Total: 1250 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2018-18753 | 1 Typecho | 1 Typecho | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL | Typecho V1.1 allows remote attackers to send shell commands via base64-encoded serialized data, as demonstrated by SSRF.
CVE-2018-20596 | 1 Jspxcms | 1 Jspxcms | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | Jspxcms v9.0.0 allows SSRF.
CVE-2018-1000421 | 1 Apache | 1 Mesos | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM | An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2018-15517 | 1 Dlink | 1 Central Wifimanager | 2024-02-28 | 5.0 MEDIUM | 8.6 HIGH | The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI.
CVE-2019-8982 | 1 Wavemaker | 1 Wavemarker Studio | 2024-02-28 | 6.8 MEDIUM | 9.6 CRITICAL | com/wavemaker/studio/StudioService.java in WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent&inUrl= value, leading to disclosure of local files and SSRF.
CVE-2018-18569 | 1 Dundas | 1 Dundas Bi | 2024-02-28 | 5.0 MEDIUM | 8.6 HIGH | The Dundas BI server before 5.0.1.1010 is vulnerable to a Server-Side Request Forgery attack, allowing an attacker to forge arbitrary requests (with certain restrictions) that will be executed on behalf of the attacker, via the viewUrl parameter of the "export the dashboard as an image" feature. This could be leveraged to provide a proxy to attack other servers (internal or external) or to perform network scans of external or internal networks.
CVE-2018-13404 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 4.0 MEDIUM | 4.1 MEDIUM | The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers who have administrator rights to determine the existence of internal hosts & open ports and in some cases obtain service information from internal network resources via a Server Side Request Forgery (SSRF) vulnerability.
CVE-2018-20528 | 1 Jeecms | 1 Jeecms | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM | JEECMS 9 has SSRF via the ueditor/getRemoteImage.jspx upfile parameter.
CVE-2019-1003027 | 1 Jenkins | 1 Octopusdeploy | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM | A server-side request forgery vulnerability exists in Jenkins OctopusDeploy Plugin 1.8.1 and earlier in OctopusDeployPlugin.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL and obtain the HTTP response code if successful, and exception error message otherwise.
CVE-2024-1965 | | | 2024-02-28 | N/A | 6.5 MEDIUM | Server-Side Request Forgery vulnerability in Haivision's Aviwest Manager and Aviwest Steamhub. This vulnerability could allow an attacker to enumerate internal network configuration without the need for credentials. An attacker could compromise an internal server and retrieve requests sent by other users.