Total: 2086 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-41412 | 1 Perfsonar | 1 Perfsonar | 2025-04-24 | N/A | 8.6 HIGH | An issue in the graphData.cgi component of perfSONAR v4.4.5 and prior allows attackers to access sensitive data and execute Server-Side Request Forgery (SSRF) attacks. |
| CVE-2023-6294 | 1 Sygnoos | 1 Popup Builder | 2025-04-24 | N/A | 7.2 HIGH | The Popup Builder WordPress plugin before 4.2.6 does not validate a parameter before making a request to it, which could allow users with the administrator role to perform an SSRF attack in Multisite WordPress configurations. |
| CVE-2022-35508 | 1 Proxmox | 3 Proxmox Mail Gateway, Pve Http Server, Virtual Environment | 2025-04-24 | N/A | 9.8 CRITICAL | Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) are vulnerable to SSRF when proxying HTTP requests between pve(pmg)proxy and pve(pmg)daemon. An attacker with an unprivileged account can craft an HTTP request to achieve SSRF and file disclosure of any files on the server. Also, in Proxmox Mail Gateway, privilege escalation to the root@pam account is possible if the backup feature has ever been used, because backup files such as pmg-backup_YYYY_MM_DD_*.tgz have 0644 permissions an ... |
| CVE-2025-29458 | 1 Mybb | 1 Mybb | 2025-04-24 | N/A | 7.6 HIGH | An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation. |
| CVE-2025-29457 | 1 Mybb | 1 Mybb | 2025-04-24 | N/A | 7.6 HIGH | An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation. |
| CVE-2022-43880 | 1 Ibm | 1 Qradar Wincollect | 2025-04-24 | N/A | 4.4 MEDIUM | IBM QRadar WinCollect Agent 10.0 through 10.1.2 could allow a privileged user to cause a denial of service. IBM X-Force ID: 240151. |
| CVE-2025-3691 | 1 Mirweiye | 1 Seven Bears Library Cms | 2025-04-24 | 3.3 LOW | 2.7 LOW | A vulnerability was found in mirweiye Seven Bears Library CMS 2023. It has been classified as problematic. Affected is an unknown function of the component Add Link Handler. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-56736 | 1 Apache | 1 Hertzbeat | 2025-04-23 | N/A | 6.5 MEDIUM | Server-Side Request Forgery (SSRF) vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat (incubating): before 1.7.0. Users are recommended to upgrade to version 1.7.0, which fixes the issue. |
| CVE-2025-27501 | 1 Openziti | 1 Openziti | 2025-04-23 | N/A | 8.6 HIGH | OpenZiti is a free and open source project focused on bringing zero trust to any application. An endpoint on the admin panel can be accessed without any form of authentication. This endpoint accepts a user-supplied URL parameter to connect to an OpenZiti Controller and performs a server-side request, resulting in a potential Server-Side Request Forgery (SSRF) vulnerability. The fixed version has moved the request to the external controller from the server side to the client side, thereby elimina ... |
| CVE-2025-29450 | 1 Lm21 | 1 Twonav | 2025-04-23 | N/A | 6.5 MEDIUM | An issue in twonav v.2.1.18-20241105 allows a remote attacker to obtain sensitive information via the site settings component. |
| CVE-2025-29451 | 1 Seopanel | 1 Seo Panel | 2025-04-23 | N/A | 7.6 HIGH | An issue in Seo Panel 4.11.0 allows a remote attacker to obtain sensitive information via the Mail Setting component. |
| CVE-2025-29452 | 1 Seopanel | 1 Seo Panel | 2025-04-23 | N/A | 7.6 HIGH | An issue in Seo Panel 4.11.0 allows a remote attacker to obtain sensitive information via the Proxy Manager component. |
| CVE-2025-3787 | 1 Pbootcms | 1 Pbootcms | 2025-04-23 | 3.3 LOW | 2.7 LOW | A vulnerability was found in PbootCMS 3.2.5. It has been classified as problematic. Affected is an unknown function of the component Image Handler. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-57252 | 1 Otcms | 1 Otcms | 2025-04-22 | N/A | 4.3 MEDIUM | OtCMS <=V7.46 is vulnerable to Server-Side Request Forgery (SSRF) in /admin/read.php, which can read system files arbitrarily. |
| CVE-2025-29453 | 1 Personal-management-system | 1 Personal Management System | 2025-04-22 | N/A | 6.5 MEDIUM | An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the my-contacts-settings component. |
| CVE-2025-29454 | 1 Personal-management-system | 1 Personal Management System | 2025-04-22 | N/A | 6.5 MEDIUM | An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the Upload function. |
| CVE-2025-29455 | 1 Personal-management-system | 1 Personal Management System | 2025-04-22 | N/A | 6.5 MEDIUM | An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the Travel Ideas function. |
| CVE-2025-29456 | 1 Personal-management-system | 1 Personal Management System | 2025-04-22 | N/A | 6.5 MEDIUM | An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the create Notes function. |
| CVE-2022-29309 | 1 Wangl1989 | 1 Mysiteforme | 2025-04-22 | 5.0 MEDIUM | 7.5 HIGH | mysiteforme v2.2.1 was discovered to contain a Server-Side Request Forgery. |
| CVE-2022-46364 | 1 Apache | 1 Cxf | 2025-04-22 | N/A | 9.8 CRITICAL | A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. |
| CVE-2017-10973 | 1 Finecms Project | 1 Finecms | 2025-04-20 | 4.3 MEDIUM | 6.5 MEDIUM | In FineCMS before 2017-07-06, application/lib/ajax/get_image_data.php has SSRF, related to requests for non-image files with a modified HTTP Host header. |
| CVE-2017-9066 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-20 | 5.0 MEDIUM | 8.6 HIGH | In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. |
| CVE-2017-3546 | 1 Oracle | 1 Peoplesoft Enterprise Peopletools | 2025-04-20 | 6.4 MEDIUM | 6.5 MEDIUM | Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: MultiChannel Framework). Supported versions that are affected are 8.54 and 8.55. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as ... |
| CVE-2017-9458 | 1 Paloaltonetworks | 1 Pan-os | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | XML external entity (XXE) vulnerability in the GlobalProtect internal and external gateway interface in Palo Alto Networks PAN-OS before 6.1.18, 7.0.x before 7.0.17, 7.1.x before 7.1.12, and 8.0.x before 8.0.3 allows remote attackers to obtain sensitive information, cause a denial of service, or conduct server-side request forgery (SSRF) attacks via unspecified vectors. |
| CVE-2017-7553 | 1 Redhat | 1 Mobile Application Platform | 2025-04-20 | 6.5 MEDIUM | 6.3 MEDIUM | The external_request api call in App Studio (millicore) allows server side request forgery (SSRF). An attacker could use this flaw to probe the network internal resources, and access restricted endpoints. |
| CVE-2017-11291 | 1 Adobe | 1 Connect | 2025-04-20 | 6.4 MEDIUM | 10.0 CRITICAL | An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A Server-Side Request Forgery (SSRF) vulnerability exists that could be abused to bypass network access controls. |
| CVE-2017-6130 | 1 F5 | 2 Ssl Intercept Iapp, Ssl Orchestrator | 2025-04-20 | 5.8 MEDIUM | 7.4 HIGH | F5 SSL Intercept iApp 1.5.0 - 1.5.7 and SSL Orchestrator 2.0 is vulnerable to a Server-Side Request Forgery (SSRF) attack when deployed using the Dynamic Domain Bypass (DDB) feature plus SNAT Auto Map option for egress traffic. |
| CVE-2017-0906 | 1 Recurly | 1 Recurly Client Python | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | The Recurly Client Python Library before 2.0.5, 2.1.16, 2.2.22, 2.3.1, 2.4.5, 2.5.1, 2.6.2 is vulnerable to a Server-Side Request Forgery vulnerability in the "Resource.get" method that could result in compromise of API keys or other critical resources. |
| CVE-2017-7200 | 1 Openstack | 1 Glance | 2025-04-20 | 5.0 MEDIUM | 5.8 MEDIUM | An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service. |
| CVE-2017-9307 | 1 Allen Disk Project | 1 Allen Disk | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM | SSRF vulnerability in remotedownload.php in Allen Disk 1.6 allows remote authenticated users to conduct port scans and access intranet servers via a crafted file parameter. |
| CVE-2017-1000017 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH | phpMyAdmin 4.0, 4.4 and 4.6 are vulnerable to a weakness where a user with appropriate permissions is able to connect to an arbitrary MySQL server. |
| CVE-2017-7569 | 1 Vbulletin | 1 Vbulletin | 2025-04-20 | 5.0 MEDIUM | 8.6 HIGH | In vBulletin before 5.3.0, remote attackers can bypass the CVE-2016-6483 patch and conduct SSRF attacks by leveraging the behavior of the PHP parse_url function, aka VBV-17037. |
| CVE-2017-15943 | 1 Paloaltonetworks | 1 Pan-os | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM | The configuration file import for applications, spyware and vulnerability objects functionality in the web interface in Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, and 7.1.x before 7.1.14 allows remote attackers to conduct server-side request forgery (SSRF) attacks and consequently obtain sensitive information via vectors related to parsing of external entities. |
| CVE-2016-7051 | 1 Fasterxml | 1 Jackson-dataformat-xml | 2025-04-20 | 5.0 MEDIUM | 8.6 HIGH | XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD. |
| CVE-2017-11149 | 1 Synology | 1 Download Station | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM | Server-side request forgery (SSRF) vulnerability in Downloader in Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 allows remote authenticated users to download arbitrary local files via crafted URI. |
| CVE-2017-14585 | 1 Atlassian | 2 Hipchat Data Center, Hipchat Server | 2025-04-20 | 9.0 HIGH | 7.2 HIGH | A Server Side Request Forgery (SSRF) vulnerability could lead to remote code execution for authenticated administrators. This issue was introduced in version 2.2.0 of Hipchat Server and version 3.0.0 of Hipchat Data Center. Versions of Hipchat Server starting with 2.2.0 and before 2.2.6 are affected by this vulnerability. Versions of Hipchat Data Center starting with 3.0.0 and before 3.1.0 are affected. |
| CVE-2017-9506 | 1 Atlassian | 1 Oauth | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF). |
| CVE-2016-6001 | 1 Ibm | 1 Forms Experience Builder | 2025-04-20 | 3.5 LOW | 3.1 LOW | IBM Forms Experience Builder could be susceptible to a server-side request forgery (SSRF) from the application design interface allowing for some information disclosure of internal resources. |
| CVE-2017-7566 | 1 Mybb | 1 Mybb | 2025-04-20 | 4.0 MEDIUM | 7.7 HIGH | MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism. |
| CVE-2017-12071 | 1 Synology | 1 Photo Station | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM | Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via the url parameter. |
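Three defect classes recur across the entries above: a fetch-by-URL feature that will happily connect to loopback, link-local or private addresses (the `http://localhost:22` port-scan pattern in CVE-2017-7200 and CVE-2017-9307), a URL parser that can be confused into targeting a host the code did not check (CVE-2017-7569), and an HTTP client that follows redirects without re-validating the new target (CVE-2017-9066). The guard below is an added example written for this page; it is not code from any of the listed projects. It assumes an injected resolver and an injected single-request fetch function so it runs offline; the hostnames, DNS answers and server responses in `SAMPLE_DNS` and `SAMPLE_SERVER` are constructed sample data, and a real deployment would pass `socket.getaddrinfo` and an HTTP client that connects to the pinned address.

```python
"""Added example: SSRF guard for server-side URL fetches (not project code).

Covers blocked address ranges, parser-confusion inputs (userinfo, odd host
literals, bad ports), split DNS answers, and re-validation on every redirect.
Sample DNS/server data below is constructed so the example runs offline.
"""
import ipaddress
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urljoin, urlsplit

# Ranges a fetch-by-URL feature must never reach. The RFC 5737 documentation
# ranges (203.0.113.0/24 etc.) are left routable on purpose for the sample data.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class SSRFBlocked(ValueError):
    """Raised when a URL, or a redirect hop, must not be fetched."""


def _is_blocked(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:  # e.g. ::ffff:127.0.0.1
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_url(url: str, resolve: Callable[[str], Iterable[str]],
              allowed_ports: Iterable[int] = (80, 443)) -> List[str]:
    """Validate one URL; return the resolved addresses that may be dialled.

    Every address in a DNS answer must pass, so a split answer mixing a public
    and a private address is rejected. Unknown hosts fail closed.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SSRFBlocked("userinfo in URL is not allowed")
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        raise SSRFBlocked("URL has no host")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:  # non-numeric or out-of-range port
        raise SSRFBlocked(f"bad port in {url!r}") from exc
    if port not in set(allowed_ports):
        raise SSRFBlocked(f"port {port} not allowed")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal address, no lookup
    except ValueError:
        addrs = list(resolve(host))  # hostname, or an odd literal like 2130706433
    if not addrs:
        raise SSRFBlocked(f"{host!r} did not resolve")
    for addr in addrs:
        if _is_blocked(addr):
            raise SSRFBlocked(f"{host!r} resolves to blocked address {addr}")
    return addrs


def fetch_safely(url: str, resolve: Callable[[str], Iterable[str]],
                 fetch: Callable[[str, str], Tuple[int, str]],
                 max_redirects: int = 5) -> Tuple[int, str, List[str]]:
    """Fetch url, validating every redirect target before following it.

    fetch(url, pinned_ip) performs ONE request without following redirects and
    returns (status, location_or_body). The validated address is passed so a
    real client can connect to it directly instead of resolving again.
    """
    hops: List[str] = []
    for _ in range(max_redirects + 1):
        pinned = check_url(url, resolve)[0]
        hops.append(url)
        status, payload = fetch(url, pinned)
        if status in REDIRECT_STATUSES:
            url = urljoin(url, payload)  # Location may be relative
            continue
        return status, payload, hops
    raise SSRFBlocked(f"more than {max_redirects} redirects")


# Constructed sample data (hypothetical hosts and responses), not real lookups.
SAMPLE_DNS = {
    "example.com": ["203.0.113.10"],
    "localhost": ["127.0.0.1", "::1"],
    "split.example": ["203.0.113.11", "10.0.0.5"],  # mixed answer: rejected
}
SAMPLE_SERVER = {  # url -> (status, Location header or body)
    "https://example.com/ok": (200, "public content"),
    "https://example.com/hop": (302, "/ok"),
    "https://example.com/open-redirect": (302, "http://127.0.0.1/admin"),
}


def sample_resolver(host: str) -> List[str]:
    return SAMPLE_DNS.get(host, [])


def sample_fetch(url: str, pinned_ip: str) -> Tuple[int, str]:
    return SAMPLE_SERVER.get(url, (404, ""))


def is_blocked_url(url: str) -> bool:
    """True if check_url refuses the URL under the sample resolver."""
    try:
        check_url(url, sample_resolver)
        return False
    except SSRFBlocked:
        return True


def fetch_outcome(url: str) -> str:
    """'blocked' or the final status code, following redirects safely."""
    try:
        return str(fetch_safely(url, sample_resolver, sample_fetch)[0])
    except SSRFBlocked:
        return "blocked"
```

The redirect step is the part most fetch-by-URL code gets wrong: validating only the first URL and then letting the HTTP library chase `Location` headers is exactly the shape of the WordPress entry above. Pinning the validated address for the actual connection also closes the window between the DNS check and the connect, which a resolver returning different answers on consecutive lookups would otherwise exploit.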