Total: 1343 CVEs

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-39867 | Gitlab | Gitlab | 2021-10-12 | 5.5 MEDIUM | 8.1 HIGH | In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in the Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks.
CVE-2021-39894 | Gitlab | Gitlab | 2021-10-12 | 5.5 MEDIUM | 5.4 MEDIUM | In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in the Fogbugz importer which may be used by attackers to carry out Server Side Request Forgery attacks.
CVE-2021-37223 | Nagios | Nagios Xi | 2021-10-12 | 4.0 MEDIUM | 6.5 MEDIUM | Nagios Enterprises NagiosXI <= 5.8.4 contains a Server-Side Request Forgery (SSRF) vulnerability in schedulereport.php. Any authenticated user can create scheduled reports containing PDF screenshots of any view in the NagiosXI application. Due to lack of input sanitisation, the target page can be replaced with an SSRF payload to access internal resources or disclose local system files.
CVE-2021-37104 | Huawei | P40, P40 Firmware | 2021-10-06 | 5.0 MEDIUM | 7.5 HIGH | There is a server-side request forgery vulnerability in HUAWEI P40 versions 10.1.0.118(C00E116R3P3). This vulnerability is due to insufficient validation of parameters while dealing with some messages. A successful exploit could allow the attacker to gain access to certain resources which the attacker is not supposed to access.
CVE-2021-41385 | Securonix | Snypr | 2021-10-05 | 4.0 MEDIUM | 6.5 MEDIUM | The third party intelligence connector in Securonix SNYPR 6.3.1 Build 184295_0302 allows an authenticated user to obtain access to server configuration details via SSRF.
CVE-2020-24141 | Wp-downloadmanager Project | Wp-downloadmanager | 2021-10-05 | 5.0 MEDIUM | 5.3 MEDIUM | Server-side request forgery in the WP-DownloadManager plugin 1.68.4 for WordPress lets an attacker send crafted requests from the back-end server of a vulnerable web application via the file_remote parameter to download-add.php. It can help identify open ports and local network hosts and execute commands on services.
CVE-2021-39339 | Telefication | Telefication | 2021-10-02 | 5.0 MEDIUM | 5.3 MEDIUM | The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl request. This affects versions up to, and including, 1.8.0.
CVE-2021-41587 | Gradle | Gradle | 2021-09-30 | 5.0 MEDIUM | 7.5 HIGH | In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially discover credentials for other resources.
CVE-2021-41586 | Gradle | Gradle | 2021-09-30 | 5.0 MEDIUM | 7.5 HIGH | In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password.
CVE-2021-40109 | Concretecms | Concrete Cms | 2021-09-30 | 5.5 MEDIUM | 6.4 MEDIUM | An SSRF issue was discovered in Concrete CMS through 8.5.5. Users can access forbidden files on their local network. A user with permissions to upload files from external sites can upload a URL that redirects to an internal resource of any file type. The redirect is followed and loads the contents of the file from the redirected-to server. Files of disallowed types can be uploaded.
CVE-2020-24327 | Discourse | Discourse | 2021-09-29 | 5.0 MEDIUM | 5.3 MEDIUM | A Server Side Request Forgery (SSRF) vulnerability exists in Discourse 2.3.2 and 2.6 via the email function. When writing an email in an editor, you can upload pictures from remote websites.
CVE-2020-21122 | Ureport Project | Ureport | 2021-09-28 | 5.0 MEDIUM | 5.3 MEDIUM | UReport v2.2.9 contains a Server-Side Request Forgery (SSRF) in the designer page which allows attackers to detect intranet device ports.
CVE-2021-33690 | Sap | Netweaver Development Infrastructure | 2021-09-28 | 6.5 MEDIUM | 9.9 CRITICAL | A Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50. The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on the server by sending crafted queries. Due to this, the threat actor could completely compromise sensitive data residing on the server and impact its availability. Note: The impact of this vulnerability depends on whether SAP NetWeaver Development Infrastructure (NWDI) runs on the intranet or internet. The CVSS score reflects the impact considering the worst-case scenario that it runs on the internet.
CVE-2021-21993 | Vmware | Cloud Foundation, Vcenter Server | 2021-09-27 | 4.0 MEDIUM | 6.5 MEDIUM | The vCenter Server contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in the vCenter Server Content Library. An authorised user with access to the content library may exploit this issue by sending a POST request to vCenter Server, leading to information disclosure.
CVE-2021-23029 | F5 | Big-ip Advanced Web Application Firewall, Big-ip Application Security Manager | 2021-09-27 | 6.5 MEDIUM | 8.8 HIGH | On version 16.0.x before 16.0.1.2, insufficient permission checks may allow authenticated users with guest privileges to perform Server-Side Request Forgery (SSRF) attacks through F5 Advanced Web Application Firewall (WAF) and the BIG-IP ASM Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2021-28910 | Bab-technologie | Eibport, Eibport Firmware | 2021-09-20 | 5.0 MEDIUM | 7.5 HIGH | BAB TECHNOLOGIE GmbH eibPort V3 prior to version 3.9.1 contains a basic SSRF vulnerability. It allows unauthenticated attackers to send requests to any internal or external server.
CVE-2021-35209 | Zimbra | Collaboration | 2021-09-20 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.x before 9.0.0 Patch 16. The value of the X-Host header overwrites the value of the Host header in proxied requests. The value of the X-Host header is not checked against the whitelist of hosts Zimbra is allowed to proxy to (the zimbraProxyAllowedDomains setting).
CVE-2021-40537 | Owncloud | User Ldap | 2021-09-15 | 4.0 MEDIUM | 2.7 LOW | A Server Side Request Forgery (SSRF) vulnerability exists in owncloud/user_ldap < 0.15.4 in the settings of the user_ldap app. The administration role is necessary for exploitation.
CVE-2021-39497 | Eyoucms | Eyoucms | 2021-09-14 | 7.5 HIGH | 9.8 CRITICAL | eyoucms 1.5.4 lacks sanitization of input data, allowing an attacker to inject a URL to trigger blind SSRF via the saveRemote() function.
CVE-2021-39195 | Misskey | Misskey | 2021-09-14 | 4.0 MEDIUM | 6.5 MEDIUM | Misskey is an open source, decentralized microblogging platform. In affected versions a Server-Side Request Forgery vulnerability exists in "Upload from URL" and remote attachment handling. This could result in the disclosure of non-public information within the internal network. This has been fixed in 12.90.0. However, if you are using a proxy, you will need to take additional measures. As a workaround, this exploit may be avoided by appropriately restricting access to private networks from the host where the application is running.