Filtered by CWE-918 (Server-Side Request Forgery)
Total: 1279 CVEs
CVE Vendors Products Updated CVSS v3.1
CVE-2020-27375 1 Drtrustusa 2 Icheck Connect Bp Monitor Bp Testing 118, Icheck Connect Bp Monitor Bp Testing 118 Firmware 2024-08-04 6.5 Medium
Dr Trust USA iCheck Connect BP Monitor BP Testing 118 version 1.2.1 is vulnerable to Transmitting Write Requests and Chars.
CVE-2020-27018 2 Microsoft, Trendmicro 2 Windows, Interscan Messaging Security Virtual Appliance 2024-08-04 5.5 Medium
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to a server side request forgery vulnerability which could allow an authenticated attacker to abuse the product's web server and grant access to web resources or parts of local files. An attacker must already have obtained authenticated privileges on the product to exploit this vulnerability.
CVE-2020-26948 1 Emby 1 Emby 2024-08-04 9.8 Critical
Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter.
CVE-2020-26815 1 Sap 1 Fiori Launchpad (News Tile Application) 2024-08-04 8.6 High
SAP Fiori Launchpad (News Tile Application), versions 750, 751, 752, 753, 754, 755, allows an unauthorized attacker to send a crafted request to a vulnerable web application. Such a request is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, in order to retrieve sensitive or confidential resources that are otherwise restricted to internal usage only, resulting in a Server-Side Request Forgery vulnerability.
CVE-2020-26811 1 Sap 1 Commerce Cloud (Accelerator Payment Mock) 2024-08-04 5.3 Medium
SAP Commerce Cloud (Accelerator Payment Mock), versions 1808, 1811, 1905, 2005, allows an unauthenticated attacker to submit a crafted request over a network to a particular SAP Commerce module URL, which will be processed without further interaction. The crafted request leads to a Server-Side Request Forgery attack, which could lead to retrieval of limited pieces of information about the service, with no impact on integrity or availability.
CVE-2020-26258 4 Debian, Fedoraproject, Redhat and 1 more 9 Debian Linux, Fedora, Camel Quarkus and 6 more 2024-08-04 7.7 High
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Request Forgery vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available, only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to set up XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whitelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream's default blacklist can use a workaround described in more detail in the referenced advisories.
CVE-2020-26032 1 Zammad 1 Zammad 2024-08-04 7.5 High
An SSRF issue was discovered in Zammad before 3.4.1. The SMS configuration interface for Massenversand is implemented in a way that renders the result of a test request to the User. An attacker can use this to request any URL via a GET request from the network interface of the server. This may lead to disclosure of information from intranet systems.
CVE-2020-25820 1 Bigbluebutton 1 Bigbluebutton 2024-08-04 6.5 Medium
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.
CVE-2020-25466 1 Crmeb 1 Crmeb 2024-08-04 9.8 Critical
An SSRF vulnerability exists in the downloadimage interface of CRMEB 3.0, which can remotely download arbitrary files onto the server and remotely execute arbitrary code.
CVE-2020-25353 1 Rconfig 1 Rconfig 2024-08-04 6.5 Medium
A server-side request forgery (SSRF) vulnerability in rConfig 3.9.5 has been fixed for 3.9.6. This vulnerability allowed remote authenticated attackers to open a connection to the machine via the deviceIpAddr and connPort parameters.
CVE-2020-24881 1 Osticket 1 Osticket 2024-08-04 9.8 Critical
SSRF exists in osTicket before 1.14.3, where an attacker can add a malicious file to the server or perform port scanning.
CVE-2020-24898 1 Stiltsoft 1 Table Filter And Charts For Confluence Server 2024-08-04 7.6 High
The Table Filter and Charts for Confluence Server app before 5.3.26 (for Atlassian Confluence) allows SSRF via the "Table from CSV" macro (URL parameter).
CVE-2020-24815 1 Microstrategy 1 Microstrategy 2024-08-04 6.5 Medium
A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded in a dossier/dashboard document. NOTE: for 10.4, no fix will be released, as the version will reach end-of-life on 31/12/2020.
CVE-2020-24710 1 Getgophish 1 Gophish 2024-08-04 5.3 Medium
Gophish before 0.11.0 allows SSRF attacks.
CVE-2020-24700 1 Open-xchange 1 Open-xchange Appsuite 2024-08-04 5.4 Medium
OX App Suite through 7.10.3 allows SSRF because GET requests are sent to arbitrary domain names that begin with an "autoconfig." substring.
CVE-2020-24641 1 Arubanetworks 1 Airwave Glass 2024-08-04 7.5 High
In Aruba AirWave Glass before 1.3.3, there is a Server-Side Request Forgery vulnerability through an unauthenticated endpoint that if successfully exploited can result in disclosure of sensitive information. This can be used to perform an authentication bypass and ultimately gain administrative access on the web administrative interface.
CVE-2020-24570 1 Mbconnectline 2 Mbconnect24, Mymbconnect24 2024-08-04 6.5 Medium
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a CSRF issue (with resultant SSRF) in the com_mb24proxy module, allowing attackers to steal session information from logged-in users with a crafted link.
CVE-2020-23622 1 Cling Project 1 Cling 2024-08-04 7.5 High
An issue in the UPnP protocol in 4thline cling 2.0.0 through 2.1.2 allows remote attackers to cause a denial of service via an unchecked CALLBACK parameter in the request header.
CVE-2020-24548 1 Ericom 1 Access Server 2024-08-04 5.3 Medium
Ericom Access Server 9.2.0 (for AccessNow and Ericom Blaze) allows SSRF to make outbound WebSocket connection requests on arbitrary TCP ports, and provides "Cannot connect to" error messages to inform the attacker about closed ports.
CVE-2020-24327 1 Discourse 1 Discourse 2024-08-04 5.3 Medium
A Server-Side Request Forgery (SSRF) vulnerability exists in Discourse 2.3.2 and 2.6 via the email function. When writing an email in the editor, a user can upload pictures from remote websites.