Total: 1195 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2019-12959 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH | Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer 6.2.0 and before for the ClientUtilServlet servlet via a URL in a parameter.
CVE-2019-6793 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 6.8 MEDIUM | 7.0 HIGH | An issue was discovered in GitLab Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. The Jira integration feature is vulnerable to an unauthenticated blind SSRF issue.
CVE-2019-15033 | 1 Pydio | 1 Pydio | 2024-02-28 | 4.0 MEDIUM | 7.7 HIGH | Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to index.php, when sending a file to a remote server, as demonstrated by the file=http%3A%2F%2F192.168.1.2 substring.
CVE-2019-9174 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 7.5 HIGH | 10.0 CRITICAL | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows SSRF.
CVE-2019-8451 | 1 Atlassian | 1 Jira Server | 2024-02-28 | 6.4 MEDIUM | 6.5 MEDIUM | The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
CVE-2019-6516 | 1 Wso2 | 1 Dashboard Server | 2024-02-28 | 5.0 MEDIUM | 5.8 MEDIUM | An issue was discovered in WSO2 Dashboard Server 2.0.0. It is possible to force the application to perform requests to the internal workstation (port-scanning) and to perform requests to adjacent workstations (network-scanning), aka SSRF.
CVE-2019-11565 | 1 Print My Blog Project | 1 Print My Blog | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | Server Side Request Forgery (SSRF) exists in the Print My Blog plugin before 1.6.7 for WordPress via the site parameter.
CVE-2019-7616 | 1 Elastic | 1 Kibana | 2024-02-28 | 4.0 MEDIUM | 4.9 MEDIUM | Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system.
CVE-2019-9827 | 1 Hawt | 1 Hawtio | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | Hawt Hawtio through 2.5.0 is vulnerable to SSRF, allowing a remote attacker to trigger an HTTP request from an affected server to an arbitrary host via the initial /proxy/ substring of a URI.
CVE-2018-13103 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-02-28 | 5.5 MEDIUM | 5.4 MEDIUM | OX App Suite 7.8.4 and earlier allows SSRF.
CVE-2019-5725 | 1 Qibosoft | 1 Qibosoft | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | qibosoft through V7 allows remote attackers to read arbitrary files via the member/index.php main parameter, as demonstrated by SSRF to a URL on the same web site to read a .sql file.
CVE-2018-16794 | 1 Microsoft | 2 Active Directory Federation Services, Windows Server 2016 | 2024-02-28 | 5.0 MEDIUM | 8.6 HIGH | Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory Federation Services) has an SSRF vulnerability via the txtBoxEmail parameter in /adfs/ls.
CVE-2018-12809 | 1 Adobe | 1 Experience Manager | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | Adobe Experience Manager versions 6.4 and earlier have a Server-Side Request Forgery vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2018-1999017 | 1 Pydio | 1 Pydio | 2024-02-28 | 4.0 MEDIUM | 4.9 MEDIUM | Pydio version 8.2.0 and earlier contains a Server-Side Request Forgery (SSRF) vulnerability in plugins/action.updater/UpgradeManager.php Line: 154, getUpgradePath($url) that can result in an authenticated admin users requesting arbitrary URL's, pivoting requests through the server. This attack appears to be exploitable via the attacker gaining access to an administrative account, enters a URL into Upgrade Engine, and reloads the page or presses "Check Now". This vulnerability appears to have been fixed in 8.2.1.
CVE-2018-16444 | 1 Seacms | 1 Seacms | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL | An issue was discovered in SeaCMS 6.61. adm1n/admin_reslib.php has SSRF via the url parameter.
CVE-2019-1003028 | 1 Jenkins | 1 Jms Messaging | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM | A server-side request forgery vulnerability exists in Jenkins JMS Messaging Plugin 1.1.1 and earlier in SSLCertificateAuthenticationMethod.java, UsernameAuthenticationMethod.java that allows attackers with Overall/Read permission to have Jenkins connect to a JMS endpoint.
CVE-2019-6257 | 1 Std42 | 1 Elfinder | 2024-02-28 | 4.0 MEDIUM | 7.7 HIGH | A Server Side Request Forgery (SSRF) vulnerability in elFinder before 2.1.46 could allow a malicious user to access the content of internal network resources. This occurs in get_remote_contents() in php/elFinder.class.php.
CVE-2018-20228 | 1 Subsonic | 1 Subsonic | 2024-02-28 | 6.0 MEDIUM | 8.0 HIGH | Subsonic V6.1.5 allows internetRadioSettings.view streamUrl CSRF, with resultant SSRF.
CVE-2018-15516 | 1 Dlink | 1 Central Wifimanager | 2024-02-28 | 3.5 LOW | 5.8 MEDIUM | The FTP service on D-Link Central WiFiManager CWM-100 1.03 r0098 devices allows remote attackers to conduct a PORT command bounce scan via port 8000, resulting in SSRF.
CVE-2018-10511 | 1 Trendmicro | 1 Control Manager | 2024-02-28 | 6.4 MEDIUM | 10.0 CRITICAL | A vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to conduct a server-side request forgery (SSRF) attack on vulnerable installations.