Total
1278 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-38109 | 1 Microsoft | 1 Azure Health Bot | 2024-10-16 | 9.1 Critical |
| An authenticated attacker can exploit an Server-Side Request Forgery (SSRF) vulnerability in Microsoft Azure Health Bot to elevate privileges over a network. | ||||
| CVE-2024-38206 | 1 Microsoft | 1 Copilot Studio | 2024-10-16 | 8.5 High |
| An authenticated attacker can bypass Server-Side Request Forgery (SSRF) protection in Microsoft Copilot Studio to leak sensitive information over a network. | ||||
| CVE-2024-46468 | 1 Jpress | 1 Jpress | 2024-10-15 | 7.5 High |
| A Server-Side Request Forgery (SSRF) vulnerability exists in the jpress <= v5.1.1, which can be exploited by an attacker to obtain sensitive information, resulting in an information disclosure. | ||||
| CVE-2023-48910 | 1 Microcks | 1 Microcks | 2024-10-15 | 9.8 Critical |
| Microcks up to 1.17.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /jobs and /artifact/download. This vulnerability allows attackers to access network resources and sensitive information via a crafted GET request. | ||||
| CVE-2023-3981 | 1 Omeka | 2 Omeka, Omeka S | 2024-10-15 | 4.9 Medium |
| Server-Side Request Forgery (SSRF) in GitHub repository omeka/omeka-s prior to 4.0.2. | ||||
| CVE-2024-45317 | 1 Sonicwall | 1 Sma1000 Firmware | 2024-10-15 | N/A |
| A Server-Side Request Forgery (SSRF) vulnerability in SMA1000 appliance firmware versions 12.4.3-02676 and earlier allows a remote, unauthenticated attacker to cause the SMA1000 server-side application to make requests to an unintended IP address. | ||||
| CVE-2023-48023 | 1 Anyscale | 1 Ray | 2024-10-11 | 9.1 Critical |
| Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment | ||||
| CVE-2023-6070 | 1 Trellix | 1 Enterprise Security Manager | 2024-10-11 | 4.3 Medium |
| A server-side request forgery vulnerability in ESM prior to version 11.6.8 allows a low privileged authenticated user to upload arbitrary content, potentially altering configuration. This is possible through the certificate validation functionality where the API accepts uploaded content and doesn't parse for invalid data | ||||
| CVE-2022-2416 | 1 Octopus | 1 Octopus Server | 2024-10-11 | 5.5 Medium |
| In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment. | ||||
| CVE-2024-45119 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2024-10-10 | 5.5 Medium |
| Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A low-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs and have a low impact on both confidentiality and integrity. Exploitation of this issue does not require user interaction and scope is changed. | ||||
| CVE-2024-41651 | 1 Prestashop | 1 Prestashop | 2024-10-09 | 9.8 Critical |
| An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server). | ||||
| CVE-2024-5482 | 1 Lollms | 1 Lollms Web Ui | 2024-10-09 | 9.8 Critical |
| A Server-Side Request Forgery (SSRF) vulnerability exists in the 'add_webpage' endpoint of the parisneo/lollms-webui application, affecting the latest version. The vulnerability arises because the application does not adequately validate URLs entered by users, allowing them to input arbitrary URLs, including those that target internal resources such as 'localhost' or '127.0.0.1'. This flaw enables attackers to make unauthorized requests to internal or external systems, potentially leading to access to sensitive data, service disruption, network integrity compromise, business logic manipulation, and abuse of third-party resources. The issue is critical and requires immediate attention to maintain the application's security and integrity. | ||||
| CVE-2024-4325 | 1 Gradio Project | 1 Gradio | 2024-10-09 | 8.6 High |
| A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerability arises when the `path` value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint, thereby compromising the security of internal servers. | ||||
| CVE-2023-42282 | 2 Fedorindutny, Redhat | 5 Ip, Migration Toolkit Virtualization, Network Observ Optr and 2 more | 2024-10-09 | 9.8 Critical |
| The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic. | ||||
| CVE-2023-6294 | 1 Sygnoos | 1 Popup Builder | 2024-10-09 | 7.2 High |
| The Popup Builder WordPress plugin before 4.2.6 does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attack in Multisite WordPress configurations. | ||||
| CVE-2024-38183 | 1 Microsoft | 1 Groupme | 2024-10-09 | 8.8 High |
| An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link. | ||||
| CVE-2024-32987 | 1 Microsoft | 1 Sharepoint Server | 2024-10-08 | 7.5 High |
| Microsoft SharePoint Server Information Disclosure Vulnerability | ||||
| CVE-2024-9410 | 1 Ada | 1 Ada.cx Sentry | 2024-10-07 | 5.3 Medium |
| Ada.cx's Sentry configuration allowed for blind server-side request forgeries (SSRF) through the use of a data scraping endpoint. | ||||
| CVE-2017-3546 | 1 Oracle | 1 Peoplesoft Enterprise Peopletools | 2024-10-04 | N/A |
| Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: MultiChannel Framework). Supported versions that are affected are 8.54 and 8.55. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). | ||||
| CVE-2024-37818 | 1 Strapi | 1 Strapi | 2024-10-04 | 8.6 High |
| Strapi v4.24.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /strapi.io/_next/image. This vulnerability allows attackers to scan for open ports or access sensitive information via a crafted GET request. NOTE: The Strapi Development Community argues that this issue is not valid. They contend that "the strapi/admin was wrongly attributed a flaw that only pertains to the strapi.io website, and which, at the end of the day, does not pose any real SSRF risk to applications that make use of the Strapi library." | ||||