Total
1195 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-7911 | 1 Magento | 1 Magento | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
| A server-side request forgery (SSRF) vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to the admin panel to manipulate system configuration and execute arbitrary code. | |||||
| CVE-2019-9187 | 1 Ikiwiki | 1 Ikiwiki | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| ikiwiki before 3.20170111.1 and 3.2018x and 3.2019x before 3.20190228 allows SSRF via the aggregate plugin. The impact also includes reading local files via file: URIs. | |||||
| CVE-2018-19495 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is an SSRF vulnerability in the Prometheus integration. | |||||
| CVE-2019-6837 | 1 Schneider-electric | 8 Meg6260-0410, Meg6260-0410 Firmware, Meg6260-0415 and 5 more | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
| A Server-Side Request Forgery (SSRF): CWE-918 vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could cause server configuration data to be exposed when an attacker modifies a URL. | |||||
| CVE-2018-19571 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 7.7 HIGH |
| GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks. | |||||
| CVE-2019-10686 | 1 Ctrip | 1 Apollo | 2024-02-28 | 7.5 HIGH | 10.0 CRITICAL |
| An SSRF vulnerability was found in an API from Ctrip Apollo through 1.4.0-SNAPSHOT. An attacker may use it to do an intranet port scan or raise a GET request via /system-info/health because the %23 substring is mishandled. | |||||
| CVE-2019-3809 | 1 Moodle | 1 Moodle | 2024-02-28 | 7.5 HIGH | 10.0 CRITICAL |
| A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page. | |||||
| CVE-2019-12852 | 1 Jetbrains | 1 Youtrack | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| An SSRF attack was possible on a JetBrains YouTrack server. The issue (1 of 2) was fixed in JetBrains YouTrack 2018.4.49168. | |||||
| CVE-2019-9621 | 1 Zimbra | 1 Collaboration Server | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component. | |||||
| CVE-2019-14704 | 1 Microdigital | 6 Mdc-n2190v, Mdc-n2190v Firmware, Mdc-n4090 and 3 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| An SSRF issue was discovered in HTTPD on MicroDigital N-series cameras with firmware through 6400.0.8.5 via FTP commands following a newline character in the uploadfile field. | |||||
| CVE-2016-10927 | 1 Neliosoftware | 1 Nelio Ab Testing | 2024-02-28 | 6.4 MEDIUM | 10.0 CRITICAL |
| The nelio-ab-testing plugin before 4.5.11 for WordPress has SSRF in ajax/iesupport.php. | |||||
| CVE-2019-11066 | 1 Lightopenid Project | 1 Lightopenid | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| openid.php in LightOpenID through 1.3.1 allows SSRF via a crafted OpenID 2.0 assertion request using the HTTP GET method. | |||||
| CVE-2019-12153 | 1 Realobjects | 1 Pdfreactor | 2024-02-28 | 6.4 MEDIUM | 10.0 CRITICAL |
| Lack of validation in the HTML parser in RealObjects PDFreactor before 10.1.10722 leads to SSRF, allowing attackers to access network or file resources on behalf of the server by supplying malicious HTML content. | |||||
| CVE-2017-13667 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-02-28 | 6.5 MEDIUM | 9.9 CRITICAL |
| OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: SSRF. | |||||
| CVE-2019-7913 | 1 Magento | 1 Magento | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
| A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to manipulate shipment methods to execute arbitrary code. | |||||
| CVE-2019-6981 | 1 Synacor | 1 Zimbra Collaboration Suite | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| Zimbra Collaboration Suite 8.7.x through 8.8.11 allows Blind SSRF in the Feed component. | |||||
| CVE-2019-12161 | 1 Webpagetest | 1 Webpagetest | 2024-02-28 | 4.0 MEDIUM | 8.8 HIGH |
| WPO WebPageTest 19.04 allows SSRF because ValidateURL in www/runtest.php does not consider octal encoding of IP addresses (such as 0300.0250 as a replacement for 192.168). | |||||
| CVE-2019-12633 | 1 Cisco | 1 Unified Contact Center Express | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to bypass access controls and conduct a server-side request forgery (SSRF) attack on a targeted system. The vulnerability is due to improper validation of user-supplied input on the affected system. An attacker could exploit this vulnerability by sending the user of the web application a crafted request. If the request is processed, the attacker could access the system and perform unauthorized actions. | |||||
| CVE-2019-15731 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. Non-members were able to comment on merge requests despite the repository being set to allow only project members to do so. | |||||
| CVE-2019-4203 | 1 Ibm | 1 Api Connect | 2024-02-28 | 9.0 HIGH | 9.8 CRITICAL |
| IBM API Connect 5.0.0.0 and 5.0.8.6 Developer Portal can be exploited by app developers to download arbitrary files from the host OS and potentially carry out SSRF attacks. IBM X-Force ID: 159124. | |||||