Total
774 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-28155 | 1 Request Project | 1 Request | 2023-03-22 | N/A | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2023-27271 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2023-03-21 | N/A | 7.5 HIGH |
| In SAP BusinessObjects Business Intelligence Platform (Web Services) - versions 420, 430, an attacker can control a malicious BOE server, forcing the application server to connect to its own admintools, leading to a high impact on availability. | |||||
| CVE-2023-26459 | 1 Sap | 1 Netweaver Application Server Abap | 2023-03-21 | N/A | 7.4 HIGH |
| Due to improper input controls In SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, an attacker authenticated as a non-administrative user can craft a request which will trigger the application server to send a request to an arbitrary URL which can reveal, modify or make unavailable non-sensitive information, leading to low impact on Confidentiality, Integrity and Availability. | |||||
| CVE-2023-27586 | 2023-03-21 | N/A | N/A | ||
| CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or denial of service. Version 2.7.0 disables CairoSVG's ability to access other files online by default. | |||||
| CVE-2023-27896 | 1 Sap | 1 Businessobjects Business Intelligence | 2023-03-20 | N/A | 7.5 HIGH |
| In SAP BusinessObjects Business Intelligence Platform - version 420, 430, an attacker can control a malicious BOE server, forcing the application server to connect to its own CMS, leading to a high impact on availability. | |||||
| CVE-2023-28111 | 2023-03-19 | N/A | N/A | ||
| Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, attackers are able to bypass Discourse's server-side request forgery (SSRF) protection for private IPv4 addresses by using a IPv4-mapped IPv6 address. The issue is patched in the latest beta and tests-passed version of Discourse. version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds. | |||||
| CVE-2023-28112 | 2023-03-19 | N/A | N/A | ||
| Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, some user provided URLs were being passed to FastImage without SSRF protection. Insufficient protections could enable attackers to trigger outbound network connections from the Discourse server to private IP addresses. This affects any site running the `tests-passed` or `beta` branches versions 3.1.0.beta2 and prior. This issue is patched in version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds. | |||||
| CVE-2023-27161 | 1 Jellyfin | 1 Jellyfin | 2023-03-15 | N/A | 7.5 HIGH |
| Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. This vulnerability allows attackers to access network resources and sensitive information via a crafted POST request. | |||||
| CVE-2023-25230 | 1 Loonflow Project | 1 Loonflow | 2023-03-14 | N/A | 4.9 MEDIUM |
| loonflow r2.0.14 is vulnerable to server-side request forgery (SSRF). | |||||
| CVE-2021-36396 | 1 Moodle | 1 Moodle | 2023-03-13 | N/A | 7.5 HIGH |
| In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk. | |||||
| CVE-2022-37938 | 1 Hpe | 1 Serviceguard For Linux | 2023-03-10 | N/A | 9.8 CRITICAL |
| Unauthenticated server side request forgery in HPE Serviceguard Manager | |||||
| CVE-2023-26492 | 1 Monospace | 1 Directus | 2023-03-10 | N/A | 7.5 HIGH |
| Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0. | |||||
| CVE-2023-20062 | 1 Cisco | 4 Packaged Contact Center Enterprise, Unified Contact Center Enterprise, Unified Contact Center Express and 1 more | 2023-03-10 | N/A | 4.3 MEDIUM |
| Multiple vulnerabilities in Cisco Unified Intelligence Center could allow an authenticated, remote attacker to collect sensitive information or perform a server-side request forgery (SSRF) attack on an affected system. Cisco plans to release software updates that address these vulnerabilities. | |||||
| CVE-2022-46973 | 1 Anji-plus | 1 Report | 2023-03-10 | N/A | 9.8 CRITICAL |
| Report v0.9.8.6 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability. | |||||
| CVE-2021-21342 | 4 Debian, Fedoraproject, Oracle and 1 more | 12 Debian Linux, Fedora, Banking Enterprise Default Management and 9 more | 2023-03-09 | 5.8 MEDIUM | 9.1 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2023-22493 | 1 Rsshub | 1 Rsshub | 2023-03-07 | N/A | 7.5 HIGH |
| RSSHub is an open source RSS feed generator. RSSHub is vulnerable to Server-Side Request Forgery (SSRF) attacks. This vulnerability allows an attacker to send arbitrary HTTP requests from the server to other servers or resources on the network. An attacker can exploit this vulnerability by sending a request to the affected routes with a malicious URL. An attacker could also use this vulnerability to send requests to internal or any other servers or resources on the network, potentially gain access to sensitive information that would not normally be accessible and amplifying the impact of the attack. The patch for this issue can be found in commit a66cbcf. | |||||
| CVE-2022-27234 | 1 Intel | 1 Computer Vision Annotation Tool | 2023-03-06 | N/A | 6.5 MEDIUM |
| Server-side request forgery in the CVAT software maintained by Intel(R) before version 2.0.1 may allow an authenticated user to potentially enable information disclosure via network access. | |||||
| CVE-2019-7616 | 1 Elastic | 1 Kibana | 2023-03-03 | 4.0 MEDIUM | 4.9 MEDIUM |
| Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system. | |||||
| CVE-2023-1046 | 1 Muyucms | 1 Muyucms | 2023-03-02 | N/A | 8.8 HIGH |
| A vulnerability classified as critical has been found in MuYuCMS 2.2. This affects an unknown part of the file /admin.php/update/getFile.html. The manipulation of the argument url leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-221805 was assigned to this vulnerability. | |||||
| CVE-2022-48321 | 1 Tribe29 | 1 Checkmk | 2023-03-02 | N/A | 7.8 HIGH |
| Limited Server-Side Request Forgery (SSRF) in agent-receiver in Tribe29's Checkmk <= 2.1.0p11 allows an attacker to communicate with local network restricted endpoints by use of the host registration API. | |||||