Total: 2086 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2019-4203 | 1 Ibm | 1 Api Connect | 2024-11-21 | 9.0 HIGH | 9.8 CRITICAL | IBM API Connect 5.0.0.0 and 5.0.8.6 Developer Portal can be exploited by app developers to download arbitrary files from the host OS and potentially carry out SSRF attacks. IBM X-Force ID: 159124. |
| CVE-2019-3809 | 1 Moodle | 1 Moodle | 2024-11-21 | 7.5 HIGH | 6.5 MEDIUM | A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page. |
| CVE-2019-3395 | 1 Atlassian | 2 Confluence, Confluence Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery. |
| CVE-2019-20872 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM | An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. SSRF can attack local services. |
| CVE-2019-20474 | 1 Zohocorp | 1 Manageengine Remote Access Plus | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network and port scan operations of the localhost or the hosts on the same network segment, aka SSRF. |
| CVE-2019-20408 | 1 Atlassian | 1 Jira | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class. |
| CVE-2019-20055 | 1 Liquidpixels | 1 Liquifire Os | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM | LiquidPixels LiquiFire OS 4.8.0 allows SSRF via the call%3Durl substring followed by a URL in square brackets. |
| CVE-2019-1872 | 1 Cisco | 1 Telepresence Video Communication Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | A vulnerability in Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway Series software could allow an unauthenticated, remote attacker to cause an affected system to send arbitrary network requests. The vulnerability is due to improper restrictions on network services in the affected software. An attacker could exploit this vulnerability by sending malicious requests to the affected system. A successful exploit could allow the attacker to send arbitrary network requests sour ... |
| CVE-2019-1679 | 1 Cisco | 2 Telepresence Conductor, Telepresence Video Communication Server | 2024-11-21 | 4.0 MEDIUM | 5.0 MEDIUM | A vulnerability in the web interface of Cisco TelePresence Conductor, Cisco Expressway Series, and Cisco TelePresence Video Communication Server (VCS) Software could allow an authenticated, remote attacker to trigger an HTTP request from an affected server to an arbitrary host. This type of attack is commonly referred to as server-side request forgery (SSRF). The vulnerability is due to insufficient access controls for the REST API of Cisco Expressway Series and Cisco TelePresence VCS. An attack ... |
| CVE-2019-19999 | 1 Halo | 1 Halo | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration. |
| CVE-2019-19835 | 1 Ruckuswireless | 17 C110, E510, H320 and 14 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | SSRF in AjaxRestrictedCmdStat in zap in Ruckus Wireless Unleashed through 200.7.10.102.64 allows a remote denial of service via the server attribute to the tools/_rcmdstat.jsp URI. |
| CVE-2019-19261 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | GitLab Enterprise Edition (EE) 6.7 and later through 12.5 allows SSRF. |
| CVE-2019-18846 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 4.0 MEDIUM | 5.0 MEDIUM | OX App Suite through 7.10.2 allows SSRF. |
| CVE-2019-18394 | 1 Igniterealtime | 1 Openfire | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests. |
| CVE-2019-18379 | 1 Symantec | 1 Messaging Gateway | 2024-11-21 | 7.5 HIGH | 7.3 HIGH | Symantec Messaging Gateway, prior to 10.7.3, may be susceptible to a server-side request forgery (SSRF) exploit, which is a type of issue that can let an attacker send crafted requests from the backend server of a vulnerable web application or access services available through the loopback interface. |
| CVE-2019-18355 | 1 Thycotic | 1 Secret Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An SSRF issue was discovered in the legacy Web launcher in Thycotic Secret Server before 10.7. |
| CVE-2019-17670 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs. |
| CVE-2019-17669 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters. |
| CVE-2019-17566 | 2 Apache, Oracle | 18 Batik, Api Gateway, Business Intelligence and 15 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Apache Batik is vulnerable to server-side request forgery, caused by improper input validation of "xlink:href" attributes. By using a specially crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. |
| CVE-2019-17400 | 1 Universal Office Converter Project | 1 Universal Office Converter | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion. |
| CVE-2019-16948 | 1 Enghouse | 1 Web Chat | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An SSRF issue was discovered in Enghouse Web Chat 6.1.300.31. In any POST request, one can replace the port number at WebServiceLocation=http://localhost:8085/UCWebServices/ with a range of ports to determine what is visible on the internal network (as opposed to what general web traffic would see on the product's host). The response from open ports is different than from closed ports. The product does not allow one to change the protocol: anything except http(s) will throw an error; however, it ... |
| CVE-2019-16932 | 1 Themeisle | 1 Visualizer | 2024-11-21 | 5.8 MEDIUM | 10.0 CRITICAL | A blind SSRF vulnerability exists in the Visualizer plugin before 3.3.1 for WordPress via wp-json/visualizer/v1/upload-data. |
| CVE-2019-15731 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. Non-members were able to comment on merge requests despite the repository being set to allow only project members to do so. |
| CVE-2019-15730 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in GitLab Community and Enterprise Edition 8.14 through 12.2.1. The Jira integration contains an SSRF vulnerability as a result of a bypass of the current protection mechanisms against this type of attack, which would allow sending requests to any resources accessible in the local network by the GitLab server. |
| CVE-2019-15728 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in GitLab Community and Enterprise Edition 10.1 through 12.2.1. Protections against SSRF attacks on the Kubernetes integration are insufficient, which could have allowed an attacker to request any local network resource accessible from the GitLab server. |
| CVE-2019-15494 | 1 It-novum | 1 Openitcockpit | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | openITCOCKPIT before 3.7.1 allows SSRF, aka RVID 5-445b21. |
| CVE-2019-15164 | 1 Tcpdump | 1 Libpcap | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | rpcapd/daemon.c in libpcap before 1.9.1 allows SSRF because a URL may be provided as a capture source. |
| CVE-2019-15033 | 1 Pydio | 1 Pydio | 2024-11-21 | 4.0 MEDIUM | 7.7 HIGH | Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to index.php, when sending a file to a remote server, as demonstrated by the file=http%3A%2F%2F192.168.1.2 substring. |
| CVE-2019-15021 | 1 Zingbox | 1 Inspector | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | A security vulnerability exists in the Zingbox Inspector versions 1.294 and earlier, that can allow an attacker to easily identify instances of Zingbox Inspectors in a local area network. |
| CVE-2019-14704 | 1 Microdigital | 6 Mdc-n2190v, Mdc-n2190v Firmware, Mdc-n4090 and 3 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An SSRF issue was discovered in HTTPD on MicroDigital N-series cameras with firmware through 6400.0.8.5 via FTP commands following a newline character in the uploadfile field. |
| CVE-2019-14476 | 1 Adremsoft | 1 Netcrunch | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | AdRem NetCrunch 10.6.0.4587 has a Server-Side Request Forgery (SSRF) vulnerability in the NetCrunch server. Every user can trick the server into performing SMB requests to other systems. |
| CVE-2019-14255 | 1 Go-camo Project | 1 Go-camo | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | A Server Side Request Forgery (SSRF) vulnerability in go-camo up to version 1.1.4 allows a remote attacker to perform HTTP requests to internal endpoints. |
| CVE-2019-14225 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM | OX App Suite 7.10.1 and 7.10.2 allows SSRF. |
| CVE-2019-13335 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | SalesAgility SuiteCRM 7.10.x before 7.10.19 and 7.11.x before 7.11.7 has SSRF. |
| CVE-2019-13121 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in GitLab Enterprise Edition 10.6 through 12.0.2. The GitHub project integration was vulnerable to an SSRF vulnerability which allowed an attacker to make requests to local network resources. It has Incorrect Access Control. |
| CVE-2019-13020 | 1 Trms | 1 Tightrope Media Carousel | 2024-11-21 | 6.4 MEDIUM | 10.0 CRITICAL | The fetch API in Tightrope Media Carousel before 7.1.3 has CarouselAPI/v0/fetch?url= SSRF. This has two potential areas for abuse. First, a specially crafted URL could be used in a phishing attack to hijack the trust the user and the browser have with the website and could serve malicious content from a third-party attacker-controlled system. Second, arguably more severe, is the potential for an attacker to circumvent firewall controls, by proxying traffic, unauthenticated, into the internal net ... |
| CVE-2019-12996 | 1 Mendix | 1 Mendix | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | In Mendix 7.23.5 and earlier, an issue in XML import mappings allows DOCTYPE declarations in the XML input, which is potentially unsafe. |
| CVE-2019-12994 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2024-11-21 | 6.5 MEDIUM | 9.1 CRITICAL | Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer version 6.2.0 for the AJaxServlet servlet via a parameter in a URL. |
| CVE-2019-12959 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer 6.2.0 and before for the ClientUtilServlet servlet via a URL in a parameter. |
| CVE-2019-12852 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An SSRF attack was possible on a JetBrains YouTrack server. The issue (1 of 2) was fixed in JetBrains YouTrack 2018.4.49168. |
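Several entries above share one root cause: the server fetches a user-supplied URL and the check in front of the fetch does not see the destination the way the operating system does. CVE-2019-17669 (a name made of hex characters passing WordPress URL validation), CVE-2019-3809 (Moodle accepting any backpack URL instead of the one allowed host) and CVE-2019-16948 (Enghouse letting the port be varied to probe the internal network) are all of that kind. The block below is an added example, written for this page and not code from WordPress, Moodle, Enghouse or any other vendor listed here. It shows the alternative IPv4 spellings the C library accepts (hex, octal, plain integer, short forms), resolves names to every address they map to, rejects anything in a private or loopback range, and supports a host allowlist and a port allowlist. The BLOCKED_NETWORKS list, the FAKE_DNS table and the example hostnames are assumptions so that it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a "fetch this URL for me" feature must never reach. Assumed for this
# example; add your own management networks to it.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


class UnsafeTarget(ValueError):
    """The URL must not be fetched on the user's behalf."""


def literal_ipv4(host):
    """IPv4Address for any spelling the C library accepts as an IPv4 literal:
    dotted decimal, hex (0x7f000001), octal (0177.0.0.1), a plain 32-bit
    integer (2130706433) and short forms (127.1). A check that only knows
    dotted decimal lets the other spellings through, which is the class of
    bypass in CVE-2019-17669. Returns None if host is not an IPv4 literal."""
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except (OSError, ValueError):
        return None


def literal_ip(host):
    """Parse an IPv4 or IPv6 literal; IPv4-mapped IPv6 (::ffff:127.0.0.1) is
    unwrapped so it is judged by its IPv4 range. None if not a literal."""
    v4 = literal_ipv4(host)
    if v4 is not None:
        return v4
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return addr.ipv4_mapped or addr


def is_blocked(addr):
    return any(addr in net for net in BLOCKED_NETWORKS)


def system_resolver(host):
    """Every address a name maps to (A and AAAA), via the OS resolver."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_target(url, resolver=system_resolver, allowed_hosts=None,
                 allowed_ports=(80, 443)):
    """Validate a user-supplied URL before the server fetches it.

    Returns (hostname, ip, port). Connect to `ip` and send `hostname` as
    Host/SNI instead of resolving again: a second lookup reopens the
    DNS-rebinding window this check closed. allowed_hosts restricts fetches
    to named hosts (the Moodle backpack case); allowed_ports stops the
    feature being used as a port scanner (the Enghouse case)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeTarget("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname  # userinfo and IPv6 brackets already stripped
    if not host:
        raise UnsafeTarget("no host in URL")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise UnsafeTarget("bad port: %s" % exc)
    if allowed_ports is not None and port not in allowed_ports:
        raise UnsafeTarget("port %d not allowed" % port)
    if allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        raise UnsafeTarget("host %r not in allowlist" % host)
    addr = literal_ip(host)
    if addr is not None:
        candidates = [addr]
    else:
        try:
            candidates = [literal_ip(a) for a in resolver(host)]
        except OSError as exc:
            raise UnsafeTarget("cannot resolve %r: %s" % (host, exc))
        if not candidates or None in candidates:
            raise UnsafeTarget("cannot resolve %r" % host)
    # Every record must pass: a name with one public and one private address
    # is still a route into the private range.
    for a in candidates:
        if is_blocked(a):
            raise UnsafeTarget("%r resolves to disallowed address %s" % (host, a))
    return host, str(candidates[0]), port


def rejects(url, **kwargs):
    """True if check_target refuses url."""
    try:
        check_target(url, **kwargs)
    except UnsafeTarget:
        return True
    return False


# Constructed DNS data so the example runs offline; these are not real hosts.
FAKE_DNS = {
    "www.example.com": ["203.0.113.10"],
    "intranet.example": ["192.168.1.2"],
    "rebind.example": ["203.0.113.10", "10.0.0.5"],
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("http://www.example.com/", "http://0x7f000001/", "http://127.1/",
              "http://[::ffff:10.0.0.5]/", "http://rebind.example/",
              "http://www.example.com:8085/"):
        print(u, "rejected" if rejects(u, resolver=fake_resolver) else "ok")
```

The check deliberately goes through socket.inet_aton rather than a regular expression: the libc parser is what the eventual connect() call will use, so it is the only arbiter of what "127.0.0.1" can be spelled as. Two caveats remain for a real deployment: redirects must be re-checked hop by hop (the fetched host can 302 to an internal address), and the returned IP must actually be the one connected to, or the resolver can answer differently the second time.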