Total: 1052 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-29145 | 1 Arubanetworks | 1 Clearpass | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | A remote server side request forgery (SSRF) remote code execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability.
CVE-2020-21788 | 1 Crmeb | 1 Crmeb | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM | In CRMEB 3.1.0+ strict domain name filtering leads to SSRF (Server-Side Request Forgery). The vulnerable code is in file /crmeb/app/admin/controller/store/CopyTaobao.php.
CVE-2021-22986 | 1 F5 | 15 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 12 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
CVE-2021-20345 | 1 Ibm | 9 Collaborative Lifecycle Management, Engineering Lifecycle Management, Engineering Lifecycle Optimization - Engineering Insights and 6 more | 2023-12-10 | 5.5 MEDIUM | 5.4 MEDIUM | IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 194594.
CVE-2020-24148 | 1 Mooveagency | 1 Import Xml And Rss Feeds | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL | Server-side request forgery (SSRF) in the Import XML and RSS Feeds (import-xml-feed) plugin 2.0.1 for WordPress via the data parameter in a moove_read_xml action.
CVE-2021-22175 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 6.8 MEDIUM | 9.8 CRITICAL | When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled.
CVE-2021-34811 | 1 Synology | 1 Download Station | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM | Server-Side Request Forgery (SSRF) vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to access intranet resources via unspecified vectors.
CVE-2021-22214 | 1 Gitlab | 1 Gitlab | 2023-12-10 | 4.3 MEDIUM | 8.6 HIGH | When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited.
CVE-2021-25640 | 1 Apache | 1 Dubbo | 2023-12-10 | 5.8 MEDIUM | 6.1 MEDIUM | In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of the parseURL method will lead to the bypass of the white host check, which can cause an open redirect or SSRF vulnerability.
CVE-2021-32682 | 1 Std42 | 1 Elfinder | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.
CVE-2020-24142 | 1 Ninjateam | 1 Video Downloader For Tiktok | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Server-side request forgery in the Video Downloader for TikTok (aka downloader-tiktok) plugin 1.3 for WordPress lets an attacker send crafted requests from the back-end server of a vulnerable web application via the njt-tk-download-video parameter. It can help identify open ports, local network hosts and execute commands on services.
CVE-2020-24140 | 1 Wcms | 1 Wcms | 2023-12-10 | 7.5 HIGH | 8.3 HIGH | Server-side request forgery in Wcms 0.3.2 lets an attacker send crafted requests from the back-end server of a vulnerable web application via the pagename parameter to wex/html.php. It can help identify open ports, local network hosts and execute commands on local services.
CVE-2020-20341 | 1 Yzmcms | 1 Yzmcms | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | YzmCMS v5.5 contains a server-side request forgery (SSRF) in the grab_image() function.
CVE-2021-39195 | 1 Misskey | 1 Misskey | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM | Misskey is an open source, decentralized microblogging platform. In affected versions a Server-Side Request Forgery vulnerability exists in "Upload from URL" and remote attachment handling. This could result in the disclosure of non-public information within the internal network. This has been fixed in 12.90.0. However, if you are using a proxy, you will need to take additional measures. As a workaround this exploit may be avoided by appropriately restricting access to private networks from the host where the application is running.
CVE-2021-26072 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM | The WidgetConnector plugin in Confluence Server and Confluence Data Center before version 5.8.6 allowed remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability.
CVE-2021-31531 | 1 Zohocorp | 1 Manageengine Servicedesk Plus Msp | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF).
CVE-2021-24150 | 1 Likebtn-like-button Project | 1 Likebtn-like-button | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | The LikeBtn WordPress Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.32 was vulnerable to Unauthenticated Full-Read Server-Side Request Forgery (SSRF).
CVE-2021-31779 | 1 Yoast | 1 Yoast Seo | 2023-12-10 | 5.5 MEDIUM | 6.4 MEDIUM | The yoast_seo (aka Yoast SEO) extension before 7.2.1 for TYPO3 allows SSRF via a backend user account.
CVE-2020-14327 | 1 Redhat | 1 Ansible Tower | 2023-12-10 | 2.1 LOW | 5.5 MEDIUM | A Server-side request forgery (SSRF) flaw was found in Ansible Tower in versions before 3.6.5 and before 3.7.2. Functionality on the Tower server is abused by supplying a URL that could lead to the server processing it. This flaw leads to the connection to internal services or the exposure of additional internal services by abusing the test feature of lookup credentials to forge HTTP/HTTPS requests from the server and retrieving the results of the response.
CVE-2021-32698 | 1 Elabftw | 1 Elabftw | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM | eLabFTW is an open source electronic lab notebook for research labs. This vulnerability allows an attacker to make GET requests on behalf of the server. It is "blind" because the attacker cannot see the result of the request. The issue has been patched in eLabFTW 4.0.0.