Total
1167 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-23800 | 1 Getshortcodes | 1 Shortcodes Ultimate | 2023-11-17 | N/A | 6.5 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in Vova Anokhin WP Shortcodes Plugin — Shortcodes Ultimate.This issue affects WP Shortcodes Plugin — Shortcodes Ultimate: from n/a through 5.12.6. | |||||
| CVE-2023-34013 | 1 Ays-pro | 1 Poll Maker | 2023-11-17 | N/A | 7.5 HIGH |
| Server-Side Request Forgery (SSRF) vulnerability in Poll Maker Team Poll Maker – Best WordPress Poll Plugin.This issue affects Poll Maker – Best WordPress Poll Plugin: from n/a through 4.6.2. | |||||
| CVE-2023-47121 | 1 Discourse | 1 Discourse | 2023-11-17 | N/A | 9.8 CRITICAL |
| Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, the embedding feature is susceptible to server side request forgery. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. As a workaround, disable the Embedding feature. | |||||
| CVE-2023-6124 | 1 Salesagility | 1 Suitecrm | 2023-11-17 | N/A | 4.3 MEDIUM |
| Server-Side Request Forgery (SSRF) in GitHub repository salesagility/suitecrm prior to 7.14.2, 8.4.2, 7.12.14. | |||||
| CVE-2023-41239 | 1 Blubrry | 1 Powerpress | 2023-11-17 | N/A | 6.5 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in Blubrry PowerPress Podcasting plugin by Blubrry.This issue affects PowerPress Podcasting plugin by Blubrry: from n/a through 11.0.6. | |||||
| CVE-2023-46207 | 1 Stylemixthemes | 1 Motors - Car Dealer\, Classifieds \& Listing | 2023-11-16 | N/A | 7.5 HIGH |
| Server-Side Request Forgery (SSRF) vulnerability in StylemixThemes Motors – Car Dealer, Classifieds & Listing.This issue affects Motors – Car Dealer, Classifieds & Listing: from n/a through 1.4.6. | |||||
| CVE-2022-45835 | 1 Phonepe | 1 Phonepe | 2023-11-16 | N/A | 7.5 HIGH |
| Server-Side Request Forgery (SSRF) vulnerability in PhonePe PhonePe Payment Solutions.This issue affects PhonePe Payment Solutions: from n/a through 1.0.15. | |||||
| CVE-2023-46729 | 1 Sentry | 1 Sentry Software Development Kit | 2023-11-16 | N/A | 6.1 MEDIUM |
| sentry-javascript provides Sentry SDKs for JavaScript. An unsanitized input of Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This issue only affects users who have Next.js SDK tunneling feature enabled. The problem has been fixed in version 7.77.0. | |||||
| CVE-2020-7329 | 1 Mcafee | 1 Mvision Endpoint | 2023-11-16 | 6.5 MEDIUM | 7.2 HIGH |
| Server-side request forgery vulnerability in the ePO extension in McAfee MVISION Endpoint prior to 20.11 allows remote attackers trigger server-side DNS requests to arbitrary domains via carefully constructed XML files loaded by an ePO administrator. | |||||
| CVE-2020-7328 | 1 Mcafee | 1 Mvision Endpoint | 2023-11-16 | 6.5 MEDIUM | 7.2 HIGH |
| External entity attack vulnerability in the ePO extension in McAfee MVISION Endpoint prior to 20.11 allows remote attackers to gain control of a resource or trigger arbitrary code execution via improper input validation of an HTTP request, where the content for the attack has been loaded into ePO by an ePO administrator. | |||||
| CVE-2023-42361 | 1 Midori-global | 1 Better Pdf Exporter | 2023-11-15 | N/A | 7.8 HIGH |
| Local File Inclusion vulnerability in Midori-global Better PDF Exporter for Jira Server and Jira Data Center v.10.3.0 and before allows an attacker to view arbitrary files and cause other impacts via use of crafted image during PDF export. | |||||
| CVE-2023-46730 | 1 Group-office | 1 Group Office | 2023-11-14 | N/A | 8.8 HIGH |
| Group-Office is an enterprise CRM and groupware tool. In affected versions there is full Server-Side Request Forgery (SSRF) vulnerability in the /api/upload.php endpoint. The /api/upload.php endpoint does not filter URLs which allows a malicious user to cause the server to make resource requests to untrusted domains. Note that protocols like file:// can also be used to access the server disk. The request result (on success) can then be retrieved using /api/download.php. This issue has been addressed in versions 6.8.15, 6.7.54, and 6.6.177. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-39301 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2023-11-14 | N/A | 4.3 MEDIUM |
| A server-side request forgery (SSRF) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to read application data via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2514 build 20230906 and later QTS 5.1.1.2491 build 20230815 and later QuTS hero h5.0.1.2515 build 20230907 and later QuTS hero h5.1.1.2488 build 20230812 and later QuTScloud c5.1.0.2498 and later | |||||
| CVE-2023-4769 | 1 Zohocorp | 1 Manageengine Desktop Central | 2023-11-13 | N/A | 8.8 HIGH |
| A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component. This vulnerability could allow an authenticated attacker to launch targeted attacks, such as a cross-port attack, service enumeration and other attacks via HTTP requests. | |||||
| CVE-2023-0574 | 1 Yugabyte | 1 Yugabytedb Managed | 2023-11-10 | N/A | 9.8 CRITICAL |
| Server-Side Request Forgery (SSRF), Improperly Controlled Modification of Dynamically-Determined Object Attributes, Improper Restriction of Excessive Authentication Attempts vulnerability in YugaByte, Inc. Yugabyte Managed allows Accessing Functionality Not Properly Constrained by ACLs, Communication Channel Manipulation, Authentication Abuse.This issue affects Yugabyte Managed: from 2.0.0.0 through 2.13.0.0 | |||||
| CVE-2023-43982 | 1 Bontheme | 1 Socialfeed - Photos \& Video Using Instagram Api | 2023-11-09 | N/A | 9.8 CRITICAL |
| Bon Presta boninstagramcarousel between v5.2.1 to v7.0.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at insta_parser.php. This vulnerability allows attackers to use the vulnerable website as proxy to attack other websites or exfiltrate data via a HTTP call. | |||||
| CVE-2023-46725 | 1 Foodcoopshop | 1 Foodcoopshop | 2023-11-09 | N/A | 7.5 HIGH |
| FoodCoopShop is open source software for food coops and local shops. Versions starting with 3.2.0 prior to 3.6.1 are vulnerable to server-side request forgery. In the Network module, a manufacturer account can use the `/api/updateProducts.json` endpoint to make the server send a request to an arbitrary host. This means that the server can be used as a proxy into the internal network where the server is. Furthermore, the checks on a valid image are not adequate, leading to a time of check time of use issue. For example, by using a custom server that returns 200 on HEAD requests, then return a valid image on first GET request and then a 302 redirect to final target on second GET request, the server will copy whatever file is at the redirect destination, making this a full SSRF. Version 3.6.1 fixes this vulnerability. | |||||
| CVE-2023-35896 | 3 Ibm, Linux, Microsoft | 3 Content Navigator, Linux Kernel, Windows | 2023-11-09 | N/A | 5.4 MEDIUM |
| IBM Content Navigator 3.0.13 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 259247. | |||||
| CVE-2023-43798 | 1 Bigbluebutton | 1 Bigbluebutton | 2023-11-08 | N/A | 5.4 MEDIUM |
| BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled follow redirect at `httpclient.execute` since the software no longer has to follow it when using `finalUrl`. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton. | |||||
| CVE-2023-46236 | 1 Fogproject | 1 Fogproject | 2023-11-08 | N/A | 7.5 HIGH |
| FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to version 1.5.10, a server-side-request-forgery (SSRF) vulnerability allowed an unauthenticated user to trigger a GET request as the server to an arbitrary endpoint and URL scheme. This also allows remote access to files visible to the Apache user group. Other impacts vary based on server configuration. Version 1.5.10 contains a patch. | |||||