Total
1276 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-30125 | 2024-11-12 | 6.2 Medium | ||
| HCL BigFix Compliance server can respond with an HTTP status of 500, indicating a server-side error that may cause the server process to die. | ||||
| CVE-2021-1272 | 1 Cisco | 1 Data Center Network Manager | 2024-11-12 | 8.8 High |
| A vulnerability in the session validation feature of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass access controls and conduct a server-side request forgery (SSRF) attack on a targeted system. This vulnerability is due to insufficient validation of parameters in a specific HTTP request by an attacker. An attacker could exploit this vulnerability by sending a crafted HTTP request to an authenticated user of the DCNM web application. A successful exploit could allow the attacker to bypass access controls and gain unauthorized access to the Device Manager application, which provides access to network devices managed by the system. | ||||
| CVE-2023-44313 | 1 Apache | 1 Servicecomb | 2024-11-12 | 7.6 High |
| Server-Side Request Forgery (SSRF) vulnerability in Apache ServiceComb Service-Center. Attackers can obtain sensitive server information through specially crafted requests.This issue affects Apache ServiceComb before 2.1.0(include). Users are recommended to upgrade to version 2.2.0, which fixes the issue. | ||||
| CVE-2024-47830 | 1 Plane | 1 Plane | 2024-11-12 | 9.3 Critical |
| Plane is an open-source project management tool. Plane uses the ** wildcard support to retrieve the image from any hostname as in /web/next.config.js. This may permit an attacker to induce the server side into performing requests to unintended locations. This vulnerability is fixed in 0.23.0. | ||||
| CVE-2024-29007 | 1 Apache | 1 Cloudstack | 2024-11-12 | 7.3 High |
| The CloudStack management server and secondary storage VM could be tricked into making requests to restricted or random resources by means of following 301 HTTP redirects presented by external servers when downloading templates or ISOs. Users are recommended to upgrade to version 4.18.1.1 or 4.19.0.1, which fixes this issue. | ||||
| CVE-2024-49521 | 2024-11-12 | 7.7 High | ||
| Adobe Commerce versions 3.2.5 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to a security feature bypass. A low privileged attacker could exploit this vulnerability to send crafted requests from the vulnerable server to internal systems, which could result in the bypassing of security measures such as firewalls. Exploitation of this issue does not require user interaction. | ||||
| CVE-2023-36925 | 1 Sap | 1 Solution Manager | 2024-11-12 | 7.2 High |
| SAP Solution Manager (Diagnostics agent) - version 7.20, allows an unauthenticated attacker to blindly execute HTTP requests. On successful exploitation, the attacker can cause a limited impact on confidentiality and availability of the application and other applications the Diagnostics Agent can reach. | ||||
| CVE-2023-33176 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-12 | 4.8 Medium |
| BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs to be used for presentation download. Two new properties `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` have also been added to `bigbluebutton.properties` to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to `insertDocument` must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton. | ||||
| CVE-2024-10814 | 2024-11-12 | 6.4 Medium | ||
| The Code Embed plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5 via the ce_get_file() function. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2024-51785 | 2024-11-12 | 4.4 Medium | ||
| Server-Side Request Forgery (SSRF) vulnerability in I Thirteen Web Solution Responsive Filterable Portfolio allows Server Side Request Forgery.This issue affects Responsive Filterable Portfolio: from n/a through 1.0.22. | ||||
| CVE-2024-51740 | 1 Combodo | 1 Itop | 2024-11-08 | 4.3 Medium |
| Combodo iTop is a simple, web based IT Service Management tool. This vulnerability can be used to create HTTP requests on behalf of the server, from a low privileged user. The user portal form manager has been fixed to only instantiate classes derived from it. This issue has been addressed in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-47190 | 2024-11-08 | 2.7 Low | ||
| Northern.tech Hosted Mender before 2024.07.11 allows SSRF. | ||||
| CVE-2024-46947 | 1 Northern.tech | 1 Mender | 2024-11-08 | 6.5 Medium |
| Northern.tech Mender before 3.6.6 and 3.7.x before 3.7.7 allows SSRF. | ||||
| CVE-2024-48951 | 1 Logpoint | 1 Logpoint | 2024-11-08 | 7.5 High |
| An issue was discovered in Logpoint before 7.5.0. Server-Side Request Forgery (SSRF) on SOAR can be used to leak Logpoint's API Token leading to authentication bypass. | ||||
| CVE-2024-24028 | 2024-11-07 | 5.9 Medium | ||
| Server Side Request Forgery (SSRF) vulnerability in Likeshop before 2.5.7 allows attackers to view sensitive information via the avatar parameter in function UserLogic::updateWechatInfo. | ||||
| CVE-2024-51358 | 1 Linuxserver | 1 Heimdall Application Dashboard | 2024-11-07 | 9.8 Critical |
| An issue in Linux Server Heimdall v.2.6.1 allows a remote attacker to execute arbitrary code via a crafted script to the Add new application. | ||||
| CVE-2024-0628 | 1 Wprssaggregator | 1 Wp Rss Aggregator | 2024-11-07 | 3.8 Low |
| The WP RSS Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.23.5 via the RSS feed source in admin settings. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2023-31456 | 2024-11-07 | 5.4 Medium | ||
| There is an SSRF vulnerability in the Fluid Topics platform that affects versions prior to 4.3, where the server can be forced to make arbitrary requests to internal and external resources by an authenticated user. | ||||
| CVE-2024-33250 | 1 Ossrs | 1 Simple Realtime Server | 2024-11-07 | 7.2 High |
| An issue in Open-Source Technology Committee SRS real-time video server RS/4.0.268(Leo) and SRS/4.0.195(Leo) allows a remote attacker to execute arbitrary code via a crafted request. | ||||
| CVE-2024-51665 | 1 Wpthemespace | 1 Magical Addons For Elementor | 2024-11-06 | 4.9 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Noor alam Magical Addons For Elementor allows Server Side Request Forgery.This issue affects Magical Addons For Elementor: from n/a through 1.2.1. | ||||