Total
1279 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-38624 | 1 Trendmicro | 1 Apex Central | 2024-08-02 | 5.4 Medium |
| A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38625 through CVE-2023-38627. | ||||
| CVE-2023-38627 | 1 Trendmicro | 1 Apex Central | 2024-08-02 | 5.4 Medium |
| A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38626. | ||||
| CVE-2023-37262 | 1 Tweaked | 1 Cc-tweaked | 2024-08-02 | 9.6 Critical |
| CC: Tweaked is a mod for Minecraft which adds programmable computers, turtles, and more to the game. Prior to versions 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3, and 1.16.5-1.101.3, if the cc-tweaked plugin is running on a Minecraft server hosted on a popular cloud hosting providers, like AWS, GCP, and Azure, those metadata services API endpoints are not forbidden (aka "blacklisted") by default. As such, any player can gain access to sensitive information exposed via those metadata servers, potentially allowing them to pivot or privilege escalate into the hosting provider. Versions 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3, and 1.16.5-1.101.3 contain a fix for this issue. | ||||
| CVE-2024-1965 | 1 Haivision | 2 Aviwest Manager, Aviwest Streamhub | 2024-08-02 | 6.5 Medium |
| Server-Side Request Forgery vulnerability in Haivision's Aviwest Manager and Aviwest Steamhub. This vulnerability could allow an attacker to enumerate internal network configuration without the need for credentials. An attacker could compromise an internal server and retrieve requests sent by other users. | ||||
| CVE-2023-36679 | 2024-08-02 | 7.1 High | ||
| Server-Side Request Forgery (SSRF) vulnerability in Brainstorm Force Spectra.This issue affects Spectra: from n/a through 2.6.6. | ||||
| CVE-2023-36661 | 2 Debian, Shibboleth | 2 Debian Linux, Xmltooling | 2024-08-02 | 7.5 High |
| Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.) | ||||
| CVE-2023-35175 | 1 Hp | 76 Laserjet Pro M304-m305 W1a46a, Laserjet Pro M304-m305 W1a46a Firmware, Laserjet Pro M304-m305 W1a47a and 73 more | 2024-08-02 | 9.8 Critical |
| Certain HP LaserJet Pro print products are potentially vulnerable to Potential Remote Code Execution and/or Elevation of Privilege via Server-Side Request Forgery (SSRF) using the Web Service Eventing model. | ||||
| CVE-2023-35133 | 1 Moodle | 1 Moodle | 2024-08-02 | 7.5 High |
| An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. | ||||
| CVE-2023-34959 | 1 Chamilo | 1 Chamilo Lms | 2024-08-02 | 5.3 Medium |
| An issue in Chamilo v1.11.* up to v1.11.18 allows attackers to execute a Server-Side Request Forgery (SSRF) and obtain information on the services running on the server via crafted requests in the social and links tools. | ||||
| CVE-2023-34370 | 2024-08-02 | 7.1 High | ||
| Server-Side Request Forgery (SSRF) vulnerability in Brainstorm Force Starter Templates — Elementor, WordPress & Beaver Builder Templates, Brainstorm Force Premium Starter Templates.This issue affects Starter Templates — Elementor, WordPress & Beaver Builder Templates: from n/a through 3.2.4; Premium Starter Templates: from n/a through 3.2.4. | ||||
| CVE-2023-34013 | 1 Ays-pro | 1 Poll Maker | 2024-08-02 | 4.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Poll Maker Team Poll Maker – Best WordPress Poll Plugin.This issue affects Poll Maker – Best WordPress Poll Plugin: from n/a through 4.6.2. | ||||
| CVE-2023-33184 | 1 Nextcloud | 1 Nextcloud Mail | 2024-08-02 | 3.5 Low |
| Nextcloud Mail is a mail app in Nextcloud. A blind SSRF attack allowed to send GET requests to services running in the same web server. It is recommended that the Mail app is update to version 3.02, 2.2.5 or 1.15.3. | ||||
| CVE-2023-32750 | 1 Pydio | 1 Cells | 2024-08-02 | 6.5 Medium |
| Pydio Cells through 4.1.2 allows SSRF. For longer running processes, Pydio Cells allows for the creation of jobs, which are run in the background. The job "remote-download" can be used to cause the backend to send a HTTP GET request to a specified URL and save the response to a new file. The response file is then available in a user-specified folder in Pydio Cells. | ||||
| CVE-2023-32683 | 1 Matrix | 1 Synapse | 2024-08-02 | 3.5 Low |
| Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the `url_preview_ip_range_blacklist` setting (by default this only allows public IPs) and by the limited information returned to the client: 1. For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded. 2. For discovered image URLs, any non-image response is discarded. Systems which have URL preview disabled (via the `url_preview_enabled` setting) or have not configured a `url_preview_url_blacklist` are not affected. This issue has been addressed in version 1.85.0. Users are advised to upgrade. User unable to upgrade may also disable URL previews. | ||||
| CVE-2023-32348 | 1 Teltonika | 1 Remote Management System | 2024-08-02 | 5.8 Medium |
| Teltonika’s Remote Management System versions prior to 4.10.0 contain a virtual private network (VPN) hub feature for cross-device communication that uses OpenVPN. It connects new devices in a manner that allows the new device to communicate with all Teltonika devices connected to the VPN. The OpenVPN server also allows users to route through it. An attacker could route a connection to a remote server through the OpenVPN server, enabling them to scan and access data from other Teltonika devices connected to the VPN. | ||||
| CVE-2023-32052 | 1 Microsoft | 2 Power-apps, Power Apps | 2024-08-02 | 5.4 Medium |
| Microsoft Power Apps (online) Spoofing Vulnerability | ||||
| CVE-2023-31848 | 1 Davinci Project | 1 Davinci | 2024-08-02 | 8.8 High |
| davinci 0.3.0-rc is vulnerable to Server-side request forgery (SSRF). | ||||
| CVE-2023-30444 | 1 Ibm | 1 Watson Machine Learning On Cloud Pak For Data | 2024-08-02 | 7.1 High |
| IBM Watson Machine Learning on Cloud Pak for Data 4.0 and 4.5 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 253350. | ||||
| CVE-2023-30019 | 1 Evilmartians | 1 Imgproxy | 2024-08-02 | 5.3 Medium |
| imgproxy <=3.14.0 is vulnerable to Server-Side Request Forgery (SSRF) due to a lack of sanitization of the imageURL parameter. | ||||
| CVE-2023-29292 | 1 Adobe | 2 Commerce, Magento | 2024-08-02 | 4.9 Medium |
| Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction. | ||||