Vulnerabilities (CVE)

Filtered by CWE-918
Total 625 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-41403 1 Flatcore 1 Flatcore-cms 2022-06-24 7.5 HIGH 9.8 CRITICAL
flatCore-CMS version 2.0.8 calls dangerous functions, causing server-side request forgery vulnerabilities.
CVE-2022-23080 2022-06-23 N/A 5.0 MEDIUM
In directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality which allows a low privileged user to perform internal network port scans.
CVE-2022-29612 1 Sap 2 Host Agent, Netweaver Abap 2022-06-22 4.0 MEDIUM 4.3 MEDIUM
SAP NetWeaver, ABAP Platform and SAP Host Agent - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, 8.04, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, 8.04, SAPHOSTAGENT 7.22, allows an authenticated user to misuse a function of sapcontrol webfunctionality(startservice) in Kernel which enables malicious users to retrieve information. On successful exploitation, an attacker can obtain technical information like system number or physical address, which is otherwise restricted, causing a limited impact on the confidentiality of the application.
CVE-2022-27780 1 Haxx 1 Curl 2022-06-22 5.0 MEDIUM 7.5 HIGH
The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a *different* URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters, checks and more.
CVE-2022-23071 2022-06-21 N/A N/A
In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server Side Request Forgery (SSRF), in the “Import Recipe” functionality. When an attacker enters the localhost URL, a low privileged attacker can access/read the internal file system to access sensitive information.
CVE-2022-2062 1 Xgenecloud 1 Nocodb 2022-06-17 5.0 MEDIUM 7.5 HIGH
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository nocodb/nocodb prior to 0.91.7+.
CVE-2022-24969 1 Apache 1 Dubbo 2022-06-15 5.8 MEDIUM 6.1 MEDIUM
bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability.
CVE-2022-31386 1 Nbnbk Project 1 Nbnbk 2022-06-15 6.4 MEDIUM 9.1 CRITICAL
A Server-Side Request Forgery (SSRF) in the getFileBinary function of nbnbk cms 3 allows attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the URL parameter.
CVE-2022-31390 1 Jizhicms 1 Jizhicms 2022-06-15 6.4 MEDIUM 9.1 CRITICAL
Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Update function in app/admin/c/TemplateController.php.
CVE-2022-31830 1 Baidu 1 Kity Minder 2022-06-15 6.4 MEDIUM 9.1 CRITICAL
Kity Minder v1.3.5 was discovered to contain a Server-Side Request Forgery (SSRF) via the init function at ImageCapture.class.php.
CVE-2022-31827 1 Monstaftp 1 Monstaftp 2022-06-15 6.4 MEDIUM 9.1 CRITICAL
MonstaFTP v2.10.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the function performFetchRequest at HTTPFetcher.php.
CVE-2022-31393 1 Jizhicms 1 Jizhicms 2022-06-15 6.4 MEDIUM 9.1 CRITICAL
Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Index function in app/admin/c/PluginsController.php.
CVE-2021-40438 6 Apache, Debian, F5 and 3 more 9 Http Server, Debian Linux, F5os and 6 more 2022-06-14 6.8 MEDIUM 9.0 CRITICAL
A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
CVE-2018-1000067 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2022-06-13 5.0 MEDIUM 5.3 MEDIUM
An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.
CVE-2019-0227 2 Apache, Oracle 37 Axis, Agile Engineering Data Management, Agile Product Lifecycle Management Framework and 34 more 2022-06-13 5.4 MEDIUM 7.5 HIGH
A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.
CVE-2021-40186 1 Dnnsoftware 1 Dotnetnuke 2022-06-09 5.0 MEDIUM 7.5 HIGH
The AppCheck research team identified a Server-Side Request Forgery (SSRF) vulnerability within the DNN CMS platform, formerly known as DotNetNuke. SSRF vulnerabilities allow the attacker to exploit the target system to make network requests on their behalf, allowing a range of possible attacks. In the most common scenario, the attacker exploits SSRF vulnerabilities to attack systems behind the firewall and access sensitive information from Cloud Provider metadata services.
CVE-2022-1285 1 Gogs 1 Gogs 2022-06-08 4.3 MEDIUM 6.5 MEDIUM
Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.8.
CVE-2022-29188 1 Stripe 1 Smokescreen 2022-06-07 6.4 MEDIUM 6.5 MEDIUM
Smokescreen is an HTTP proxy. The primary use case for Smokescreen is to prevent server-side request forgery (SSRF) attacks in which external attackers leverage the behavior of applications to connect to or scan internal infrastructure. Smokescreen also offers an option to deny access to additional (e.g., external) URLs by way of a deny list. There was an issue in Smokescreen that made it possible to bypass the deny list feature by surrounding the hostname with square brackets (e.g. `[example.com]`). This only impacted the HTTP proxy functionality of Smokescreen. HTTPS requests were not impacted. Smokescreen version 0.0.4 contains a patch for this issue.
CVE-2022-1815 1 Diagrams 1 Drawio 2022-06-07 5.0 MEDIUM 7.5 HIGH
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2.
CVE-2022-1784 1 Diagrams 1 Drawio 2022-06-07 5.0 MEDIUM 7.5 HIGH
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8.