Total
774 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-20348 | 1 Ibm | 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more | 2021-06-07 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-ForceID: 194597. | |||||
| CVE-2021-20346 | 1 Ibm | 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more | 2021-06-07 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 194595. | |||||
| CVE-2021-20347 | 1 Ibm | 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more | 2021-06-07 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 194596. | |||||
| CVE-2021-20345 | 1 Ibm | 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more | 2021-06-07 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 194594. | |||||
| CVE-2021-20343 | 1 Ibm | 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more | 2021-06-07 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 194593. | |||||
| CVE-2020-14327 | 1 Redhat | 1 Ansible Tower | 2021-06-07 | 2.1 LOW | 5.5 MEDIUM |
| A Server-side request forgery (SSRF) flaw was found in Ansible Tower in versions before 3.6.5 and before 3.7.2. Functionality on the Tower server is abused by supplying a URL that could lead to the server processing it. This flaw leads to the connection to internal services or the exposure of additional internal services by abusing the test feature of lookup credentials to forge HTTP/HTTPS requests from the server and retrieving the results of the response. | |||||
| CVE-2020-14328 | 1 Redhat | 1 Ansible Tower | 2021-06-07 | 2.1 LOW | 3.3 LOW |
| A flaw was found in Ansible Tower in versions before 3.7.2. A Server Side Request Forgery flaw can be abused by supplying a URL which could lead to the server processing it connecting to internal services or exposing additional internal services and more particularly retrieving full details in case of error. The highest threat from this vulnerability is to data confidentiality. | |||||
| CVE-2021-30108 | 1 Feehi | 1 Feehi Cms | 2021-05-28 | 6.4 MEDIUM | 9.1 CRITICAL |
| Feehi CMS 2.1.1 is affected by a Server-side request forgery (SSRF) vulnerability. When the user modifies the HTTP Referer header to any url, the server can make a request to it. | |||||
| CVE-2017-17674 | 1 Bmc | 1 Remedy Mid-tier | 2021-05-25 | 7.5 HIGH | 9.8 CRITICAL |
| BMC Remedy Mid Tier 9.1SP3 is affected by remote and local file inclusion. Due to the lack of restrictions on what can be targeted, the system can be vulnerable to attacks such as system fingerprinting, internal port scanning, Server Side Request Forgery (SSRF), or remote code execution (RCE). | |||||
| CVE-2021-33511 | 1 Plone | 1 Plone | 2021-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel. | |||||
| CVE-2021-33510 | 1 Plone | 1 Plone | 2021-05-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file. | |||||
| CVE-2021-20535 | 1 Ibm | 1 Jazz Reporting Service | 2021-05-20 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM Jazz Reporting Service 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 198834. | |||||
| CVE-2021-31828 | 1 Amazon | 1 Open Distro | 2021-05-18 | 5.5 MEDIUM | 7.1 HIGH |
| An SSRF issue in Open Distro for Elasticsearch (ODFE) before 1.13.1.0 allows an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Alerting plugin's intended scope. | |||||
| CVE-2021-31910 | 1 Jetbrains | 1 Teamcity | 2021-05-17 | 5.0 MEDIUM | 7.5 HIGH |
| In JetBrains TeamCity before 2020.2.3, information disclosure via SSRF was possible. | |||||
| CVE-2021-29490 | 1 Jellyfin | 1 Jellyfin | 2021-05-13 | 5.0 MEDIUM | 5.8 MEDIUM |
| Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and external HTTP servers or other resources available via HTTP `GET` that are visible from the Jellyfin server. The vulnerability is patched in version 10.7.3. As a workaround, disable external access to the API endpoints `/Items/*/RemoteImages/Download`, `/Items/RemoteSearch/Image` and `/Images/Remote` via reverse proxy, or limit to known-friendly IPs. | |||||
| CVE-2021-29145 | 1 Arubanetworks | 1 Clearpass | 2021-05-10 | 7.5 HIGH | 9.8 CRITICAL |
| A remote server side request forgery (SSRF) remote code execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2021-31779 | 1 Yoast | 1 Yoast Seo | 2021-05-07 | 5.5 MEDIUM | 6.4 MEDIUM |
| The yoast_seo (aka Yoast SEO) extension before 7.2.1 for TYPO3 allows SSRF via a backend user account. | |||||
| CVE-2020-28943 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-05-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| OX App Suite 7.10.4 and earlier allows SSRF via a snippet. | |||||
| CVE-2020-22002 | 1 Inim | 12 Smartliving 10100l, Smartliving 10100l Firmware, Smartliving 10100lg3 and 9 more | 2021-05-05 | 5.0 MEDIUM | 7.5 HIGH |
| An Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in Inim Electronics Smartliving SmartLAN/G/SI <=6.x within the GetImage functionality. The application parses user supplied data in the GET parameter 'host' to construct an image request to the service through onvif.cgi. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. | |||||
| CVE-2020-15152 | 1 Ftp-srv Project | 1 Ftp-srv | 2021-05-05 | 5.0 MEDIUM | 9.1 CRITICAL |
| ftp-srv is an npm package which is a modern and extensible FTP server designed to be simple yet configurable. In ftp-srv before versions 2.19.6, 3.1.2, and 4.3.4 are vulnerable to Server-Side Request Forgery. The PORT command allows arbitrary IPs which can be used to cause the server to make a connection elsewhere. A possible workaround is blocking the PORT through the configuration. This issue is fixed in version2 2.19.6, 3.1.2, and 4.3.4. More information can be found on the linked advisory. | |||||