 9.1 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2021-22178 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 5.0 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 13.2. Gitlab was vulnerable to SRRF attack through the Prometheus integration. | |||||
| CVE-2020-12529 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2 There is a SSRF in the LDAP access check, allowing an attacker to scan for open ports. | |||||
| CVE-2021-21009 | 3 Adobe, Linux, Microsoft | 3 Campaign Classic, Linux Kernel, Windows | 2024-02-28 | 5.0 MEDIUM | 8.6 HIGH |
| Adobe Campaign Classic Gold Standard 10 (and earlier), 20.3.1 (and earlier), 20.2.3 (and earlier), 20.1.3 (and earlier), 19.2.3 (and earlier) and 19.1.7 (and earlier) are affected by a server-side request forgery (SSRF) vulnerability. Successful exploitation could allow an attacker to use the Campaign instance to issue unauthorized requests to internal or external resources. | |||||
| CVE-2020-36200 | 1 Kaspersky | 1 Tinycheck | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| TinyCheck before commits 9fd360d and ea53de8 allowed an authenticated attacker to send an HTTP GET request to the crafted URLs. | |||||
| CVE-2019-17566 | 2 Apache, Oracle | 18 Batik, Api Gateway, Business Intelligence and 15 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. | |||||
| CVE-2020-35561 | 2 Helmholz, Mbconnectline | 4 Myrex24, Myrex24.virtual, Mbconnect24 and 1 more | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2. There is an SSRF in the HA module allowing an unauthenticated attacker to scan for open ports. | |||||
| CVE-2020-27624 | 1 Jetbrains | 1 Youtrack | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| JetBrains YouTrack before 2020.3.888 was vulnerable to SSRF. | |||||
| CVE-2020-26032 | 1 Zammad | 1 Zammad | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| An SSRF issue was discovered in Zammad before 3.4.1. The SMS configuration interface for Massenversand is implemented in a way that renders the result of a test request to the User. An attacker can use this to request any URL via a GET request from the network interface of the server. This may lead to disclosure of information from intranet systems. | |||||
| CVE-2020-5014 | 1 Ibm | 1 Datapower Gateway | 2024-02-28 | 4.6 MEDIUM | 6.7 MEDIUM |
| IBM DataPower Gateway V10 and V2018 could allow a local attacker with administrative privileges to execute arbitrary code on the system using a server-side requesr forgery attack. IBM X-Force ID: 193247. | |||||
| CVE-2020-7328 | 1 Mcafee | 1 Mvision Endpoint | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
| External entity attack vulnerability in the ePO extension in McAfee MVISION Endpoint prior to 20.11 allows remote attackers to gain control of a resource or trigger arbitrary code execution via improper input validation of an HTTP request, where the content for the attack has been loaded into ePO by an ePO administrator. | |||||