Medium
CVE-2021-42079
An authenticated administrator is able to prepare an alert that is able to execute an SSRF attack. This is exclusively with POST requests. POC Step 1: Prepare the SSRF with a request like this: GE…
Tag: Server-Side Request Forgery (SSRF)
All CVEs associated with "Server-Side Request Forgery (SSRF)". Page 15/23 • 2666 CVEs.
Subscribe CVEs: RSS for “Server-Side Request Forgery (SSRF)” · RSS (High+Critical only)
About “Server-Side Request Forgery (SSRF)”
A curated feed of “Server-Side Request Forgery (SSRF)”-related CVEs appears below. We currently track 2666 CVEs for this tag (all time). In the last 365 days, 961 were published. Average CVSS is 6.9 (all time; 6.6 over 365d), and 49% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-918 - Server-Side Request Forgery (SSRF), CWE-611 - Improper Restriction of XML External Entity Reference, CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
In our taxonomy this topic maps to a HIGH impact class. Common exploitation patterns for this weakness can lead to high. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2023-07-10
2023-06-30
Critical
CVE-2023-35175
Certain HP LaserJet Pro print products are potentially vulnerable to Potential Remote Code Execution and/or Elevation of Privilege via Server-Side Request Forgery (SSRF) using the Web Service Eventin…
2023-06-27
Critical
CVE-2023-3432
Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.
2023-06-26
Medium
CVE-2023-33176
BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an `i…
2023-06-25
High
CVE-2023-36661
Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3…
2023-06-22
High
CVE-2023-35133
An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3…
2023-06-16
High
CVE-2023-24243
CData RSB Connect v22.0.8336 was discovered to contain a Server-Side Request Forgery (SSRF).
2023-06-15
Medium
CVE-2023-29292
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file sys…
Medium
CVE-2023-29291
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file sys…
2023-06-14
Medium
CVE-2023-3238
A vulnerability, which was classified as critical, has been found in OTCMS up to 6.62. This issue affects some unknown processing of the file /admin/read.php?mudi=getSignal. The manipulation of the a…
Medium
CVE-2023-3236
A vulnerability classified as critical has been found in mccms up to 2.6.5. This affects the function pic_save of the file sys/apps/controllers/admin/Comic.php. The manipulation of the argument pic l…
Medium
CVE-2023-3235
A vulnerability was found in mccms up to 2.6.5. It has been rated as critical. Affected by this issue is the function pic_api of the file sys/apps/controllers/admin/Comic.php. The manipulation of the…
Medium
CVE-2023-3233
A vulnerability was found in Zhong Bang CRMEB up to 4.6.0. It has been classified as critical. Affected is the function get_image_base64 of the file api/controller/v1/PublicController.php. The manipu…
2023-06-13
Medium
CVE-2023-25609
A server-side request forgery (SSRF) vulnerability [CWE-918] in FortiManager and FortiAnalyzer GUI 7.2.0 through 7.2.1, 7.0.0 through 7.0.6, 6.4.8 through 6.4.11 may allow a remote and authenticated…
2023-06-10
Medium
CVE-2023-3188
Server-Side Request Forgery (SSRF) in GitHub repository owncast/owncast prior to 0.1.0.
2023-06-09
High
CVE-2023-2249
The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure u…
High
CVE-2023-1895
The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Server Side Request Forgery via the get_remote_content REST API endpoint in versions up to, and including, 1.8.3. This can allow au…
2023-06-08
Medium
CVE-2023-32750
Pydio Cells through 4.1.2 allows SSRF. For longer running processes, Pydio Cells allows for the creation of jobs, which are run in the background. The job "remote-download" can be used to cause the b…
Medium
CVE-2023-34959
An issue in Chamilo v1.11.* up to v1.11.18 allows attackers to execute a Server-Side Request Forgery (SSRF) and obtain information on the services running on the server via crafted requests in the so…
2023-06-06
Low
CVE-2023-32683
Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server s…
Low
CVE-2023-3121
A vulnerability has been found in Dahua Smart Parking Management up to 20230528 and classified as problematic. This vulnerability affects unknown code of the file /ipms/imageConvert/image. The manipu…
2023-06-02
Medium
CVE-2023-29538
Under specific circumstances a WebExtension may have received a <code>jar:file:///</code> URI instead of a <code>moz-extension:///</code> URI during a load request. This leaked directory paths on the…
Medium
CVE-2023-23597
A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the `file://` context. Given a reliable exploit primitive, this ne…
2023-06-01
Medium
CVE-2023-28824
Server-side request forgery vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user who can access the affected product with an administrative privilege may bypass the data…
High
CVE-2023-23955
Advanced Secure Gateway and Content Analysis, prior to 7.3.13.1 / 3.1.6.0, may be susceptible to a Server-Side Request Forgery vulnerability.
2023-05-31
Medium
CVE-2023-3015
A vulnerability has been found in yiwent Vip Video Analysis 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file data/title.php. The manipulation of…
2023-05-30
Medium
CVE-2023-2287
The Orbit Fox by ThemeIsle WordPress plugin before 2.10.24 does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a serve…
High
CVE-2023-1938
The WP Fastest Cache WordPress plugin before 1.1.5 does not have CSRF check in an AJAX action, and does not validate user input before using it in the wp_remote_get() function, leading to a Blind SSR…
2023-05-27
Medium
CVE-2023-2927
A vulnerability was found in JIZHICMS 2.4.5. It has been classified as critical. Affected is the function index of the file TemplateController.php. The manipulation of the argument webapi leads to se…
Low
CVE-2023-33184
Nextcloud Mail is a mail app in Nextcloud. A blind SSRF attack allowed to send GET requests to services running in the same web server. It is recommended that the Mail app is update to version 3.02,…
2023-05-18
Medium
CVE-2023-20174
Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side r…
Medium
CVE-2023-20173
Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side r…
2023-05-17
High
CVE-2023-31848
davinci 0.3.0-rc is vulnerable to Server-side request forgery (SSRF).
2023-05-12
Medium
CVE-2023-23169
Synapsoft pdfocus 1.17 is vulnerable to local file inclusion and server-side request forgery Directory Traversal.
2023-05-10
Medium
CVE-2022-29840
Server-Side Request Forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL to point back to the loopback adapter was addressed in Western Digital My Cloud…
2023-05-08
Medium
CVE-2023-30019
imgproxy <=3.14.0 is vulnerable to Server-Side Request Forgery (SSRF) due to a lack of sanitization of the imageURL parameter.
2023-04-27
High
CVE-2023-30444
IBM Watson Machine Learning on Cloud Pak for Data 4.0 and 4.5 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the syst…
2023-04-24
Medium
CVE-2022-48477
In JetBrains Hub before 2023.1.15725 SSRF protection in Auth Module integration was missing
2023-04-21
High
CVE-2023-2140
A Server-Side Request Forgery vulnerability in DELMIA Apriso Release 2017 through Release 2022 could allow an unauthenticated attacker to issue requests to arbitrary hosts on behalf of the server…
2023-04-17
Medium
CVE-2023-25504
A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query i…
2023-04-15
Critical
CVE-2018-17452
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is Server-Side Request Forgery (SSRF) via a loopback address to…
Medium
CVE-2018-17450
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is Server-Side Request Forgery (SSRF) via the Kubernetes integr…
Medium
CVE-2022-43699
OX App Suite before 7.10.6-rev30 allows SSRF because e-mail account discovery disregards the deny-list and thus can be attacked by an adversary who controls the DNS records of an external domain (fou…
Medium
CVE-2022-43698
OX App Suite before 7.10.6-rev30 allows SSRF because changing a POP3 account disregards the deny-list.
2023-04-10
Medium
CVE-2023-1971
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in yuan1994 tpAdmin 1.3.12. Affected is the function remote of the file application\admin\controller\Uploa…
2023-04-06
Medium
CVE-2023-29010
Budibase is a low code platform for creating internal tools, workflows, and admin panels. Versions prior to 2.4.3 (07 March 2023) are vulnerable to Server-Side Request Forgery. This can lead to an at…
2023-04-05
Low
CVE-2023-28633
GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versions 9.5.13 and 10.0.7, usage of RSS feeds is subject to server-side request forgery (SSRF). In case…
Medium
CVE-2023-20030
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side requ…
2023-03-31
Medium
CVE-2023-27163
request-baskets up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}. This vulnerability allows attackers to access network resources and…
Critical
CVE-2023-27162
openapi-generator up to v6.4.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/gen/clients/{language}. This vulnerability allows attackers to access network reso…
High
CVE-2023-27160
forem up to v2022.11.11 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /articles/{id}. This vulnerability allows attackers to access network resources and sensitive…
High
CVE-2023-27159
Appwrite up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /v1/avatars/favicon. This vulnerability allows attackers to access network resources and sensiti…
2023-03-30
Medium
CVE-2022-43473
A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a…
Critical
CVE-2023-1725
Server-Side Request Forgery (SSRF) vulnerability in Infoline Project Management System allows Server Side Request Forgery. This issue affects Project Management System: before 4.09.31.125.
2023-03-28
High
CVE-2023-25195
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Authorized users with limited permissions can gain access to server and may be able to use server for a…
High
CVE-2023-25262
Stimulsoft GmbH Stimulsoft Designer (Web) 2023.1.3 is vulnerable to Server Side Request Forgery (SSRF). TThe Reporting Designer (Web) offers the possibility to embed sources from external locations.…
2023-03-25
Medium
CVE-2023-1634
A vulnerability was found in OTCMS 6.72. It has been classified as critical. Affected is the function UseCurl of the file /admin/info_deal.php of the component URL Parameter Handler. The manipulation…
2023-03-20
Critical
CVE-2023-27586
CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a special…
2023-03-17
Medium
CVE-2023-28112
Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, some user provided URLs were being passed to FastImage without SSRF protection…
Medium
CVE-2023-28111
Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, attackers are able to bypass Discourse's server-side request forgery (SSRF) pr…
2023-03-16
Medium
CVE-2023-28155
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This…
2023-03-10
High
CVE-2023-27161
Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. This vulnerability allows attackers to access network resources and sensitive in…
2023-03-07
Medium
CVE-2023-25230
A Server-Side Request Forgery (SSRF) in loonflow r2.0.14 allows attackers to force the application to make arbitrary requests via manipulation of the hook_url parameter.
2023-03-06
High
CVE-2021-36396
In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk.
2023-03-03
Medium
CVE-2023-26492
Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `…
Critical
CVE-2022-46973
Report v0.9.8.6 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability.
Medium
CVE-2023-20062
Multiple vulnerabilities in Cisco Unified Intelligence Center could allow an authenticated, remote attacker to collect sensitive information or perform a server-side request forgery (SSRF) attack on…
Medium
CVE-2023-20061
Multiple vulnerabilities in Cisco Unified Intelligence Center could allow an authenticated, remote attacker to collect sensitive information or perform a server-side request forgery (SSRF) attack on…
2023-03-01
Critical
CVE-2022-37938
Unauthenticated server side request forgery in HPE Serviceguard Manager
2023-02-26
Medium
CVE-2023-1046
A vulnerability classified as critical has been found in MuYuCMS 2.2. This affects an unknown part of the file /admin.php/update/getFile.html. The manipulation of the argument url leads to server-sid…
2023-02-20
Medium
CVE-2022-48321
Limited Server-Side Request Forgery (SSRF) in agent-receiver in Tribe29's Checkmk <= 2.1.0p11 allows an attacker to communicate with local network restricted endpoints by use of the host registration…
2023-02-16
Medium
CVE-2022-27234
Server-side request forgery in the CVAT software maintained by Intel(R) before version 2.0.1 may allow an authenticated user to potentially enable information disclosure via network access.
2023-02-14
Medium
CVE-2023-22936
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘search_listener’ parameter in a search allows for a blind server-side request forgery (SSRF) by an authenticated user. The initiato…
2023-02-13
Medium
CVE-2023-25162
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to 24.0.8 and 23.0.12 and Nextcloud Enterprise server prior to 24.0.8 and 23.0.…
2023-02-12
Medium
CVE-2022-45085
Server-Side Request Forgery (SSRF) vulnerability in Group Arge Energy and Control Systems Smartpower Web allows : Server Side Request Forgery. This issue affects Smartpower Web: before 23.01.01.
2023-02-09
Medium
CVE-2023-0574
Server-Side Request Forgery (SSRF), Improperly Controlled Modification of Dynamically-Determined Object Attributes, Improper Restriction of Excessive Authentication Attempts vulnerability in YugaByte…
2023-02-01
High
CVE-2022-47872
A Server-Side Request Forgery (SSRF) in maccms10 v2021.1000.2000 allows attackers to force the application to make arbitrary requests via a crafted payload injected into the Name parameter under the…
Medium
CVE-2022-37033
In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving th…
2023-01-31
Critical
CVE-2022-47873
Netcad KEOS 1.0 is vulnerable to XML External Entity (XXE) resulting in SSRF with XXE (remote).
2023-01-30
High
CVE-2023-24623
Paranoidhttp before 0.3.0 allows SSRF because [::] is equivalent to the 127.0.0.1 address, but does not match the filter for private addresses.
Medium
CVE-2023-24622
isInList in the safeurl-python package before 1.2 for Python has an insufficiently restrictive regular expression for external domains, leading to SSRF.
2023-01-27
Low
CVE-2022-4201
A blind SSRF in GitLab CE/EE affecting all from 11.3 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 allows an attacker to connect to local addresses when configuring a malicious GitL…
Medium
CVE-2022-4335
A blind SSRF vulnerability was identified in all versions of GitLab EE prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which allows an attacker to connect to a local host.
Medium
CVE-2023-24060
Haven 5d15944 allows Server-Side Request Forgery (SSRF) via the feed[url]= Feeds functionality. Authenticated users with the ability to create new RSS Feeds or add RSS Feeds can supply an arbitrary h…
2023-01-26
Medium
CVE-2023-24495
A Server Side Request Forgery (SSRF) vulnerability exists in Tenable.sc due to improper validation of session & user-accessible input data. A privileged, authenticated remote attacker could interact…
Critical
CVE-2023-24429
Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowin…
Critical
CVE-2022-46998
An issue in the website background of taocms v3.0.2 allows attackers to execute a Server-Side Request Forgery (SSRF).
2023-01-23
Critical
CVE-2023-23560
In certain Lexmark products through 2023-01-12, SSRF can occur because of a lack of input validation.
High
CVE-2021-43449
ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Server-Side Request Forgery (SSRF). The document editor service can be abused to read and serve arbitrary URLs as a document.
2023-01-20
Medium
CVE-2021-37498
An SSRF issue was discovered in Reprise License Manager (RLM) web interface through 14.2BL4 that allows remote attackers to trigger outbound requests to intranet servers, conduct port scans via the a…
Medium
CVE-2023-20002
A vulnerability in Cisco TelePresence CE and RoomOS Software could allow an authenticated, local attacker to bypass access controls and conduct an SSRF attack through an affected device. This vuln…
2023-01-13
High
CVE-2023-22493
RSSHub is an open source RSS feed generator. RSSHub is vulnerable to Server-Side Request Forgery (SSRF) attacks. This vulnerability allows an attacker to send arbitrary HTTP requests from the server…
High
CVE-2022-3841
RHACM: unauthenticated SSRF in console API endpoint. A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (…
2023-01-12
High
CVE-2022-25026
A Server-Side Request Forgery (SSRF) in Rocket TRUfusion Portal v7.9.2.1 allows remote attackers to gain access to sensitive resources on the internal network via a crafted HTTP request to /trufusion…
2023-01-03
Critical
CVE-2022-39039
aEnrich’s a+HRD has inadequate filtering for specific URL parameter. An unauthenticated remote attacker can exploit this vulnerability to send arbitrary HTTP(s) request to launch Server-Side Request…
2023-01-01
Medium
CVE-2022-45213
perfSONAR before 4.4.6 inadvertently supports the parse option for a file:// URL.
2022-12-31
Medium
CVE-2017-20157
A vulnerability was found in Ariadne Component Library up to 2.x. It has been classified as critical. Affected is an unknown function of the file src/url/Url.php. The manipulation leads to server-sid…
2022-12-29
High
CVE-2022-38212
Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated att…
High
CVE-2022-38211
Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.9.1 and below were not fully honored and may allow a remote, unauthenticated att…
High
CVE-2022-38203
Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated att…
2022-12-28
High
CVE-2022-23544
MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.0 are subject to a Server-Sid…
2022-12-27
High
CVE-2022-45429
Some Dahua software products have a vulnerability of server-side request forgery (SSRF). An Attacker can access internal resources by concatenating links (URL) that conform to specific rules.
Medium
CVE-2022-4725
A vulnerability was found in AWS SDK 2.59.0. It has been rated as critical. This issue affects the function XpathUtils of the file aws-android-sdk-core/src/main/java/com/amazonaws/util/XpathUtils.jav…
2022-12-26
Medium
CVE-2022-37313
OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record.
2022-12-22
High
CVE-2022-45412
When resolving a symlink such as <code>file:///proc/self/fd/1</code>, an error message may be produced where the symlink was resolved to a string containing unitialized memory in the buffer. <br>*Thi…
2022-12-21
Critical
CVE-2022-47635
Wildix WMS 6 before 6.02.20221216, WMS 5 before 5.04.20221214, and WMS4 before 4.04.45396.23 allows Server-side request forgery (SSRF) via ZohoClient.php.
2022-12-19
Medium
CVE-2022-38708
IBM Cognos Analytics 11.1.7 11.2.0, and 11.2.1 could be vulnerable to a Server-Side Request Forgery Attack (SSRF) attack by constructing URLs from user-controlled data. This could enable attackers to…
2022-12-18
High
CVE-2022-47514
An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a pingback…
2022-12-16
Medium
CVE-2022-42343
Adobe Campaign version 7.3.1 (and earlier) and 8.3.9 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A low-privilege au…
2022-12-14
Medium
CVE-2022-3590
WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hos…
2022-12-13
Critical
CVE-2022-46364
A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices th…
2022-12-08
Low
CVE-2022-46827
In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible.
2022-12-06
Medium
CVE-2022-45326
An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.
2022-12-04
Critical
CVE-2022-35508
Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) are vulnerable to SSRF when proxying HTTP requests between pve(pmg)proxy and pve(pmg)daemon. An attacker with an unprivileged account…
2022-11-30
High
CVE-2022-41412
An issue in the graphData.cgi component of perfSONAR v4.4.5 and prior allows attackers to access sensitive data and execute Server-Side Request Forgery (SSRF) attacks.
2022-11-25
Critical
CVE-2022-45152
A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not util…
High
CVE-2022-43984
Browsershot version 3.57.3 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the JS content imported from an extern…
High
CVE-2022-43983
Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the HTML content passed to the Browser…
2022-11-22
Critical
CVE-2022-40842
ndk design NdkAdvancedCustomizationFields 3.5.0 is vulnerable to Server-side request forgery (SSRF) via rotateimg.php.
2022-11-21
High
CVE-2022-44784
An issue was discovered in Appalti & Contratti 9.12.2. The target web applications LFS and DL229 expose a set of services provided by the Axis 1.4 instance, embedded directly into the applications, a…