Total
1343 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-24641 | 1 Arubanetworks | 1 Airwave Glass | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Aruba AirWave Glass before 1.3.3, there is a Server-Side Request Forgery vulnerability through an unauthenticated endpoint that if successfully exploited can result in disclosure of sensitive information. This can be used to perform an authentication bypass and ultimately gain administrative access on the web administrative interface. | |||||
| CVE-2020-24570 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2021-07-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a CSRF issue (with resultant SSRF) in the com_mb24proxy module, allowing attackers to steal session information from logged-in users with a crafted link. | |||||
| CVE-2020-8830 | 1 Commscope | 2 Ruckus Zoneflex R500, Ruckus Zoneflex R500 Firmware | 2021-07-21 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF in login.asp on Ruckus devices allows an attacker to access the panel, and use SSRF to perform scraping or other analysis via the SUBCA-1 field on the Wireless Admin screen. | |||||
| CVE-2021-33213 | 1 Element-it | 1 Http Commander | 2021-07-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| An SSRF vulnerability in the "Upload from URL" feature in Elements-IT HTTP Commander 5.3.3 allows remote authenticated users to retrieve HTTP and FTP files from the internal server network by inserting an internal address. | |||||
| CVE-2018-13790 | 1 Concretecms | 1 Concrete Cms | 2021-07-15 | 6.5 MEDIUM | 7.2 HIGH |
| A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to attacks on the local network and mapping of the internal network, because of URL functionality on the File Manager page. | |||||
| CVE-2020-28360 | 1 Private-ip Project | 1 Private-ip | 2021-07-15 | 7.5 HIGH | 9.8 CRITICAL |
| Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF. An attacker can perform a large range of requests to ARIN reserved IP ranges, resulting in an indeterminable number of critical attack vectors, allowing remote attackers to request server-side resources or potentially execute arbitrary code through various SSRF techniques. | |||||
| CVE-2020-24147 | 1 Xylus | 1 Wp Smart Import | 2021-07-15 | 6.4 MEDIUM | 9.1 CRITICAL |
| Server-side request forgery (SSR) vulnerability in the WP Smart Import (wp-smart-import) plugin 1.0.0 for WordPress via the file field. | |||||
| CVE-2020-24149 | 1 Secondline | 1 Podcast Importer Secondline | 2021-07-13 | 5.0 MEDIUM | 7.5 HIGH |
| Server-side request forgery (SSRF) in the Podcast Importer SecondLine (podcast-importer-secondline) plugin 1.1.4 for WordPress via the podcast_feed parameter in a secondline_import_initialize action to the secondlinepodcastimport page. | |||||
| CVE-2020-23079 | 1 Halo | 1 Halo | 2021-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| SSRF vulnerability in Halo <=1.3.2 exists in the SMTP configuration, which can detect the server intranet. | |||||
| CVE-2020-20582 | 1 Mipcms | 1 Mipcms | 2021-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| A server side request forgery (SSRF) vulnerability in /ApiAdminDomainSettings.php of MipCMS 5.0.1 allows attackers to access sensitive information. | |||||
| CVE-2020-24142 | 1 Ninjateam | 1 Video Downloader For Tiktok | 2021-07-10 | 7.5 HIGH | 9.8 CRITICAL |
| Server-side request forgery in the Video Downloader for TikTok (aka downloader-tiktok) plugin 1.3 for WordPress lets an attacker send crafted requests from the back-end server of a vulnerable web application via the njt-tk-download-video parameter. It can help identify open ports, local network hosts and execute command on services | |||||
| CVE-2020-24148 | 1 Mooveagency | 1 Import Xml And Rss Feeds | 2021-07-10 | 6.4 MEDIUM | 9.1 CRITICAL |
| Server-side request forgery (SSRF) in the Import XML and RSS Feeds (import-xml-feed) plugin 2.0.1 for WordPress via the data parameter in a moove_read_xml action. | |||||
| CVE-2021-32639 | 1 Nsa | 1 Emissary | 2021-07-06 | 6.5 MEDIUM | 9.9 CRITICAL |
| Emissary is a P2P-based, data-driven workflow engine. Emissary version 6.4.0 is vulnerable to Server-Side Request Forgery (SSRF). In particular, the `RegisterPeerAction` endpoint and the `AddChildDirectoryAction` endpoint are vulnerable to SSRF. This vulnerability may lead to credential leaks. Emissary version 7.0 contains a patch. As a workaround, disable network access to Emissary from untrusted sources. | |||||
| CVE-2020-21788 | 1 Crmeb | 1 Crmeb | 2021-07-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| In CRMEB 3.1.0+ strict domain name filtering leads to SSRF(Server-Side Request Forgery). The vulnerable code is in file /crmeb/app/admin/controller/store/CopyTaobao.php. | |||||
| CVE-2021-32698 | 1 Elabftw | 1 Elabftw | 2021-06-28 | 4.0 MEDIUM | 4.9 MEDIUM |
| eLabFTW is an open source electronic lab notebook for research labs. This vulnerability allows an attacker to make GET requests on behalf of the server. It is "blind" because the attacker cannot see the result of the request. Issue has been patched in eLabFTW 4.0.0. | |||||
| CVE-2021-21311 | 2 Adminer, Debian | 2 Adminer, Debian Linux | 2021-06-24 | 6.4 MEDIUM | 7.2 HIGH |
| Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9. | |||||
| CVE-2021-34808 | 1 Synology | 1 Media Server | 2021-06-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in cgi component in Synology Media Server before 1.8.3-2881 allows remote attackers to access intranet resources via unspecified vectors. | |||||
| CVE-2021-34811 | 1 Synology | 1 Download Station | 2021-06-23 | 4.0 MEDIUM | 4.3 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to access intranet resources via unspecified vectors. | |||||
| CVE-2021-22175 | 1 Gitlab | 1 Gitlab | 2021-06-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled | |||||
| CVE-2021-20483 | 4 Ibm, Linux, Microsoft and 1 more | 5 Aix, Security Identity Manager, Linux Kernel and 2 more | 2021-06-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Security Identity Manager 6.0.2 is vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data. IBM X-Force ID: 197591. | |||||