Total
1167 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-1679 | 1 Cisco | 2 Telepresence Conductor, Telepresence Video Communication Server | 2023-03-23 | 4.0 MEDIUM | 5.0 MEDIUM |
| A vulnerability in the web interface of Cisco TelePresence Conductor, Cisco Expressway Series, and Cisco TelePresence Video Communication Server (VCS) Software could allow an authenticated, remote attacker to trigger an HTTP request from an affected server to an arbitrary host. This type of attack is commonly referred to as server-side request forgery (SSRF). The vulnerability is due to insufficient access controls for the REST API of Cisco Expressway Series and Cisco TelePresence VCS. An attacker could exploit this vulnerability by submitting a crafted HTTP request to the affected server. Versions prior to XC4.3.4 are affected. | |||||
| CVE-2021-36396 | 1 Moodle | 1 Moodle | 2023-03-13 | N/A | 7.5 HIGH |
| In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk. | |||||
| CVE-2022-37938 | 1 Hpe | 1 Serviceguard For Linux | 2023-03-10 | N/A | 9.8 CRITICAL |
| Unauthenticated server side request forgery in HPE Serviceguard Manager | |||||
| CVE-2023-26492 | 1 Monospace | 1 Directus | 2023-03-10 | N/A | 7.5 HIGH |
| Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0. | |||||
| CVE-2022-46973 | 1 Anji-plus | 1 Report | 2023-03-10 | N/A | 9.8 CRITICAL |
| Report v0.9.8.6 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability. | |||||
| CVE-2023-22493 | 1 Rsshub | 1 Rsshub | 2023-03-07 | N/A | 7.5 HIGH |
| RSSHub is an open source RSS feed generator. RSSHub is vulnerable to Server-Side Request Forgery (SSRF) attacks. This vulnerability allows an attacker to send arbitrary HTTP requests from the server to other servers or resources on the network. An attacker can exploit this vulnerability by sending a request to the affected routes with a malicious URL. An attacker could also use this vulnerability to send requests to internal or any other servers or resources on the network, potentially gain access to sensitive information that would not normally be accessible and amplifying the impact of the attack. The patch for this issue can be found in commit a66cbcf. | |||||
| CVE-2022-27234 | 1 Intel | 1 Computer Vision Annotation Tool | 2023-03-06 | N/A | 6.5 MEDIUM |
| Server-side request forgery in the CVAT software maintained by Intel(R) before version 2.0.1 may allow an authenticated user to potentially enable information disclosure via network access. | |||||
| CVE-2019-7616 | 1 Elastic | 1 Kibana | 2023-03-03 | 4.0 MEDIUM | 4.9 MEDIUM |
| Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system. | |||||
| CVE-2021-33926 | 1 Plone | 1 Plone | 2023-03-02 | N/A | 8.8 HIGH |
| An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.20, 4 allows attacker to access sensitive information via the RSS feed protlet. | |||||
| CVE-2018-19571 | 1 Gitlab | 1 Gitlab | 2023-03-01 | 4.0 MEDIUM | 7.7 HIGH |
| GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks. | |||||
| CVE-2022-29153 | 2 Fedoraproject, Hashicorp | 2 Fedora, Consul | 2023-02-23 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5. | |||||
| CVE-2023-25162 | 1 Nextcloud | 1 Nextcloud Server | 2023-02-23 | N/A | 5.3 MEDIUM |
| Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to 24.0.8 and 23.0.12 and Nextcloud Enterprise server prior to 24.0.8 and 23.0.12 are vulnerable to server-side request forgery (SSRF). Attackers can leverage enclosed alphanumeric payloads to bypass IP filters and gain SSRF, which would allow an attacker to read crucial metadata if the server is hosted on the AWS platform. Nextcloud Server 24.0.8 and 23.0.2 and Nextcloud Enterprise Server 24.0.8 and 23.0.12 contain a patch for this issue. No known workarounds are available. | |||||
| CVE-2023-25557 | 1 Datahub Project | 1 Datahub | 2023-02-21 | N/A | 9.1 CRITICAL |
| DataHub is an open-source metadata platform. The DataHub frontend acts as a proxy able to forward any REST or GraphQL requests to the backend. The goal of this proxy is to perform authentication if needed and forward HTTP requests to the DataHub Metadata Store (GMS). It has been discovered that the proxy does not adequately construct the URL when forwarding data to GMS, allowing external users to reroute requests from the DataHub Frontend to any arbitrary hosts. As a result attackers may be able to reroute a request from originating from the frontend proxy to any other server and return the result. This vulnerability was discovered and reported by the GitHub Security lab and is tracked as GHSL-2022-076. | |||||
| CVE-2022-45027 | 1 Perfsonar | 1 Perfsonar | 2023-02-16 | N/A | 5.3 MEDIUM |
| perfSONAR before 4.4.6, when performing participant discovery, incorrectly uses an HTTP request header value to determine a local address. | |||||
| CVE-2022-1767 | 1 Diagrams | 1 Drawio | 2023-02-16 | 5.0 MEDIUM | 7.5 HIGH |
| Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7. | |||||
| CVE-2022-1722 | 1 Diagrams | 1 Drawio | 2023-02-16 | 2.1 LOW | 3.3 LOW |
| SSRF in editor's proxy via IPv6 link-local address in GitHub repository jgraph/drawio prior to 18.0.5. SSRF to internal link-local IPv6 addresses | |||||
| CVE-2022-1713 | 1 Diagrams | 1 Drawio | 2023-02-16 | 5.0 MEDIUM | 7.5 HIGH |
| SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. An attacker can make a request as the server and read its contents. This can lead to a leak of sensitive information. | |||||
| CVE-2020-35561 | 2 Helmholz, Mbconnectline | 4 Myrex24, Myrex24.virtual, Mbconnect24 and 1 more | 2023-02-16 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2. There is an SSRF in the HA module allowing an unauthenticated attacker to scan for open ports. | |||||
| CVE-2020-35558 | 2 Helmholz, Mbconnectline | 4 Myrex24, Myrex24.virtual, Mbconnect24 and 1 more | 2023-02-16 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual through 2.11.2. There is an SSRF in the in the MySQL access check, allowing an attacker to scan for open ports and gain some information about possible credentials. | |||||
| CVE-2023-23943 | 1 Nextcloud | 1 Mail | 2023-02-15 | N/A | 4.3 MEDIUM |
| Nextcloud mail is an email app for the nextcloud home server platform. In affected versions the SMTP, IMAP and Sieve host fields allowed to scan for internal services and servers reachable from within the local network of the Nextcloud Server. It is recommended that the Nextcloud Maill app is upgraded to 1.15.0 or 2.2.2. The only known workaround for this issue is to completely disable the nextcloud mail app. | |||||