Total: 1111 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-31386 | 1 Nbnbk Project | 1 Nbnbk | 2022-06-15 | 6.4 MEDIUM | 9.1 CRITICAL |
| A Server-Side Request Forgery (SSRF) in the getFileBinary function of nbnbk cms 3 allows attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the URL parameter. | |||||
| CVE-2022-31390 | 1 Jizhicms | 1 Jizhicms | 2022-06-15 | 6.4 MEDIUM | 9.1 CRITICAL |
| Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Update function in app/admin/c/TemplateController.php. | |||||
| CVE-2022-31830 | 1 Baidu | 1 Kity Minder | 2022-06-15 | 6.4 MEDIUM | 9.1 CRITICAL |
| Kity Minder v1.3.5 was discovered to contain a Server-Side Request Forgery (SSRF) via the init function at ImageCapture.class.php. | |||||
| CVE-2022-31827 | 1 Monstaftp | 1 Monstaftp | 2022-06-15 | 6.4 MEDIUM | 9.1 CRITICAL |
| MonstaFTP v2.10.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the function performFetchRequest at HTTPFetcher.php. | |||||
| CVE-2022-31393 | 1 Jizhicms | 1 Jizhicms | 2022-06-15 | 6.4 MEDIUM | 9.1 CRITICAL |
| Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Index function in app/admin/c/PluginsController.php. | |||||
| CVE-2018-1000067 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response. | |||||
| CVE-2021-40186 | 1 Dnnsoftware | 1 Dotnetnuke | 2022-06-09 | 5.0 MEDIUM | 7.5 HIGH |
| The AppCheck research team identified a Server-Side Request Forgery (SSRF) vulnerability within the DNN CMS platform, formerly known as DotNetNuke. SSRF vulnerabilities allow the attacker to exploit the target system to make network requests on their behalf, allowing a range of possible attacks. In the most common scenario, the attacker exploits SSRF vulnerabilities to attack systems behind the firewall and access sensitive information from Cloud Provider metadata services. | |||||
| CVE-2022-1285 | 1 Gogs | 1 Gogs | 2022-06-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.8. | |||||
| CVE-2022-29188 | 1 Stripe | 1 Smokescreen | 2022-06-07 | 6.4 MEDIUM | 6.5 MEDIUM |
| Smokescreen is an HTTP proxy. The primary use case for Smokescreen is to prevent server-side request forgery (SSRF) attacks in which external attackers leverage the behavior of applications to connect to or scan internal infrastructure. Smokescreen also offers an option to deny access to additional (e.g., external) URLs by way of a deny list. There was an issue in Smokescreen that made it possible to bypass the deny list feature by surrounding the hostname with square brackets (e.g. `[example.com]`). This only impacted the HTTP proxy functionality of Smokescreen. HTTPS requests were not impacted. Smokescreen version 0.0.4 contains a patch for this issue. | |||||
| CVE-2022-1815 | 1 Diagrams | 1 Drawio | 2022-06-07 | 5.0 MEDIUM | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2. | |||||
| CVE-2022-1784 | 1 Diagrams | 1 Drawio | 2022-06-07 | 5.0 MEDIUM | 7.5 HIGH |
| Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8. | |||||
| CVE-2022-1711 | 1 Diagrams | 1 Drawio | 2022-06-07 | 5.0 MEDIUM | 7.5 HIGH |
| Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.5. | |||||
| CVE-2022-1723 | 1 Diagrams | 1 Drawio | 2022-06-07 | 5.0 MEDIUM | 7.5 HIGH |
| Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.6. | |||||
| CVE-2022-28997 | 1 Cszcms | 1 Cszcms | 2022-06-03 | 5.0 MEDIUM | 7.5 HIGH |
| CSZCMS v1.3.0 allows attackers to execute a Server-Side Request Forgery (SSRF) which can be leveraged to leak sensitive data via a local file inclusion at /admin/filemanager/connector/. | |||||
| CVE-2022-29309 | 1 Mysiteforme Project | 1 Mysiteforme | 2022-06-02 | 5.0 MEDIUM | 7.5 HIGH |
| mysiteforme v2.2.1 was discovered to contain a Server-Side Request Forgery. | |||||
| CVE-2022-24856 | 1 Flyte | 1 Flyte Console | 2022-05-26 | 5.0 MEDIUM | 7.5 HIGH |
| FlyteConsole is the web user interface for the Flyte platform. FlyteConsole prior to version 0.52.0 is vulnerable to server-side request forgery (SSRF) when FlyteConsole is open to the general internet. An attacker can exploit any user of a vulnerable instance to access the internal metadata server or other unauthenticated URLs. Passing of headers to an unauthorized actor may occur. The patch for this issue deletes the entire `cors_proxy`, as this is not required for console anymore. A patch is available in FlyteConsole version 0.52.0. Disable FlyteConsole availability on the internet as a workaround. | |||||
| CVE-2022-28616 | 1 Hp | 1 Oneview | 2022-05-26 | 7.5 HIGH | 9.8 CRITICAL |
| A remote server-side request forgery (ssrf) vulnerability was discovered in HPE OneView version(s): Prior to 7.0. HPE has provided a software update to resolve this vulnerability in HPE OneView. | |||||
| CVE-2022-23668 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2022-05-25 | 4.0 MEDIUM | 4.9 MEDIUM |
| A remote authenticated server-side request forgery (SSRF) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2020-3938 | 1 Sysjust | 1 Syuan-gu-da-shin | 2022-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| SysJust Syuan-Gu-Da-Shih, versions before 20191223, contains a Request Forgery vulnerability, allowing attackers to launch inquiries into the network architecture or system files of the server via forged requests. | |||||
| CVE-2022-1398 | 1 External Media Without Import Project | 1 External Media Without Import | 2022-05-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| The External Media without Import WordPress plugin through 1.1.2 does not have any authorisation checks and does not ensure that media added via URLs are external, which could allow any authenticated user, such as a subscriber, to perform blind SSRF attacks. | |||||
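The Smokescreen entry (CVE-2022-29188) describes a deny-list bypass by wrapping the hostname in square brackets. The listing does not say which code path stripped the brackets, so the example below, added here and not taken from Smokescreen's own source, assumes the usual shape of this bug: the deny list is matched against the raw authority string from the request, while the dial path goes through Go's `net.SplitHostPort`, which unwraps `[...]` without checking that the contents are an IP literal. `denyList`, `naiveDenied`, `canonicalHost` and `hardenedDenied` are names chosen for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// denyList is a constructed sample of hostnames the proxy must refuse,
// keyed by canonical form: lowercase, no brackets, no trailing dot.
var denyList = map[string]bool{
	"example.com": true,
}

// naiveDenied shows the weak pattern: the raw authority from the request
// ("host" or "host:port") is looked up as-is. "[example.com]:80" does not
// equal the key "example.com", so it passes, yet net.SplitHostPort in the
// dial path strips the brackets and the proxy connects to example.com.
func naiveDenied(rawAuthority string) bool {
	host := rawAuthority
	if i := strings.LastIndex(host, ":"); i >= 0 {
		host = host[:i]
	}
	return denyList[host]
}

// canonicalHost reduces an authority to the name the dialer will resolve.
// Square brackets are only legal around an IP literal (RFC 3986 IP-literal),
// so a bracketed value that is not an IP address is rejected outright rather
// than unwrapped and passed along.
func canonicalHost(rawAuthority string) (string, error) {
	bracketed := strings.HasPrefix(rawAuthority, "[")
	host := rawAuthority
	if h, _, err := net.SplitHostPort(rawAuthority); err == nil {
		host = h // SplitHostPort already strips the brackets
	} else if bracketed && strings.HasSuffix(host, "]") {
		host = host[1 : len(host)-1] // no port: strip them ourselves
	}
	if bracketed && net.ParseIP(host) == nil {
		return "", fmt.Errorf("bracketed host %q is not an IP literal", rawAuthority)
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if host == "" {
		return "", errors.New("empty host")
	}
	return host, nil
}

// hardenedDenied applies the deny list to the canonical host and fails
// closed: anything that cannot be canonicalised is treated as denied.
func hardenedDenied(rawAuthority string) bool {
	host, err := canonicalHost(rawAuthority)
	if err != nil {
		return true
	}
	return denyList[host]
}

func main() {
	for _, a := range []string{
		"example.com:80", "[example.com]:80", "EXAMPLE.COM.:443", "[::1]:80", "other.example:80",
	} {
		fmt.Printf("%-20s naive=%-5v hardened=%v\n", a, naiveDenied(a), hardenedDenied(a))
	}
}
```

The general rule the example encodes: a deny or allow list must be checked against exactly the value the connection layer will use, after the same normalisation, and any form the normaliser would accept but the grammar forbids (brackets around a DNS name) is rejected rather than tolerated.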
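Several entries above (FlyteConsole's `cors_proxy`, CVE-2022-24856, and the DNN description, CVE-2021-40186) name the cloud metadata service as the usual target of a server-side fetcher. The block below is an added example, not FlyteConsole's or DNN's code, of the destination check such a fetcher needs: resolve the host, refuse every address in loopback, private, link-local (169.254.169.254) and equivalent IPv6 ranges, and hand back the vetted IP to dial so the name is not resolved a second time. `vetDestination`, `isForbiddenIP`, the `forbidden` range list and the offline `fakeResolver` with its host table are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// forbidden is a constructed list of destinations a server-side fetcher or
// CORS proxy must never reach on a user's behalf: loopback, RFC 1918,
// link-local (169.254.169.254 is the cloud metadata service), CGNAT, the
// "this host" range, and the IPv6 equivalents.
var forbidden []*net.IPNet

func init() {
	for _, cidr := range []string{
		"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
		"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
		"::1/128", "fc00::/7", "fe80::/10", "::/128",
	} {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			panic(err)
		}
		forbidden = append(forbidden, n)
	}
}

// isForbiddenIP reports whether ip falls in a blocked range. IPv4-mapped
// IPv6 addresses (::ffff:169.254.169.254) are unwrapped first so they are
// checked against the IPv4 ranges instead of slipping past as "IPv6".
func isForbiddenIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	for _, n := range forbidden {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// vetDestination resolves host with the supplied resolver and returns the
// single address the caller must dial. Returning the address rather than the
// name matters: dialing by name again would re-resolve and open a DNS
// rebinding window. Every returned address is checked, not just the first,
// because a dialer may fall back to any of them.
func vetDestination(host string, resolve func(string) ([]net.IP, error)) (net.IP, error) {
	ips, err := resolve(host)
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, errors.New("no addresses")
	}
	for _, ip := range ips {
		if isForbiddenIP(ip) {
			return nil, fmt.Errorf("destination %s resolves to forbidden address %s", host, ip)
		}
	}
	return ips[0], nil
}

// fakeResolver is a constructed lookup table standing in for net.LookupIP so
// the example runs offline. Literal IPs are returned as themselves, which is
// also why literals go through the same check as names.
func fakeResolver(host string) ([]net.IP, error) {
	if ip := net.ParseIP(host); ip != nil {
		return []net.IP{ip}, nil
	}
	table := map[string][]string{
		"metadata.internal": {"169.254.169.254"},
		"files.example":     {"203.0.113.10"},
		"rebind.example":    {"203.0.113.11", "10.0.0.5"}, // one public, one private
	}
	addrs, ok := table[host]
	if !ok {
		return nil, fmt.Errorf("no such host: %s", host)
	}
	var out []net.IP
	for _, a := range addrs {
		out = append(out, net.ParseIP(a))
	}
	return out, nil
}

func main() {
	for _, h := range []string{
		"files.example", "metadata.internal", "169.254.169.254",
		"::ffff:169.254.169.254", "rebind.example",
	} {
		ip, err := vetDestination(h, fakeResolver)
		fmt.Printf("%-24s ip=%v err=%v\n", h, ip, err)
	}
}
```

In a real fetcher the resolver argument is `net.LookupIP` and the vetted IP is passed to the dialer (with the original name kept only for the Host header and TLS SNI); redirects must go through the same check on every hop, and, as the FlyteConsole entry notes about header passing, the client's own headers (cookies, Authorization) should not be forwarded to the fetched destination.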
