Total
1047 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41809 | 1 M-files | 1 M-files Server | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| SSRF vulnerability in M-Files Server products with versions before 22.1.11017.1, in a preview function allowed making queries from the server with certain document types referencing external entities. | |||||
| CVE-2021-37223 | 1 Nagios | 1 Nagios Xi | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| Nagios Enterprises NagiosXI <= 5.8.4 contains a Server-Side Request Forgery (SSRF) vulnerability in schedulereport.php. Any authenticated user can create scheduled reports containing PDF screenshots of any view in the NagiosXI application. Due to lack of input sanitisation, the target page can be replaced with an SSRF payload to access internal resources or disclose local system files. | |||||
| CVE-2021-22033 | 1 Vmware | 3 Cloud Foundation, Vrealize Operations, Vrealize Suite Lifecycle Manager | 2023-12-10 | 4.0 MEDIUM | 2.7 LOW |
| Releases prior to VMware vRealize Operations 8.6 contain a Server Side Request Forgery (SSRF) vulnerability. | |||||
| CVE-2021-43296 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor. | |||||
| CVE-2021-43562 | 1 Pixxio | 1 Pixx.io | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in the pixxio (aka pixx.io integration or DAM) extension before 1.0.6 for TYPO3. The extension fails to restrict the image download to the configured pixx.io DAM URL, resulting in SSRF. As a result, an attacker can download various content from a remote location and save it to a user-controlled filename, which may result in Remote Code Execution. A TYPO3 backend user account is required to exploit this. | |||||
| CVE-2022-0132 | 1 Framasoft | 1 Peertube | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| peertube is vulnerable to Server-Side Request Forgery (SSRF) | |||||
| CVE-2020-21649 | 1 Myucms Project | 1 Myucms | 2023-12-10 | 5.5 MEDIUM | 8.1 HIGH |
| Myucms v2.2.1 contains a server-side request forgery (SSRF) in the component \controller\index.php, which can be exploited via the sql() method. | |||||
| CVE-2022-0339 | 1 Calibre-web Project | 1 Calibre-web | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16. | |||||
| CVE-2021-43780 | 1 Redash | 1 Redash | 2023-12-10 | 6.0 MEDIUM | 8.8 HIGH |
| Redash is a package for data visualization and sharing. In versions 10.0 and priorm the implementation of URL-loading data sources like JSON, CSV, or Excel is vulnerable to advanced methods of Server Side Request Forgery (SSRF). These vulnerabilities are only exploitable on installations where a URL-loading data source is enabled. As of time of publication, the `master` and `release/10.x.x` branches address this by applying the Advocate library for making http requests instead of the requests library directly. Users should upgrade to version 10.0.1 to receive this patch. There are a few workarounds for mitigating the vulnerability without upgrading. One can disable the vulnerable data sources entirely, by adding the following env variable to one's configuration, making them unavailable inside the webapp. One can switch any data source of certain types (viewable in the GitHub Security Advisory) to be `View Only` for all groups on the Settings > Groups > Data Sources screen. For users unable to update an admin may modify Redash's configuration through environment variables to mitigate this issue. Depending on the version of Redash, an admin may also need to run a CLI command to re-encrypt some fields in the database. The `master` and `release/10.x.x` branches as of time of publication have removed the default value for `REDASH_COOKIE_SECRET`. All future releases will also require this to be set explicitly. For existing installations, one will need to ensure that explicit values are set for the `REDASH_COOKIE_SECRET` and `REDASH_SECRET_KEY `variables. | |||||
| CVE-2021-42637 | 1 Printerlogic | 1 Web Stack | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| PrinterLogic Web Stack versions 19.1.1.13 SP9 and below use user-controlled input to craft a URL, resulting in a Server Side Request Forgery (SSRF) vulnerability. | |||||
| CVE-2021-40537 | 1 Owncloud | 1 User Ldap | 2023-12-10 | 4.0 MEDIUM | 2.7 LOW |
| Server Side Request Forgery (SSRF) vulnerability exists in owncloud/user_ldap < 0.15.4 in the settings of the user_ldap app. Administration role is necessary for exploitation. | |||||
| CVE-2021-39894 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 5.5 MEDIUM | 5.4 MEDIUM |
| In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in Fogbugz importer which may be used by attackers to exploit Server Side Request Forgery attacks. | |||||
| CVE-2021-34425 | 5 Apple, Google, Linux and 2 more | 6 Iphone Os, Macos, Android and 3 more | 2023-12-10 | 4.0 MEDIUM | 6.1 MEDIUM |
| The Zoom Client for Meetings before version 5.7.3 (for Android, iOS, Linux, macOS, and Windows) contain a server side request forgery vulnerability in the chat\'s "link preview" functionality. In versions prior to 5.7.3, if a user were to enable the chat\'s "link preview" feature, a malicious actor could trick the user into potentially sending arbitrary HTTP GET requests to URLs that the actor cannot reach directly. | |||||
| CVE-2021-29738 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2023-12-10 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM InfoSphere Data Flow Designer (IBM InfoSphere Information Server 11.7 ) is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 201302. | |||||
| CVE-2021-36349 | 1 Dell | 1 Emc Data Protection Central | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| Dell EMC Data Protection Central versions 19.5 and prior contain a Server Side Request Forgery vulnerability in the DPC DNS client processing. A remote malicious user could potentially exploit this vulnerability, allowing port scanning of external hosts. | |||||
| CVE-2021-22056 | 2 Linux, Vmware | 4 Linux Kernel, Identity Manager, Vrealize Automation and 1 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 and Identity Manager 3.3.5, 3.3.4, and 3.3.3 contain an SSRF vulnerability. A malicious actor with network access may be able to make HTTP requests to arbitrary origins and read the full response. | |||||
| CVE-2020-21653 | 1 Myucms Project | 1 Myucms | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
| Myucms v2.2.1 contains a server-side request forgery (SSRF) in the component \controller\index.php, which can be exploited via the sj() method. | |||||
| CVE-2021-39339 | 1 Telefication | 1 Telefication | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions up to, and including, 1.8.0. | |||||
| CVE-2021-25972 | 1 Tuzitio | 1 Camaleon Cms | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
| In Camaleon CMS, versions 2.1.2.0 to 2.6.0, are vulnerable to Server-Side Request Forgery (SSRF) in the media upload feature, which allows admin users to fetch media files from external URLs but fails to validate URLs referencing to localhost or other internal servers. This allows attackers to read files stored in the internal server. | |||||
| CVE-2021-37104 | 1 Huawei | 2 P40, P40 Firmware | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| There is a server-side request forgery vulnerability in HUAWEI P40 versions 10.1.0.118(C00E116R3P3). This vulnerability is due to insufficient validation of parameters while dealing with some messages. A successful exploit could allow the attacker to gain access to certain resource which the attacker are supposed not to do. | |||||