Total: 1277 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2024-24028 | | | 2024-11-07 | 5.9 Medium | Server-Side Request Forgery (SSRF) vulnerability in Likeshop before 2.5.7 allows attackers to view sensitive information via the avatar parameter in function UserLogic::updateWechatInfo.
CVE-2024-51358 | 1 Linuxserver | 1 Heimdall Application Dashboard | 2024-11-07 | 9.8 Critical | An issue in Linux Server Heimdall v.2.6.1 allows a remote attacker to execute arbitrary code via a crafted script submitted through the Add new application function.
CVE-2024-0628 | 1 Wprssaggregator | 1 Wp Rss Aggregator | 2024-11-07 | 3.8 Low | The WP RSS Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.23.5 via the RSS feed source in admin settings. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.
CVE-2023-31456 | | | 2024-11-07 | 5.4 Medium | There is an SSRF vulnerability in the Fluid Topics platform that affects versions prior to 4.3, where the server can be forced by an authenticated user to make arbitrary requests to internal and external resources.
CVE-2024-33250 | 1 Ossrs | 1 Simple Realtime Server | 2024-11-07 | 7.2 High | An issue in Open-Source Technology Committee SRS real-time video server RS/4.0.268(Leo) and SRS/4.0.195(Leo) allows a remote attacker to execute arbitrary code via a crafted request.
CVE-2024-51665 | 1 Wpthemespace | 1 Magical Addons For Elementor | 2024-11-06 | 4.9 Medium | Server-Side Request Forgery (SSRF) vulnerability in Noor alam Magical Addons For Elementor allows Server-Side Request Forgery. This issue affects Magical Addons For Elementor: from n/a through 1.2.1.
CVE-2024-51408 | 1 Appsmith | 1 Appsmith | 2024-11-06 | 8.5 High | AppSmith Community 1.8.3 before 1.46 allows SSRF via New DataSource for application/json requests to 169.254.169.254 to retrieve AWS metadata credentials.
CVE-2024-48052 | 1 Gradio Project | 1 Gradio | 2024-11-06 | 6.5 Medium | In gradio <=4.42.0, the gr.DownloadButton function has a server-side request forgery (SSRF) vulnerability: within the save_url_to_cache function there are no restrictions on the URL, which allows access to local target resources. This can lead to the download of local resources and sensitive information.
CVE-2024-1233 | 1 Redhat | 2 Jboss Enterprise Application Platform, Jbosseapxp | 2024-11-06 | 7.3 High | A flaw was found in `JwtValidator.resolvePublicKey` in JBoss EAP, where the validator reads the jku header and sends an HTTP request to it. No allowlisting or other filtering is performed on the destination URL, which may result in a server-side request forgery (SSRF) vulnerability.
CVE-2024-39637 | | | 2024-11-04 | 5.4 Medium | Server-Side Request Forgery (SSRF) vulnerability in Pixelcurve Edubin. This issue affects Edubin: from n/a through 9.2.0.
CVE-2021-42079 | 1 Osnexus | 1 Quantastor | 2024-11-04 | 6.2 Medium | An authenticated administrator can create an alert that performs an SSRF attack. This is possible only via POST requests.
CVE-2024-48360 | 1 Qualitor | 1 Qualitor | 2024-11-01 | 7.5 High | Qualitor v8.24 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /request/viewValidacao.php.
CVE-2024-20332 | | | 2024-11-01 | 5.5 Medium | A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a server-side request forgery (SSRF) attack through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device. To successfully exploit this vulnerability, the attacker would need valid Super Admin credentials.
CVE-2024-48346 | 1 Xtreme1-io | 1 Xtreme1 | 2024-11-01 | 6.1 Medium | xtreme1 <= v0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the /api/data/upload path. The vulnerability is triggered through the fileUrl parameter, which allows an attacker to make arbitrary requests to internal or external systems.
CVE-2024-51242 | 1 Eladmin | 1 Eladmin | 2024-11-01 | 6.5 Medium | A Server-Side Request Forgery (SSRF) vulnerability has been identified in eladmin 2.7 and earlier in ServerDeployController.java. Manipulation of the ip parameter in the HTTP body leads to SSRF.
CVE-2024-45518 | 1 Zimbra | 1 Collaboration | 2024-10-30 | 7.5 High | An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, and 8.8.15 before Patch 46. It allows authenticated users to exploit Server-Side Request Forgery (SSRF) due to improper input sanitization and misconfigured domain allowlisting. This issue permits unauthorized HTTP requests to be sent to internal services, which can lead to Remote Code Execution (RCE) by chaining command injection within the internal service. When combined with existing XSS vulnerabilities, this SSRF issue can further facilitate RCE.
CVE-2024-48232 | 1 Mipjz Project | 1 Mipjz | 2024-10-30 | 4.9 Medium | An issue was found in mipjz 5.0.5. In the mipPost method of \app\setting\controller\ApiAdminTool.php, the value of the postAddress parameter is not validated and is passed directly to curl_exec, whose output is returned, resulting in a Server-Side Request Forgery (SSRF) vulnerability that can read server files.
CVE-2024-48178 | 1 Newbee-mall Project | 1 Newbee-mall | 2024-10-30 | 8.1 High | newbee-mall v1.0.0 is vulnerable to Server-Side Request Forgery (SSRF) via the goodsCoverImg parameter.
CVE-2024-48107 | | | 2024-10-30 | 6.5 Medium | SparkShop <=1.1.7 is vulnerable to server-side request forgery (SSRF). This vulnerability allows attackers to scan ports on the intranet or local network where the server resides, attack applications running on the intranet or local network, or read metadata on the cloud server.
CVE-2023-22936 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-10-30 | 6.3 Medium | In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the 'search_listener' parameter in a search allows for a blind server-side request forgery (SSRF) by an authenticated user. The initiator of the request cannot see the response without the presence of an additional vulnerability within the environment.
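The entries above share one root cause: a URL taken from a request (the postAddress handed to curl_exec, the unvalidated jku, the URL passed to save_url_to_cache, the data-source URL that reaches 169.254.169.254) is fetched by the server with no check on where it points. The Python below is an added example written for this page, not code from any of the listed projects, showing the egress check such a fetcher should run before connecting: only http/https, IP literals in every form inet_aton accepts (plain integer, hex, octal) and IPv4-mapped IPv6 are normalised, every resolved address is tested against loopback, private, link-local (metadata) and multicast ranges, and the vetted IP is returned so the caller connects to that address rather than re-resolving the name. The function names, the `allowed_hosts` parameter, and the `FAKE_DNS` table with its hosts are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Destinations a fetcher driven by user input must never reach. 169.254.0.0/16
# covers the cloud metadata endpoint 169.254.169.254 named in CVE-2024-51408.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "64:ff9b::/96", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_blocked_ip(addr):
    """True if addr is in a blocked range. IPv4-mapped IPv6 is unwrapped first,
    so ::ffff:169.254.169.254 is judged as 169.254.169.254."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def literal_ip(host):
    """Parse host as an IP literal, including the non-dotted forms inet_aton
    accepts (2852039166, 0xa9fea9fe, 0251.0376.0251.0376); None if not a literal."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def system_resolver(host):
    """Default resolver: every address the OS returns, not only the first."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def check_url(url, resolver=system_resolver, allowed_hosts=None):
    """Vet url before a server-side fetch. Returns {"ok": False, "reason": ...} or
    {"ok": True, "ip", "port", "host_header"}: connect to ip, send host_header as
    Host (and SNI). allowed_hosts is an optional exact-match allowlist (jku case)."""
    def blocked(reason):
        return {"ok": False, "reason": reason}

    try:
        parts = urlsplit(url)
        host = parts.hostname          # userinfo and IPv6 brackets already stripped
        port = parts.port or DEFAULT_PORTS.get(parts.scheme, 0)
    except ValueError as exc:          # malformed URL or port out of range
        return blocked(f"unparseable: {exc}")
    if parts.scheme not in ALLOWED_SCHEMES:
        return blocked(f"scheme {parts.scheme!r} not allowed")
    if not host:
        return blocked("no host")
    if allowed_hosts is not None and host not in allowed_hosts:
        return blocked(f"host {host!r} not in allowlist")
    lit = literal_ip(host)
    if lit is not None:
        addrs = [lit]
    else:
        try:
            addrs = resolver(host)
        except OSError as exc:         # socket.gaierror is an OSError
            return blocked(f"unresolvable: {exc}")
    if not addrs:
        return blocked("no addresses")
    for addr in addrs:                 # one blocked answer is enough to refuse
        if is_blocked_ip(addr):
            return blocked(f"{host} resolves to blocked address {addr}")
    # Pin the vetted address so a later lookup (DNS rebinding) cannot swap it.
    return {"ok": True, "reason": "", "ip": str(addrs[0]), "port": port,
            "host_header": host}


# Constructed DNS table so the demo runs offline; these are not real hosts.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "keys.example.com": ["203.0.113.30"],
    "localhost": ["127.0.0.1"],
    "rebind.attacker.example": ["203.0.113.20", "10.0.0.5"],
}


def fake_resolver(host):
    """Offline stand-in with the same contract as system_resolver."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")
    return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]


if __name__ == "__main__":
    for u in ("https://api.example.com/v1", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/", "http://2852039166/",
              "file:///etc/passwd", "http://rebind.attacker.example/"):
        print(u, "->", check_url(u, resolver=fake_resolver))
```

Two things the check cannot do on its own: the HTTP client must be configured not to follow redirects automatically (each Location header is a new URL and goes back through `check_url`), and for HTTPS the connection to the pinned IP must still present the original hostname as SNI and verify the certificate against it. Where the set of legitimate destinations is known in advance, as with a jku or a configured feed host, the `allowed_hosts` allowlist is the stronger control and the range check is only the backstop.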