Total
774 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-42890 | 2 Apache, Debian | 2 Batik, Debian Linux | 2022-12-07 | N/A | 7.5 HIGH |
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16. | |||||
CVE-2022-35508 | 1 Proxmox | 3 Proxmox Mail Gateway, Pve Http Server, Virtual Environment | 2022-12-07 | N/A | 9.8 CRITICAL |
Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) are vulnerable to SSRF when proxying HTTP requests between pve(pmg)proxy and pve(pmg)daemon. An attacker with an unprivileged account can craft an HTTP request to achieve SSRF and file disclosure of any files on the server. Also, in Proxmox Mail Gateway, privilege escalation to the root@pam account is possible if the backup feature has ever been used, because backup files such as pmg-backup_YYYY_MM_DD_*.tgz have 0644 permissions and contain an authkey value. This is fixed in pve-http-server 4.1-3. | |||||
CVE-2019-17566 | 2 Apache, Oracle | 18 Batik, Api Gateway, Business Intelligence and 15 more | 2022-12-06 | 5.0 MEDIUM | 7.5 HIGH |
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. | |||||
CVE-2020-14044 | 1 Codiad | 1 Codiad | 2022-12-06 | 6.5 MEDIUM | 7.2 HIGH |
** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Server-Side Request Forgery (SSRF) vulnerability was found in Codiad v1.7.8 and later. A user with admin privileges could use the plugin install feature to make the server request any URL via components/market/class.market.php. This could potentially result in remote code execution. NOTE: the vendor states "Codiad is no longer under active maintenance by core contributors." | |||||
CVE-2022-41412 | 1 Perfsonar | 1 Perfsonar | 2022-12-02 | N/A | 8.6 HIGH |
An issue in the graphData.cgi component of perfSONAR v4.4.5 and prior allows attackers to access sensitive data and execute Server-Side Request Forgery (SSRF) attacks. | |||||
CVE-2019-6837 | 1 Schneider-electric | 8 Meg6260-0410, Meg6260-0410 Firmware, Meg6260-0415 and 5 more | 2022-11-30 | 6.4 MEDIUM | 9.1 CRITICAL |
A Server-Side Request Forgery (SSRF): CWE-918 vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could cause server configuration data to be exposed when an attacker modifies a URL. | |||||
CVE-2022-40842 | 1 Ndk-design | 1 Ndkadvancedcustomizationfields | 2022-11-23 | N/A | 9.1 CRITICAL |
ndk design NdkAdvancedCustomizationFields 3.5.0 is vulnerable to Server-side request forgery (SSRF) via rotateimg.php. | |||||
CVE-2022-4096 | 1 Appsmith | 1 Appsmith | 2022-11-23 | N/A | 6.5 MEDIUM |
Server-Side Request Forgery (SSRF) in GitHub repository appsmithorg/appsmith prior to 1.8.2. | |||||
CVE-2022-42894 | 1 Siemens | 1 Syngo Dynamics Cardiovascular Imaging And Information System | 2022-11-21 | N/A | 7.5 HIGH |
A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). An unauthenticated Server-Side Request Forgery (SSRF) vulnerability was identified in one of the web services exposed on the syngo Dynamics application that could allow for the leaking of NTLM credentials as well as local service enumeration. | |||||
CVE-2022-43183 | 1 Xuxueli | 1 Xxl-job | 2022-11-20 | N/A | 8.8 HIGH |
XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java. | |||||
CVE-2022-41609 | 1 Wordplus | 1 Better Messages | 2022-11-20 | N/A | 8.8 HIGH |
Auth. (subscriber+) Server-Side Request Forgery (SSRF) vulnerability in Better Messages plugin 1.9.10.68 on WordPress. | |||||
CVE-2022-39383 | 1 Linuxfoundation | 1 Kubevela | 2022-11-18 | N/A | 6.5 MEDIUM |
KubeVela is an open source application delivery platform. Users using the VelaUX APIServer could be affected by this vulnerability. When using Helm Chart as the component delivery method, the request address of the warehouse is not restricted, and there is a blind SSRF vulnerability. Users who're using v1.6, please update the v1.6.1. Users who're using v1.5, please update the v1.5.8. There are no known workarounds for this issue. | |||||
CVE-2022-43140 | 1 Keking | 1 Kkfileview | 2022-11-18 | N/A | 7.5 HIGH |
kkFileView v4.1.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component cn.keking.web.controller.OnlinePreviewController#getCorsFile. This vulnerability allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the url parameter. | |||||
CVE-2022-41906 | 1 Amazon | 1 Opensearch Notifications | 2022-11-16 | N/A | 8.7 HIGH |
OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via Email, Slack, Amazon Chime, Custom web-hook etc channels. A potential SSRF issue in OpenSearch Notifications Plugin 2.2.0 and below could allow an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Notification plugin's intended scope. OpenSearch 2.2.1+ contains the fix for this issue. There are currently no recommended workarounds. | |||||
CVE-2022-2756 | 1 Kavitareader | 1 Kavita | 2022-11-14 | N/A | 6.5 MEDIUM |
Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1. | |||||
CVE-2020-10770 | 1 Redhat | 1 Keycloak | 2022-11-09 | 5.0 MEDIUM | 5.3 MEDIUM |
A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack. | |||||
CVE-2022-42494 | 1 Aioseo | 1 All In One Seo | 2022-11-09 | N/A | 6.5 MEDIUM |
Server Side Request Forgery (SSRF) vulnerability in All in One SEO Pro plugin <= 4.2.5.1 on WordPress. | |||||
CVE-2021-32682 | 1 Std42 | 1 Elfinder | 2022-11-08 | 7.5 HIGH | 9.8 CRITICAL |
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication. | |||||
CVE-2019-17670 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2022-11-07 | 7.5 HIGH | 9.8 CRITICAL |
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs. | |||||
CVE-2022-20951 | 1 Cisco | 1 Broadworks Messaging Server | 2022-11-07 | N/A | 6.5 MEDIUM |
A vulnerability in the web-based management interface of Cisco BroadWorks CommPilot application could allow an authenticated, remote attacker to perform a server-side request forgery (SSRF) attack on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web interface. A successful exploit could allow the attacker to obtain confidential information from the BroadWorks server and other device on the network. {{value}} ["%7b%7bvalue%7d%7d"])}]] |