Total
1167 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-36043 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2021-09-08 | 6.0 MEDIUM | 6.6 MEDIUM |
| Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. An attacker with admin privileges could abuse this to achieve remote code execution should Redis be enabled. | |||||
| CVE-2020-14160 | 1 Thecodingmachine | 1 Gotenberg | 2021-09-01 | 5.0 MEDIUM | 7.5 HIGH |
| An SSRF vulnerability in Gotenberg through 6.2.1 exists in the remote URL to PDF conversion, which results in a remote attacker being able to read local files or fetch intranet resources. | |||||
| CVE-2021-28627 | 1 Adobe | 1 Experience Manager | 2021-08-31 | 6.5 MEDIUM | 8.8 HIGH |
| Adobe Experience Manager Cloud Service offering, as well as versions 6.5.8.0 (and below) is affected by a Server-side Request Forgery. An authenticated attacker could leverage this vulnerability to contact systems blocked by the dispatcher. Exploitation of this issue does not require user interaction. | |||||
| CVE-2021-22255 | 1 Baserow | 1 Baserow | 2021-08-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| SSRF in URL file upload in Baserow <1.1.0 allows remote authenticated users to retrieve files from the internal server network exposed over HTTP by inserting an internal address. | |||||
| CVE-2021-24472 | 1 Qantumthemes | 2 Kentharadio, Onair2 | 2021-08-27 | 7.5 HIGH | 9.8 CRITICAL |
| The OnAir2 WordPress theme before 3.9.9.2 and QT KenthaRadio WordPress plugin before 2.0.2 have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this would allow for SSRF (Server Side Request Forgery) and RFI (Remote File Inclusion) vulnerabilities on the website. | |||||
| CVE-2020-25353 | 1 Rconfig | 1 Rconfig | 2021-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| A server-side request forgery (SSRF) vulnerability in rConfig 3.9.5 has been fixed for 3.9.6. This vulnerability allowed remote authenticated attackers to open a connection to the machine via the deviceIpAddr and connPort parameters. | |||||
| CVE-2021-37711 | 1 Shopware | 1 Shopware | 2021-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| Versions prior to 6.4.3.1 contain an authenticated server-side request forgery vulnerability in file upload via URL. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. | |||||
| CVE-2021-37353 | 1 Nagios | 1 Nagios Xi Docker Wizard | 2021-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Nagios XI Docker Wizard before version 1.1.3 is vulnerable to SSRF due to improper sanitation in table_population.php. | |||||
| CVE-2021-32603 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2021-08-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| A server-side request forgery (SSRF) (CWE-918) vulnerability in FortiManager and FortiAnalyser GUI 7.0.0, 6.4.5 and below, 6.2.7 and below, 6.0.11 and below, 5.6.11 and below may allow a remote and authenticated attacker to access unauthorized files and services on the system via specifically crafted web requests. | |||||
| CVE-2021-20788 | 1 Groupsession | 3 Groupsession, Groupsession Bycloud, Groupsession Zion | 2021-08-06 | 4.0 MEDIUM | 4.3 MEDIUM |
| Server-side request forgery (SSRF) vulnerability in GroupSession (GroupSession Free edition from ver2.2.0 to the version prior to ver5.1.0, GroupSession byCloud from ver3.0.3 to the version prior to ver5.1.0, and GroupSession ZION from ver3.0.3 to the version prior to ver5.1.0) allows a remote authenticated attacker to conduct a port scan from the product and/or obtain information from the internal Web server. | |||||
| CVE-2020-4974 | 1 Ibm | 9 Engineering Lifecycle Optimization - Engineering Insights, Engineering Requirements Quality Assistant On-premises, Engineering Test Management and 6 more | 2021-08-04 | 6.5 MEDIUM | 6.3 MEDIUM |
| IBM Jazz Foundation products are vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 192434. | |||||
| CVE-2021-31216 | 1 Siren | 1 Investigate | 2021-07-28 | 5.5 MEDIUM | 8.1 HIGH |
| Siren Investigate before 11.1.1 contains a server side request forgery (SSRF) defect in the built-in image proxy route (which is enabled by default). An attacker with access to the Investigate installation can specify an arbitrary URL in the parameters of the image proxy route and fetch external URLs as the Investigate process on the host. | |||||
| CVE-2021-22726 | 1 Schneider-electric | 12 Evlink City Evc1s22p4, Evlink City Evc1s22p4 Firmware, Evlink City Evc1s7p4 and 9 more | 2021-07-28 | 5.5 MEDIUM | 8.1 HIGH |
| A CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to perform unintended actions or access to data when crafted malicious parameters are submitted to the charging station web server. | |||||
| CVE-2020-15594 | 1 Zohocorp | 1 Application Control Plus | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. The mail gateway configuration feature allows an attacker to perform a scan in order to discover open ports on a machine as well as available machines on the network segment on which the instance of the product is deployed. | |||||
| CVE-2020-24641 | 1 Arubanetworks | 1 Airwave Glass | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Aruba AirWave Glass before 1.3.3, there is a Server-Side Request Forgery vulnerability through an unauthenticated endpoint that if successfully exploited can result in disclosure of sensitive information. This can be used to perform an authentication bypass and ultimately gain administrative access on the web administrative interface. | |||||
| CVE-2020-11885 | 1 Wso2 | 1 Enterprise Integrator | 2021-07-21 | 6.5 MEDIUM | 7.2 HIGH |
| WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploaded file. | |||||
| CVE-2020-8830 | 1 Commscope | 2 Ruckus Zoneflex R500, Ruckus Zoneflex R500 Firmware | 2021-07-21 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF in login.asp on Ruckus devices allows an attacker to access the panel, and use SSRF to perform scraping or other analysis via the SUBCA-1 field on the Wireless Admin screen. | |||||
| CVE-2020-8540 | 1 Zohocorp | 1 Manageengine Desktop Central | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. | |||||
| CVE-2020-24570 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2021-07-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a CSRF issue (with resultant SSRF) in the com_mb24proxy module, allowing attackers to steal session information from logged-in users with a crafted link. | |||||
| CVE-2021-33213 | 1 Element-it | 1 Http Commander | 2021-07-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| An SSRF vulnerability in the "Upload from URL" feature in Elements-IT HTTP Commander 5.3.3 allows remote authenticated users to retrieve HTTP and FTP files from the internal server network by inserting an internal address. | |||||