Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-918
Total 774 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-20348 1 Ibm 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more 2021-06-07 5.5 MEDIUM 5.4 MEDIUM
IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-ForceID: 194597.
CVE-2021-20346 1 Ibm 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more 2021-06-07 5.5 MEDIUM 5.4 MEDIUM
IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 194595.
CVE-2021-20347 1 Ibm 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more 2021-06-07 5.5 MEDIUM 5.4 MEDIUM
IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 194596.
CVE-2021-20345 1 Ibm 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more 2021-06-07 5.5 MEDIUM 5.4 MEDIUM
IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 194594.
CVE-2021-20343 1 Ibm 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more 2021-06-07 5.5 MEDIUM 5.4 MEDIUM
IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 194593.
CVE-2020-14327 1 Redhat 1 Ansible Tower 2021-06-07 2.1 LOW 5.5 MEDIUM
A Server-side request forgery (SSRF) flaw was found in Ansible Tower in versions before 3.6.5 and before 3.7.2. Functionality on the Tower server is abused by supplying a URL that could lead to the server processing it. This flaw leads to the connection to internal services or the exposure of additional internal services by abusing the test feature of lookup credentials to forge HTTP/HTTPS requests from the server and retrieving the results of the response.
CVE-2020-14328 1 Redhat 1 Ansible Tower 2021-06-07 2.1 LOW 3.3 LOW
A flaw was found in Ansible Tower in versions before 3.7.2. A Server Side Request Forgery flaw can be abused by supplying a URL which could lead to the server processing it connecting to internal services or exposing additional internal services and more particularly retrieving full details in case of error. The highest threat from this vulnerability is to data confidentiality.
CVE-2021-30108 1 Feehi 1 Feehi Cms 2021-05-28 6.4 MEDIUM 9.1 CRITICAL
Feehi CMS 2.1.1 is affected by a Server-side request forgery (SSRF) vulnerability. When the user modifies the HTTP Referer header to any url, the server can make a request to it.
CVE-2017-17674 1 Bmc 1 Remedy Mid-tier 2021-05-25 7.5 HIGH 9.8 CRITICAL
BMC Remedy Mid Tier 9.1SP3 is affected by remote and local file inclusion. Due to the lack of restrictions on what can be targeted, the system can be vulnerable to attacks such as system fingerprinting, internal port scanning, Server Side Request Forgery (SSRF), or remote code execution (RCE).
CVE-2021-33511 1 Plone 1 Plone 2021-05-24 5.0 MEDIUM 7.5 HIGH
Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel.
CVE-2021-33510 1 Plone 1 Plone 2021-05-24 4.0 MEDIUM 4.3 MEDIUM
Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file.
CVE-2021-20535 1 Ibm 1 Jazz Reporting Service 2021-05-20 5.5 MEDIUM 5.4 MEDIUM
IBM Jazz Reporting Service 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 198834.
CVE-2021-31828 1 Amazon 1 Open Distro 2021-05-18 5.5 MEDIUM 7.1 HIGH
An SSRF issue in Open Distro for Elasticsearch (ODFE) before 1.13.1.0 allows an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Alerting plugin's intended scope.
CVE-2021-31910 1 Jetbrains 1 Teamcity 2021-05-17 5.0 MEDIUM 7.5 HIGH
In JetBrains TeamCity before 2020.2.3, information disclosure via SSRF was possible.
CVE-2021-29490 1 Jellyfin 1 Jellyfin 2021-05-13 5.0 MEDIUM 5.8 MEDIUM
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and external HTTP servers or other resources available via HTTP `GET` that are visible from the Jellyfin server. The vulnerability is patched in version 10.7.3. As a workaround, disable external access to the API endpoints `/Items/*/RemoteImages/Download`, `/Items/RemoteSearch/Image` and `/Images/Remote` via reverse proxy, or limit to known-friendly IPs.
CVE-2021-29145 1 Arubanetworks 1 Clearpass 2021-05-10 7.5 HIGH 9.8 CRITICAL
A remote server side request forgery (SSRF) remote code execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability.
CVE-2021-31779 1 Yoast 1 Yoast Seo 2021-05-07 5.5 MEDIUM 6.4 MEDIUM
The yoast_seo (aka Yoast SEO) extension before 7.2.1 for TYPO3 allows SSRF via a backend user account.
CVE-2020-28943 1 Open-xchange 1 Open-xchange Appsuite 2021-05-07 4.0 MEDIUM 6.5 MEDIUM
OX App Suite 7.10.4 and earlier allows SSRF via a snippet.
CVE-2020-22002 1 Inim 12 Smartliving 10100l, Smartliving 10100l Firmware, Smartliving 10100lg3 and 9 more 2021-05-05 5.0 MEDIUM 7.5 HIGH
An Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in Inim Electronics Smartliving SmartLAN/G/SI <=6.x within the GetImage functionality. The application parses user supplied data in the GET parameter 'host' to construct an image request to the service through onvif.cgi. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host.
CVE-2020-15152 1 Ftp-srv Project 1 Ftp-srv 2021-05-05 5.0 MEDIUM 9.1 CRITICAL
ftp-srv is an npm package which is a modern and extensible FTP server designed to be simple yet configurable. In ftp-srv before versions 2.19.6, 3.1.2, and 4.3.4 are vulnerable to Server-Side Request Forgery. The PORT command allows arbitrary IPs which can be used to cause the server to make a connection elsewhere. A possible workaround is blocking the PORT through the configuration. This issue is fixed in version2 2.19.6, 3.1.2, and 4.3.4. More information can be found on the linked advisory.