Total
1279 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-19999 | 1 Halo | 1 Halo | 2024-08-05 | 7.2 High |
| Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration. | ||||
| CVE-2019-19835 | 1 Ruckuswireless | 17 C110, E510, H320 and 14 more | 2024-08-05 | 7.5 High |
| SSRF in AjaxRestrictedCmdStat in zap in Ruckus Wireless Unleashed through 200.7.10.102.64 allows a remote denial of service via the server attribute to the tools/_rcmdstat.jsp URI. | ||||
| CVE-2019-19261 | 1 Gitlab | 1 Gitlab | 2024-08-05 | 8.8 High |
| GitLab Enterprise Edition (EE) 6.7 and later through 12.5 allows SSRF. | ||||
| CVE-2019-18846 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-08-05 | 5.0 Medium |
| OX App Suite through 7.10.2 allows SSRF. | ||||
| CVE-2019-18394 | 1 Igniterealtime | 1 Openfire | 2024-08-05 | 9.8 Critical |
| A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests. | ||||
| CVE-2019-18379 | 1 Symantec | 1 Messaging Gateway | 2024-08-05 | 7.3 High |
| Symantec Messaging Gateway, prior to 10.7.3, may be susceptible to a server-side request forgery (SSRF) exploit, which is a type of issue that can let an attacker send crafted requests from the backend server of a vulnerable web application or access services available through the loopback interface. | ||||
| CVE-2019-18355 | 1 Thycotic | 1 Secret Server | 2024-08-05 | 9.8 Critical |
| An SSRF issue was discovered in the legacy Web launcher in Thycotic Secret Server before 10.7. | ||||
| CVE-2019-17670 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-08-05 | 9.8 Critical |
| WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs. | ||||
| CVE-2019-17669 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-08-05 | 9.8 Critical |
| WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters. | ||||
| CVE-2019-17566 | 3 Apache, Oracle, Redhat | 21 Batik, Api Gateway, Business Intelligence and 18 more | 2024-08-05 | 7.5 High |
| Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. | ||||
| CVE-2019-17400 | 2 Redhat, Universal Office Converter Project | 2 Enterprise Linux, Universal Office Converter | 2024-08-05 | 7.5 High |
| The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion. | ||||
| CVE-2019-16948 | 1 Enghouse | 1 Web Chat | 2024-08-05 | 9.8 Critical |
| An SSRF issue was discovered in Enghouse Web Chat 6.1.300.31. In any POST request, one can replace the port number at WebServiceLocation=http://localhost:8085/UCWebServices/ with a range of ports to determine what is visible on the internal network (as opposed to what general web traffic would see on the product's host). The response from open ports is different than from closed ports. The product does not allow one to change the protocol: anything except http(s) will throw an error; however, it is the type of error that allows one to determine if a port is open or not. | ||||
| CVE-2019-16932 | 1 Themeisle | 1 Visualizer | 2024-08-05 | 10.0 Critical |
| A blind SSRF vulnerability exists in the Visualizer plugin before 3.3.1 for WordPress via wp-json/visualizer/v1/upload-data. | ||||
| CVE-2019-15731 | 1 Gitlab | 1 Gitlab | 2024-08-05 | 5.3 Medium |
| An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. Non-members were able to comment on merge requests despite the repository being set to allow only project members to do so. | ||||
| CVE-2019-15730 | 1 Gitlab | 1 Gitlab | 2024-08-05 | 7.5 High |
| An issue was discovered in GitLab Community and Enterprise Edition 8.14 through 12.2.1. The Jira integration contains a SSRF vulnerability as a result of a bypass of the current protection mechanisms against this type of attack, which would allow sending requests to any resources accessible in the local network by the GitLab server. | ||||
| CVE-2019-15728 | 1 Gitlab | 1 Gitlab | 2024-08-05 | 7.5 High |
| An issue was discovered in GitLab Community and Enterprise Edition 10.1 through 12.2.1. Protections against SSRF attacks on the Kubernetes integration are insufficient, which could have allowed an attacker to request any local network resource accessible from the GitLab server. | ||||
| CVE-2019-15494 | 1 It-novum | 1 Openitcockpit | 2024-08-05 | N/A |
| openITCOCKPIT before 3.7.1 allows SSRF, aka RVID 5-445b21. | ||||
| CVE-2019-15164 | 1 Tcpdump | 1 Libpcap | 2024-08-05 | 5.3 Medium |
| rpcapd/daemon.c in libpcap before 1.9.1 allows SSRF because a URL may be provided as a capture source. | ||||
| CVE-2019-15033 | 1 Pydio | 1 Pydio | 2024-08-05 | 7.7 High |
| Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to index.php, when sending a file to a remote server, as demonstrated by the file=http%3A%2F%2F192.168.1.2 substring. | ||||
| CVE-2019-15021 | 1 Zingbox | 1 Inspector | 2024-08-05 | 5.3 Medium |
| A security vulnerability exists in the Zingbox Inspector versions 1.294 and earlier, that can allow an attacker to easily identify instances of Zingbox Inspectors in a local area network. | ||||