Total
2086 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-20062 | 1 Cisco | 4 Packaged Contact Center Enterprise, Unified Contact Center Enterprise, Unified Contact Center Express and 1 more | 2024-11-21 | N/A | 6.5 MEDIUM |
|
Multiple vulnerabilities in Cisco Unified Intelligence Center could allow an authenticated, remote attacker to collect sensitive information or perform a server-side request forgery (SSRF) attack on an affected system. Cisco plans to release software updates that address these vulnerabilities.
|
|||||
| CVE-2023-20002 | 1 Cisco | 2 Roomos, Telepresence Collaboration Endpoint | 2024-11-21 | N/A | 4.4 MEDIUM |
|
A vulnerability in Cisco TelePresence CE and RoomOS Software could allow an authenticated, local attacker to bypass access controls and conduct an SSRF attack through an affected device.
This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to a user of the web application. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected system.
|
|||||
| CVE-2023-1971 | 1 Tpadmin Project | 1 Tpadmin | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
|
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in yuan1994 tpAdmin 1.3.12. Affected is the function remote of the file application\admin\controller\Upload.php. The manipulation of the argument url leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-225408. NOTE: This vulnerability only affects products that are no ...
Show More |
|||||
| CVE-2023-1725 | 1 Infoline-tr | 1 Project Management System | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Server-Side Request Forgery (SSRF) vulnerability in Infoline Project Management System allows Server Side Request Forgery.This issue affects Project Management System: before 4.09.31.125.
|
|||||
| CVE-2023-1634 | 1 Otcms | 1 Otcms | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was found in OTCMS 6.72. It has been classified as critical. Affected is the function UseCurl of the file /admin/info_deal.php of the component URL Parameter Handler. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-224016.
|
|||||
| CVE-2023-1046 | 1 Muyucms | 1 Muyucms | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability classified as critical has been found in MuYuCMS 2.2. This affects an unknown part of the file /admin.php/update/getFile.html. The manipulation of the argument url leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-221805 was assigned to this vulnerability.
|
|||||
| CVE-2023-0574 | 1 Yugabyte | 1 Yugabytedb Managed | 2024-11-21 | N/A | 6.8 MEDIUM |
|
Server-Side Request Forgery (SSRF), Improperly Controlled Modification of Dynamically-Determined Object Attributes, Improper Restriction of Excessive Authentication Attempts vulnerability in YugaByte, Inc. Yugabyte Managed allows Accessing Functionality Not Properly Constrained by ACLs, Communication Channel Manipulation, Authentication Abuse.This issue affects Yugabyte Managed: from 2.0.0.0 through 2.13.0.0
|
|||||
| CVE-2022-4725 | 1 Amazon | 1 Aws Software Development Kit | 2024-11-21 | N/A | 5.5 MEDIUM |
|
A vulnerability was found in AWS SDK 2.59.0. It has been rated as critical. This issue affects the function XpathUtils of the file aws-android-sdk-core/src/main/java/com/amazonaws/util/XpathUtils.java of the component XML Parser. The manipulation leads to server-side request forgery. Upgrading to version 2.59.1 is able to address this issue. The name of the patch is c3e6d69422e1f0c80fe53f2d757b8df97619af2b. It is recommended to upgrade the affected component. The identifier VDB-216737 was assign ...
Show More |
|||||
| CVE-2022-4096 | 1 Appsmith | 1 Appsmith | 2024-11-21 | N/A | 6.5 MEDIUM |
|
Server-Side Request Forgery (SSRF) in GitHub repository appsmithorg/appsmith prior to 1.8.2.
|
|||||
| CVE-2022-48477 | 1 Jetbrains | 1 Hub | 2024-11-21 | N/A | 4.1 MEDIUM |
|
In JetBrains Hub before 2023.1.15725 SSRF protection in Auth Module integration was missing
|
|||||
| CVE-2022-48321 | 1 Checkmk | 1 Checkmk | 2024-11-21 | N/A | 6.8 MEDIUM |
|
Limited Server-Side Request Forgery (SSRF) in agent-receiver in Tribe29's Checkmk <= 2.1.0p11 allows an attacker to communicate with local network restricted endpoints by use of the host registration API.
|
|||||
| CVE-2022-47872 | 1 Maccms | 1 Maccms | 2024-11-21 | N/A | 8.8 HIGH |
|
A Server-Side Request Forgery (SSRF) in maccms10 v2021.1000.2000 allows attackers to force the application to make arbitrary requests via a crafted payload injected into the Name parameter under the Interface address module.
|
|||||
| CVE-2022-46830 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | N/A | 4.1 MEDIUM |
|
In JetBrains TeamCity between 2022.10 and 2022.10.1 a custom STS endpoint allowed internal port scanning.
|
|||||
| CVE-2022-45835 | 1 Phonepe | 1 Phonepe | 2024-11-21 | N/A | 5.8 MEDIUM |
|
Server-Side Request Forgery (SSRF) vulnerability in PhonePe PhonePe Payment Solutions.This issue affects PhonePe Payment Solutions: from n/a through 1.0.15.
|
|||||
| CVE-2022-45362 | 1 Paytm | 1 Payment Gateway | 2024-11-21 | N/A | 7.2 HIGH |
|
Server-Side Request Forgery (SSRF) vulnerability in Paytm Paytm Payment Gateway.This issue affects Paytm Payment Gateway: from n/a through 2.7.0.
|
|||||
| CVE-2022-45085 | 1 Gruparge | 1 Smartpower Web | 2024-11-21 | N/A | 6.5 MEDIUM |
|
Server-Side Request Forgery (SSRF) vulnerability in Group Arge Energy and Control Systems Smartpower Web allows : Server Side Request Forgery.This issue affects Smartpower Web: before 23.01.01.
|
|||||
| CVE-2022-42890 | 2 Apache, Debian | 2 Batik, Debian Linux | 2024-11-21 | N/A | 7.5 HIGH |
|
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
|
|||||
| CVE-2022-42494 | 1 Aioseo | 1 All In One Seo | 2024-11-21 | N/A | 3.0 LOW |
|
Server Side Request Forgery (SSRF) vulnerability in All in One SEO Pro plugin <= 4.2.5.1 on WordPress.
|
|||||
| CVE-2022-42343 | 3 Adobe, Linux, Microsoft | 3 Campaign, Linux Kernel, Windows | 2024-11-21 | N/A | 6.5 MEDIUM |
|
Adobe Campaign version 7.3.1 (and earlier) and 8.3.9 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A low-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.
|
|||||
| CVE-2022-42183 | 1 Precisely | 1 Spectrum Spatial Analyst | 2024-11-21 | N/A | 9.1 CRITICAL |
|
Precisely Spectrum Spatial Analyst 20.01 is vulnerable to Server-Side Request Forgery (SSRF).
|
|||||
| CVE-2022-41949 | 1 Dhis2 | 1 Dhis 2 | 2024-11-21 | N/A | 5.0 MEDIUM |
|
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. In affected versions an authenticated DHIS2 user can craft a request to DHIS2 to instruct the server to make requests to external resources (like third party servers). This could allow an attacker, for example, to identify vulnerable services which might not be otherwise exposed to the public internet or to determine whether a specific file is present on the DHIS2 server. DHIS2 admi ...
Show More |
|||||
| CVE-2022-41906 | 1 Amazon | 1 Opensearch Notifications | 2024-11-21 | N/A | 8.7 HIGH |
|
OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via Email, Slack, Amazon Chime, Custom web-hook etc channels. A potential SSRF issue in OpenSearch Notifications Plugin starting in 2.0.0 and prior to 2.2.1 could allow an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Notification plugin's intended scope. OpenSearch 2.2.1+ contains the fix for this issu ...
Show More |
|||||
| CVE-2022-41609 | 1 Wordplus | 1 Better Messages | 2024-11-21 | N/A | 6.4 MEDIUM |
|
Auth. (subscriber+) Server-Side Request Forgery (SSRF) vulnerability in Better Messages plugin 1.9.10.68 on WordPress.
|
|||||
| CVE-2022-41552 | 3 Hitachi, Linux, Microsoft | 5 Infrastructure Analytics Advisor, Ops Center Analyzer, Ops Center Viewpoint and 2 more | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Server-Side Request Forgery (SSRF) vulnerability in Hitachi Infrastructure Analytics Advisor on Linux (Data Center Analytics, Analytics probe components), Hitachi Ops Center Analyzer on Linux (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe components) allows Server Side Request Forgery.
This issue affects Hitachi Infrastructure Analytics Advisor: from 2.0.0-00 through 4.4.0-00; Hitachi Ops Center Analyzer: from 10.0.0-00 before 10.9.0-00.
|
|||||
| CVE-2022-41401 | 1 Openrefine | 1 Openrefine | 2024-11-21 | N/A | 6.5 MEDIUM |
|
OpenRefine <= v3.5.2 contains a Server-Side Request Forgery (SSRF) vulnerability, which permits unauthorized users to exploit the system, potentially leading to unauthorized access to internal resources and sensitive file disclosure.
|
|||||
| CVE-2022-40700 | 12 Agence-press, Arcstone, Deano and 9 more | 15 Css Adder, Amo For Wp - Membership Management, Amp Toolbox and 12 more | 2024-11-21 | N/A | 8.2 HIGH |
|
Server-Side Request Forgery (SSRF) vulnerability in Montonio Montonio for WooCommerce, Wpopal Wpopal Core Features, AMO for WP – Membership Management ArcStone wp-amo, Long Watch Studio WooVirtualWallet – A virtual wallet for WooCommerce, Long Watch Studio WooVIP – Membership plugin for WordPress and WooCommerce, Long Watch Studio WooSupply – Suppliers, Supply Orders and Stock Management, Squidesma Theme Minifier, Paul Clark Styles styles, Designmodo Inc. WordPress Page Builder – Qards, Philip M ...
Show More |
|||||
| CVE-2022-40312 | 1 Givewp | 1 Givewp | 2024-11-21 | N/A | 5.5 MEDIUM |
|
Server-Side Request Forgery (SSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through 2.25.1.
|
|||||
| CVE-2022-40305 | 1 Canto | 1 Canto | 2024-11-21 | N/A | 9.8 CRITICAL |
|
A Server-Side Request Forgery issue in Canto Cumulus through 11.1.3 allows attackers to enumerate the internal network, overload network resources, and possibly have unspecified other impact via the server parameter to the /cwc/login login form.
|
|||||
| CVE-2022-3189 | 1 Dataprobe | 24 Iboot-pdu4-n20, Iboot-pdu4-n20 Firmware, Iboot-pdu4a-n15 and 21 more | 2024-11-21 | N/A | 5.3 MEDIUM |
|
Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where a specially crafted PHP script could use parameters from a HTTP request to create a URL capable of changing the host parameter. The changed host parameter in the HTTP could point to another host that will send a request to the host or IP specified in the changed host parameter.
|
|||||
| CVE-2022-39383 | 1 Linuxfoundation | 1 Kubevela | 2024-11-21 | N/A | 4.9 MEDIUM |
|
KubeVela is an open source application delivery platform. Users using the VelaUX APIServer could be affected by this vulnerability. When using Helm Chart as the component delivery method, the request address of the warehouse is not restricted, and there is a blind SSRF vulnerability. Users who're using v1.6, please update the v1.6.1. Users who're using v1.5, please update the v1.5.8. There are no known workarounds for this issue.
|
|||||
| CVE-2022-39276 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A | 3.5 LOW |
|
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or an external calendar in planning is subject to SSRF exploit. In case a remote script returns a redirect response, the redirect target URL is not checked against the URL allow list defined by administrator. This issue has been patched, please upgrade to 10.0.4. There are currently n ...
Show More |
|||||
| CVE-2022-39241 | 1 Discourse | 1 Discourse | 2024-11-21 | N/A | 7.6 HIGH |
|
Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest `stable`, `beta`, and `test-passed` versions are now patched. As a workaround, self-hosters can use `DISCOURSE_BLOCKED_IP_BLOCKS` env var (which overrides `blocked_ip_blocks` setting) to stop webhooks from accessing private IPs.
|
|||||
| CVE-2022-39239 | 1 Nuxtjs | 1 Netlify-ipx | 2024-11-21 | N/A | 6.1 MEDIUM |
|
netlify-ipx is an on-Demand image optimization for Netlify using ipx. In versions prior to 1.2.3, an attacker can bypass the source image domain allowlist by sending specially crafted headers, causing the handler to load and return arbitrary images. Because the response is cached globally, this image will then be served to visitors without requiring those headers to be set. XSS can be achieved by requesting a malicious SVG with embedded scripts, which would then be served from the site domain. N ...
Show More |
|||||
| CVE-2022-39211 | 1 Nextcloud | 2 Nextcloud Enterprise Server, Nextcloud Server | 2024-11-21 | N/A | 3.0 LOW |
|
Nextcloud server is an open source personal cloud platform. In affected versions it was found that locally running webservices can be found and requested erroneously. It is recommended that the Nextcloud Server is upgraded to 23.0.8 or 24.0.4. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.10.4, 23.0.8 or 24.0.4. There are no known workarounds for this issue.
|
|||||
| CVE-2022-39055 | 1 Changingtec | 1 Rava Certificate Validation System | 2024-11-21 | N/A | 5.3 MEDIUM |
|
RAVA certificate validation system has inadequate filtering for URL parameter. An unauthenticated remote attacker can perform SSRF attack to discover internal network topology base on query response.
|
|||||
| CVE-2022-39039 | 1 Aenrich | 1 A\+hrd | 2024-11-21 | N/A | 9.8 CRITICAL |
|
aEnrich’s a+HRD has inadequate filtering for specific URL parameter. An unauthenticated remote attacker can exploit this vulnerability to send arbitrary HTTP(s) request to launch Server-Side Request Forgery (SSRF) attack, to perform arbitrary system command or disrupt service.
|
|||||
| CVE-2022-38708 | 1 Ibm | 1 Cognos Analytics | 2024-11-21 | N/A | 6.5 MEDIUM |
|
IBM Cognos Analytics 11.1.7 11.2.0, and 11.2.1 could be vulnerable to a Server-Side Request Forgery Attack (SSRF) attack by constructing URLs from user-controlled data. This could enable attackers to make arbitrary requests to the internal network or to the local file system. IBM X-Force ID: 234180.
|
|||||
| CVE-2022-38298 | 1 Appsmith | 1 Appsmith | 2024-11-21 | N/A | 8.8 HIGH |
|
Appsmith v1.7.11 was discovered to allow attackers to execute an authenticated Server-Side Request Forgery (SSRF) via redirecting incoming requests to the AWS internal metadata endpoint.
|
|||||
| CVE-2022-38292 | 1 Slims | 1 Senayan Library Management System | 2024-11-21 | N/A | 9.8 CRITICAL |
|
SLiMS Senayan Library Management System v9.4.2 was discovered to contain multiple Server-Side Request Forgeries via the components /bibliography/marcsru.php and /bibliography/z3950sru.php.
|
|||||
| CVE-2022-38212 | 1 Esri | 1 Portal For Arcgis | 2024-11-21 | N/A | 7.5 HIGH |
|
Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38203.
|
|||||