Medium
CVE-2020-4786
IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1, 7.4.0 to 7.4.1 Patch 1, and 7.3.0 to 7.3.3 Patch 5 is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send una…
Tag: Server-Side Request Forgery (SSRF)
All CVEs associated with "Server-Side Request Forgery (SSRF)". Page 19/23 • 2666 CVEs.
Subscribe CVEs: RSS for “Server-Side Request Forgery (SSRF)” · RSS (High+Critical only)
About “Server-Side Request Forgery (SSRF)”
A curated feed of “Server-Side Request Forgery (SSRF)”-related CVEs appears below. We currently track 2666 CVEs for this tag (all time). In the last 365 days, 961 were published. Average CVSS is 6.9 (all time; 6.6 over 365d), and 49% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-918 - Server-Side Request Forgery (SSRF), CWE-611 - Improper Restriction of XML External Entity Reference, CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
In our taxonomy this topic maps to a HIGH impact class. Common exploitation patterns for this weakness can lead to high. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2021-01-27
2021-01-26
High
CVE-2020-23776
A SSRF vulnerability exists in Winmail 6.5 in app.php in the key parameter when HTTPS is on. An attacker can use this vulnerability to cause the server to send a request to a specific URL. An attacke…
2021-01-20
High
CVE-2021-1272
A vulnerability in the session validation feature of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass access controls and conduct a server-side reque…
2021-01-15
High
CVE-2020-24641
In Aruba AirWave Glass before 1.3.3, there is a Server-Side Request Forgery vulnerability through an unauthenticated endpoint that if successfully exploited can result in disclosure of sensitive info…
2021-01-13
High
CVE-2021-21009
Adobe Campaign Classic Gold Standard 10 (and earlier), 20.3.1 (and earlier), 20.2.3 (and earlier), 20.1.3 (and earlier), 19.2.3 (and earlier) and 19.1.7 (and earlier) are affected by a server-side re…
2021-01-12
Medium
CVE-2021-23927
OX App Suite through 7.10.4 allows SSRF via a URL with an @ character in an appsuite/api/oauth/proxy PUT request.
Medium
CVE-2020-24700
OX App Suite through 7.10.3 allows SSRF because GET requests are sent to arbitrary domain names with an initial autoconfig. substring.
2021-01-11
Critical
CVE-2020-35205
Server Side Request Forgery (SSRF) in Web Compliance Manager in Quest Policy Authority version 8.1.2.200 allows attackers to scan internal ports and make outbound connections via the initFile.jsp fil…
2020-12-31
Medium
CVE-2020-26291
URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (`\`) character followed by an at (`@`) character. I…
2020-12-30
High
CVE-2020-28735
Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role).
Low
CVE-2020-26247
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Noko…
Medium
CVE-2020-35850
An SSRF issue was discovered in cockpit-project.org Cockpit 234. NOTE: this is unrelated to the Agentejo Cockpit product. NOTE: the vendor states "I don't think [it] is a big real-life issue.
2020-12-28
High
CVE-2020-26032
An SSRF issue was discovered in Zammad before 3.4.1. The SMS configuration interface for Massenversand is implemented in a way that renders the result of a test request to the User. An attacker can u…
2020-12-26
Critical
CVE-2020-35712
Esri ArcGIS Server before 10.8 is vulnerable to SSRF in some configurations.
2020-12-16
Medium
CVE-2019-14476
AdRem NetCrunch 10.6.0.4587 has a Server-Side Request Forgery (SSRF) vulnerability in the NetCrunch server. Every user can trick the server into performing SMB requests to other systems.
2020-12-15
Medium
CVE-2020-10770
A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this param…
2020-12-14
Medium
CVE-2020-17513
In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack.
2020-12-11
Medium
CVE-2020-7790
This affects the package spatie/browsershot from 0.0.0. By specifying a URL in the file:// protocol an attacker is able to include arbitrary files in the resultant PDF.
2020-12-10
Medium
CVE-2020-24444
AEM Forms SP6 add-on for AEM 6.5.6.0 and Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) have a blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerabil…
2020-12-09
Critical
CVE-2020-26831
SAP BusinessObjects BI Platform (Crystal Report), versions - 4.1, 4.2, 4.3, does not sufficiently validate uploaded XML entities during crystal report generation due to missing XML validation, An att…
2020-11-30
Medium
CVE-2020-28978
The Canto plugin 1.3.0 for WordPress contains blind SSRF vulnerability. It allows an unauthenticated attacker can make a request to any internal and external server via /includes/lib/tree.php?subdoma…
Medium
CVE-2020-28977
The Canto plugin 1.3.0 for WordPress contains blind SSRF vulnerability. It allows an unauthenticated attacker can make a request to any internal and external server via /includes/lib/get.php?subdomai…
Medium
CVE-2020-28976
The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker can make a request to any internal and external server via /includes/lib/detail.php?sub…
2020-11-24
Medium
CVE-2020-24815
A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal ne…
2020-11-23
Critical
CVE-2020-28360
Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF. An attacker can perform a large range of requests to ARIN rese…
2020-11-19
High
CVE-2020-7572
A CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able…
High
CVE-2020-28949
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
2020-11-16
Medium
CVE-2020-27626
JetBrains YouTrack before 2020.3.5333 was vulnerable to SSRF.
Medium
CVE-2020-27624
JetBrains YouTrack before 2020.3.888 was vulnerable to SSRF.
2020-11-13
Medium
CVE-2020-7032
An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in…
2020-11-12
High
CVE-2019-17566
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vu…
2020-11-11
High
CVE-2020-7329
Server-side request forgery vulnerability in the ePO extension in McAfee MVISION Endpoint prior to 20.11 allows remote attackers trigger server-side DNS requests to arbitrary domains via carefully co…
2020-11-10
High
CVE-2020-24063
The Canto plugin 1.3.0 for WordPress allows includes/lib/download.php?subdomain= SSRF.
High
CVE-2020-26815
SAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to send a crafted request to a vulnerable web application. It is usually used to targe…
Medium
CVE-2020-26811
SAP Commerce Cloud (Accelerator Payment Mock), versions - 1808, 1811, 1905, 2005, allows an unauthenticated attacker to submit a crafted request over a network to a particular SAP Commerce module URL…
2020-11-09
Medium
CVE-2020-27018
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to a server side request forgery vulnerability which could allow an authenticated attacker to abuse the product's…
2020-11-06
Medium
CVE-2020-28168
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host…
2020-11-02
High
CVE-2020-28043
MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL.
Critical
CVE-2020-24881
SSRF exists in osTicket before 1.14.3, where an attacker can add malicious file to server or perform port scanning.
2020-10-28
Medium
CVE-2020-24710
Gophish before 0.11.0 allows SSRF attacks.
2020-10-27
High
CVE-2020-15352
An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forg…
2020-10-26
Medium
CVE-2020-7126
A remote server-side request forgery (ssrf) vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2.
2020-10-23
Critical
CVE-2020-25466
A SSRF vulnerability exists in the downloadimage interface of CRMEB 3.0, which can remotely download arbitrary files on the server and remotely execute arbitrary code.
Medium
CVE-2020-15002
OX App Suite through 7.10.3 allows SSRF via the the /ajax/messaging/message message API.
2020-10-21
Medium
CVE-2020-25820
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.
2020-10-20
Medium
CVE-2020-6308
SAP BusinessObjects Business Intelligence Platform (Web Services) versions - 410, 420, 430, allows an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the i…
High
CVE-2020-7749
This affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping ({{{ ... }}}). As such, it is possible for an attacker to injec…
2020-10-19
High
CVE-2020-15822
In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped.
2020-10-17
Critical
CVE-2020-27197
TAXII libtaxii through 1.1.117, as used in EclecticIQ OpenTAXII through 0.2.0 and other products, allows SSRF via an initial http:// substring to the parse method, even when the no_network setting is…
2020-10-12
High
CVE-2020-4772
An XML External Entity Injection (XXE) vulnerability may impact IBM Curam Social Program Management 7.0.9 and 7.0.10. A remote attacker could exploit this vulnerability to expose sensitive informatio…
2020-10-10
Critical
CVE-2020-26948
Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter.
2020-10-06
High
CVE-2020-7740
This affects all versions of package node-pdf-generator. Due to lack of user input validation and sanitization done to the content given to node-pdf-generator, it is possible for an attacker to craft…
High
CVE-2020-7739
This affects all versions of package phantomjs-seo. It is possible for an attacker to craft a url that will be passed to a PhantomJS instance allowing for an SSRF attack.
2020-10-01
Medium
CVE-2020-5784
Server-Side Request Forgery in Teltonika firmware TRB2_R_00.02.04.3 allows a low privileged user to cause the application to perform HTTP GET requests to arbitrary URLs.
2020-09-30
Medium
CVE-2020-24570
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a CSRF issue (with resultant SSRF) in the com_mb24proxy module, allowing attackers to steal session in…
Medium
CVE-2020-15594
An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. The mail gateway configuration feature allows an attacker to perform a scan in order to discover open ports on a…
2020-09-22
Medium
CVE-2020-14023
Ozeki NG SMS Gateway through 4.17.6 allows SSRF via SMS WCF or RSS To SMS.
2020-09-21
Medium
CVE-2020-16171
An issue was discovered in Acronis Cyber Backup before 12.5 Build 16342. Some API endpoints on port 9877 under /api/ams/ accept an additional custom Shard header. The value of this header is afterwar…
2020-09-18
High
CVE-2020-14029
An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The RSS To SMS module processes XML files in an unsafe manner. This opens the application to an XML External Entity attack that can be…
Medium
CVE-2020-15772
An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. When configuring Gradle Enterprise to integrate with a SAML identity provider, an XML metadata file can be uploaded by an administrator…
2020-09-14
Medium
CVE-2020-13309
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was vulnerable to a blind SSRF attack through the repository mirroring feature.
2020-09-04
Medium
CVE-2020-4632
IBM InfoSphere Metadata Asset Manager 11.7 is vulnerable to server-side request forgery. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to su…
2020-08-31
Medium
CVE-2020-12644
OX App Suite 7.10.3 and earlier allows SSRF, related to the mail account API and the /folder/list API.
2020-08-29
High
CVE-2020-24898
The Table Filter and Charts for Confluence Server app before 5.3.26 (for Atlassian Confluence) allows SSRF via the "Table from CSV" macro (URL parameter).
2020-08-28
High
CVE-2020-9298
The Spinnaker template resolution functionality is vulnerable to Server-Side Request Forgery (SSRF), which allows an attacker to send requests on behalf of Spinnaker potentially leading to sensitive…
2020-08-26
Medium
CVE-2020-24548
Ericom Access Server 9.2.0 (for AccessNow and Ericom Blaze) allows SSRF to make outbound WebSocket connection requests on arbitrary TCP ports, and provides "Cannot connect to" error messages to infor…
2020-08-24
High
CVE-2020-14044
** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Server-Side Request Forgery (SSRF) vulnerability was found in Codiad v1.7.8 and later. A user with admin privileges could use the plugin install feature to…
2020-08-21
Medium
CVE-2020-5775
Server-Side Request Forgery in Canvas LMS 2020-07-29 allows a remote, unauthenticated attacker to cause the Canvas application to perform HTTP GET requests to arbitrary domains.
2020-08-17
Critical
CVE-2020-15152
ftp-srv is an npm package which is a modern and extensible FTP server designed to be simple yet configurable. In ftp-srv before versions 2.19.6, 3.1.2, and 4.3.4 are vulnerable to Server-Side Request…
Medium
CVE-2020-8226
A vulnerability exists in phpBB <v3.2.10 and <v3.3.1 which allowed remote image dimensions check to be used to SSRF.
2020-08-13
Medium
CVE-2020-13286
For GitLab before 13.0.12, 13.1.6, 13.2.3 user controlled git configuration settings can be modified to result in Server Side Request Forgery.
2020-08-11
High
CVE-2020-14296
Red Hat CloudForms 4.7 and 5 was vulnerable to Server-Side Request Forgery (SSRF) flaw. With the access to add Ansible Tower provider, an attacker could scan and attack systems from the internal netw…
2020-08-10
Medium
CVE-2020-13295
For GitLab Runner before 13.0.12, 13.1.6, 13.2.3, by replacing dockerd with a malicious server, the Shared Runner is susceptible to SSRF.
2020-08-09
Medium
CVE-2020-16248
Prometheus Blackbox Exporter through 0.17.0 allows /probe?target= SSRF. NOTE: follow-on discussion suggests that this might plausibly be interpreted as both intended functionality and also a vulnerab…
2020-08-08
High
CVE-2020-15823
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
Medium
CVE-2020-15819
JetBrains YouTrack before 2020.2.10643 was vulnerable to SSRF that allowed scanning internal ports.
2020-07-28
High
CVE-2020-13970
Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests…
2020-07-21
High
CVE-2020-15879
Bitwarden Server 1.35.1 allows SSRF because it does not consider certain IPv6 addresses (ones beginning with fc, fd, fe, or ff, and the :: address) and certain IPv4 addresses (0.0.0.0/8, 127.0.0.0/8,…
2020-07-20
High
CVE-2020-8205
The uppy npm package < 1.13.2 and < 2.0.0-alpha.5 is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan local or external networks or otherwise interac…
2020-07-15
Medium
CVE-2020-13788
Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet.
2020-07-14
Medium
CVE-2020-6282
SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, and SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.4…
2020-07-09
Medium
CVE-2020-14170
Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vuln…
2020-07-01
Critical
CVE-2020-14056
Monsta FTP 2.10.1 or below is prone to a server-side request forgery vulnerability due to insufficient restriction of the web fetch functionality. This allows attackers to read arbitrary local files…
Medium
CVE-2019-20408
The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vul…
2020-06-24
Critical
CVE-2020-13484
Bitrix24 through 20.0.975 allows SSRF via an intranet IP address in the services/main/ajax.php?action=attachUrlPreview url parameter, if the destination URL hosts an HTML document containing '<meta n…
2020-06-19
Medium
CVE-2019-20872
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. SSRF can attack local services.
2020-06-16
Medium
CVE-2020-8544
OX App Suite through 7.10.3 allows SSRF.
2020-06-15
High
CVE-2020-13650
An issue was discovered in DigDash 2018R2 before p20200210 and 2019R1 before p20200210. The login page is vulnerable to Server-Side Request Forgery (SSRF) that allows use of the application as a prox…
Medium
CVE-2020-9427
OX Guard 2.10.3 and earlier allows SSRF.
2020-06-12
Medium
CVE-2020-11980
In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an "admin" can actually invoke on an MBean. However there is a vulnerability there…
High
CVE-2020-9645
Adobe Experience Manager versions 6.5 and earlier have a blind server-side request forgery (ssrf) vulnerability. Successful exploitation could lead to sensitive information disclosure.
High
CVE-2020-9643
Adobe Experience Manager versions 6.5 and earlier have a server-side request forgery (ssrf) vulnerability. Successful exploitation could lead to sensitive information disclosure.
2020-06-11
High
CVE-2020-12725
Havoc Research discovered an authenticated Server-Side Request Forgery (SSRF) via the "JSON" data source of Redash open-source 8.0.0 and prior. Possibly, other connectors are affected. The SSRF is po…
Critical
CVE-2020-4101
"HCL Digital Experience is susceptible to Server Side Request Forgery."
2020-06-10
Critical
CVE-2020-6275
SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Server Side Request Forgery Attack where in an attacker can use inappropriate path…
2020-06-08
High
CVE-2020-4529
IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially le…
2020-06-05
Medium
CVE-2020-8555
The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows cert…
2020-06-03
High
CVE-2020-13379
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL a…
2020-06-01
High
CVE-2014-8943
Lexiglot through 2014-11-20 allows SSRF via the admin.php?page=projects svn_url parameter.
2020-05-20
Critical
CVE-2020-13226
WSO2 API Manager 3.0.0 does not properly restrict outbound network access from a Publisher node, opening up the possibility of SSRF to this node's entire intranet.
2020-05-14
Medium
CVE-2020-4365
IBM WebSphere Application Server 8.5 is vulnerable to server-side request forgery. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain s…
2020-05-05
High
CVE-2020-8830
CSRF in login.asp on Ruckus devices allows an attacker to access the panel, and use SSRF to perform scraping or other analysis via the SUBCA-1 field on the Wireless Admin screen.
High
CVE-2020-7983
A CSRF issue in login.asp on Ruckus R500 3.4.2.0.384 devices allows remote attackers to access the panel or conduct SSRF attacks.
2020-05-04
High
CVE-2020-12642
An issue was discovered in service-api before 4.3.12 and 5.x before 5.1.1 for Report Portal. It allows XXE, with resultant secrets disclosure and SSRF, via JUnit XML launch import.
2020-04-28
Medium
CVE-2020-5562
Server-side request forgery (SSRF) vulnerability in Cybozu Garoon 4.6.0 to 4.6.3 allows a remote attacker with an administrative privilege to issue arbitrary HTTP requests to other web servers via V-…
2020-04-17
Medium
CVE-2020-11887
svg2png 4.1.1 allows XSS with resultant SSRF via JavaScript inside an SVG document.
High
CVE-2020-11885
WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploade…
2020-04-15
Medium
CVE-2020-4294
IBM QRadar 7.3.0 to 7.3.3 Patch 2 is vulnerable to Server Side Request Forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to n…
2020-04-08
Critical
CVE-2020-10980
GitLab EE/CE 8.0.rc1 to 12.9 is vulnerable to a blind SSRF in the FogBugz integration.
2020-04-02
Medium
CVE-2020-11453
Microstrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and,…
Medium
CVE-2020-11452
Microstrategy Web 10.4 includes functionality to allow users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it's possi…
High
CVE-2020-11451
The Upload Visualization plugin in the Microstrategy Web 10.4 admin panel allows an administrator to upload a ZIP archive containing files with arbitrary extensions and data. (This is also exploitabl…
2020-03-27
Critical
CVE-2020-10956
GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a project import note feature.
2020-03-25
High
CVE-2020-3769
Adobe Experience Manager versions 6.5 and earlier have a server-side request forgery (ssrf) vulnerability. Successful exploitation could lead to sensitive information disclosure.
Medium
CVE-2020-10791
app/Plugin/GrafanaModule/Controller/GrafanaConfigurationController.php in openITCOCKPIT before 3.7.3 allows remote authenticated users to trigger outbound TCP requests (aka SSRF) via the Test Connect…
2020-03-20
Critical
CVE-2019-11574
An issue was discovered in Simple Machines Forum (SMF) before release 2.0.17. There is SSRF related to Subs-Package.php and Subs.php because user-supplied data is used directly in curl calls.
Medium
CVE-2020-8138
A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar U…
Critical
CVE-2020-8135
The uppy npm package < 1.9.3 is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan local or external network or otherwise interact with internal system…
High
CVE-2020-8134
Server-side request forgery (SSRF) vulnerability in Ghost CMS < 3.10.0 allows an attacker to scan local or external network or otherwise interact with internal systems.
2020-03-13
Critical
CVE-2020-10077
GitLab EE 3.0 through 12.8.1 allows SSRF. An internal investigation revealed that a particular deprecated service was creating a server side request forgery risk.