Total
1671 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2014-8943 | 1 Piwigo | 1 Lexiglot | 2024-11-21 | 8.8 High |
| Lexiglot through 2014-11-20 allows SSRF via the admin.php?page=projects svn_url parameter. | ||||
| CVE-2014-3990 | 1 Opencart | 1 Opencart | 2024-11-21 | N/A |
| The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitrary code via a crafted serialized PHP object, related to the quantity parameter in an update request. | ||||
| CVE-2013-4864 | 1 Micasaverde | 2 Veralite, Veralite Firmware | 2024-11-21 | 9.8 Critical |
| MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to send HTTP requests to intranet servers via the url parameter to cgi-bin/cmh/proxy.sh, related to a Server-Side Request Forgery (SSRF) issue. | ||||
| CVE-2007-6758 | 1 Sencha | 1 Ext Js | 2024-11-21 | 7.5 High |
| Server-side request forgery (SSRF) vulnerability in feed-proxy.php in extjs 5.0.0. | ||||
| CVE-2024-20531 | 1 Cisco | 1 Identity Services Engine | 2024-11-20 | 5.5 Medium |
| A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device and conduct a server-side request forgery (SSRF) attack through an affected device. To exploit this vulnerability, the attacker would need valid Super Admin credentials. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing XML input. An attacker could exploit this vulnerability by sending a crafted API request to an affected device. A successful exploit could allow the attacker to read arbitrary files on the underlying operating system or conduct an SSRF attack through the affected device. | ||||
| CVE-2021-3742 | 1 Chatwoot | 1 Chatwoot | 2024-11-19 | 7.9 High |
| A Server-Side Request Forgery (SSRF) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.5.0. The vulnerability allows an attacker to upload an SVG file containing a malicious SSRF payload. When the SVG file is used as an avatar and opened in a new tab, it can trigger the SSRF, potentially leading to host redirection. | ||||
| CVE-2024-49521 | 1 Adobe | 2 Commerce, Magento | 2024-11-18 | 7.7 High |
| Adobe Commerce versions 3.2.5 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to a security feature bypass. A low privileged attacker could exploit this vulnerability to send crafted requests from the vulnerable server to internal systems, which could result in the bypassing of security measures such as firewalls. Exploitation of this issue does not require user interaction. | ||||
| CVE-2024-47830 | 1 Plane | 1 Plane | 2024-11-12 | 9.3 Critical |
| Plane is an open-source project management tool. Plane uses the ** wildcard support to retrieve the image from any hostname as in /web/next.config.js. This may permit an attacker to induce the server side into performing requests to unintended locations. This vulnerability is fixed in 0.23.0. | ||||
| CVE-2024-51785 | 2024-11-12 | 4.4 Medium | ||
| Server-Side Request Forgery (SSRF) vulnerability in I Thirteen Web Solution Responsive Filterable Portfolio allows Server Side Request Forgery.This issue affects Responsive Filterable Portfolio: from n/a through 1.0.22. | ||||
| CVE-2024-10814 | 2024-11-12 | 6.4 Medium | ||
| The Code Embed plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5 via the ce_get_file() function. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2024-51740 | 1 Combodo | 1 Itop | 2024-11-08 | 4.3 Medium |
| Combodo iTop is a simple, web based IT Service Management tool. This vulnerability can be used to create HTTP requests on behalf of the server, from a low privileged user. The user portal form manager has been fixed to only instantiate classes derived from it. This issue has been addressed in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-47190 | 2024-11-08 | 2.7 Low | ||
| Northern.tech Hosted Mender before 2024.07.11 allows SSRF. | ||||
| CVE-2024-46947 | 1 Northern.tech | 1 Mender | 2024-11-08 | 6.5 Medium |
| Northern.tech Mender before 3.6.6 and 3.7.x before 3.7.7 allows SSRF. | ||||
| CVE-2024-51358 | 1 Linuxserver | 1 Heimdall Application Dashboard | 2024-11-07 | 9.8 Critical |
| An issue in Linux Server Heimdall v.2.6.1 allows a remote attacker to execute arbitrary code via a crafted script to the Add new application. | ||||
| CVE-2024-51665 | 1 Wpthemespace | 1 Magical Addons For Elementor | 2024-11-06 | 4.9 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Noor alam Magical Addons For Elementor allows Server Side Request Forgery.This issue affects Magical Addons For Elementor: from n/a through 1.2.1. | ||||
| CVE-2024-51408 | 1 Appsmith | 1 Appsmith | 2024-11-06 | 8.5 High |
| AppSmith Community 1.8.3 before 1.46 allows SSRF via New DataSource for application/json requests to 169.254.169.254 to retrieve AWS metadata credentials. | ||||
| CVE-2024-39637 | 1 Wordpress | 1 Wordpress | 2024-11-04 | 5.4 Medium |
| Server Side Request Forgery (SSRF) vulnerability in Pixelcurve Edubin edubin.This issue affects Edubin: from n/a through 9.2.0. | ||||
| CVE-2024-48346 | 1 Xtreme1-io | 1 Xtreme1 | 2024-11-01 | 6.1 Medium |
| xtreme1 <= v0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the /api/data/upload path. The vulnerability is triggered through the fileUrl parameter, which allows an attacker to make arbitrary requests to internal or external systems. | ||||
| CVE-2024-45518 | 1 Zimbra | 1 Collaboration | 2024-10-30 | 7.5 High |
| An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, and 8.8.15 before Patch 46. It allows authenticated users to exploit Server-Side Request Forgery (SSRF) due to improper input sanitization and misconfigured domain whitelisting. This issue permits unauthorized HTTP requests to be sent to internal services, which can lead to Remote Code Execution (RCE) by chaining Command Injection within the internal service. When combined with existing XSS vulnerabilities, this SSRF issue can further facilitate Remote Code Execution (RCE). | ||||
| CVE-2024-48450 | 1 Hcengineering | 1 Huly | 2024-10-29 | 6.5 Medium |
| An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into chat group. | ||||