Total: 1111 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-9298 | 1 Spinnaker | 1 Orca | 2020-08-31 | 5.0 MEDIUM | 7.5 HIGH |
| The Spinnaker template resolution functionality is vulnerable to Server-Side Request Forgery (SSRF), which allows an attacker to send requests on behalf of Spinnaker potentially leading to sensitive data disclosure. | |||||
| CVE-2020-5775 | 1 Instructure | 1 Canvas Learning Management Service | 2020-08-26 | 5.0 MEDIUM | 5.8 MEDIUM |
| Server-Side Request Forgery in Canvas LMS 2020-07-29 allows a remote, unauthenticated attacker to cause the Canvas application to perform HTTP GET requests to arbitrary domains. | |||||
| CVE-2020-17386 | 1 Cellopoint | 1 Cellos | 2020-08-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| Cellopoint Cellos v4.1.10 Build 20190922 does not properly validate the input URL. With the cookie of an authenticated user, attackers can tamper with the URL parameter and access arbitrary files on the system. | |||||
| CVE-2019-15731 | 1 Gitlab | 1 Gitlab | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. Non-members were able to comment on merge requests despite the repository being set to allow only project members to do so. | |||||
| CVE-2020-8226 | 1 Phpbb | 1 Phpbb | 2020-08-21 | 5.0 MEDIUM | 5.8 MEDIUM |
| A vulnerability exists in phpBB <v3.2.10 and <v3.3.1 which allowed the remote image dimensions check to be used for SSRF. | |||||
| CVE-2020-13286 | 1 Gitlab | 1 Gitlab | 2020-08-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| For GitLab before 13.0.12, 13.1.6, 13.2.3 user controlled git configuration settings can be modified to result in Server Side Request Forgery. | |||||
| CVE-2020-14296 | 1 Redhat | 1 Cloudforms Management Engine | 2020-08-12 | 5.5 MEDIUM | 7.1 HIGH |
| Red Hat CloudForms 4.7 and 5 was vulnerable to a Server-Side Request Forgery (SSRF) flaw. With the access to add an Ansible Tower provider, an attacker could scan and attack systems from the internal network which are not normally accessible. | |||||
| CVE-2020-13295 | 1 Gitlab | 1 Runner | 2020-08-12 | 6.5 MEDIUM | 8.8 HIGH |
| For GitLab Runner before 13.0.12, 13.1.6, 13.2.3, by replacing dockerd with a malicious server, the Shared Runner is susceptible to SSRF. | |||||
| CVE-2020-15823 | 1 Jetbrains | 1 Youtrack | 2020-08-10 | 5.0 MEDIUM | 7.5 HIGH |
| JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component. | |||||
| CVE-2020-15819 | 1 Jetbrains | 1 Youtrack | 2020-08-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| JetBrains YouTrack before 2020.2.10643 was vulnerable to SSRF that allowed scanning internal ports. | |||||
| CVE-2019-18394 | 1 Igniterealtime | 1 Openfire | 2020-08-07 | 7.5 HIGH | 9.8 CRITICAL |
| A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests. | |||||
| CVE-2020-13970 | 1 Shopware | 1 Shopware | 2020-07-31 | 6.5 MEDIUM | 8.8 HIGH |
| Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server. | |||||
| CVE-2020-15879 | 1 Bitwarden | 1 Server | 2020-07-24 | 5.0 MEDIUM | 7.5 HIGH |
| Bitwarden Server 1.35.1 allows SSRF because it does not consider certain IPv6 addresses (ones beginning with fc, fd, fe, or ff, and the :: address) and certain IPv4 addresses (0.0.0.0/8, 127.0.0.0/8, and 169.254.0.0/16). | |||||
| CVE-2020-8205 | 1 Transloadit | 1 Uppy | 2020-07-23 | 5.0 MEDIUM | 7.5 HIGH |
| The uppy npm package < 1.13.2 and < 2.0.0-alpha.5 is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan local or external networks or otherwise interact with internal systems. | |||||
| CVE-2020-13788 | 1 Linuxfoundation | 1 Harbor | 2020-07-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet. | |||||
| CVE-2020-6282 | 1 Sap | 1 Netweaver Application Server Java | 2020-07-15 | 5.0 MEDIUM | 5.8 MEDIUM |
| SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, and SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. | |||||
| CVE-2020-14170 | 1 Atlassian | 1 Bitbucket | 2020-07-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability. | |||||
| CVE-2019-20408 | 1 Atlassian | 1 Jira | 2020-07-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class. | |||||
| CVE-2020-14056 | 1 Monstaftp | 1 Monsta Ftp | 2020-07-08 | 7.5 HIGH | 9.8 CRITICAL |
| Monsta FTP 2.10.1 or below is prone to a server-side request forgery vulnerability due to insufficient restriction of the web fetch functionality. This allows attackers to read arbitrary local files and interact with arbitrary third-party services. | |||||
| CVE-2020-13484 | 1 Bitrix24 | 1 Bitrix24 | 2020-07-02 | 7.5 HIGH | 9.8 CRITICAL |
| Bitrix24 through 20.0.975 allows SSRF via an intranet IP address in the services/main/ajax.php?action=attachUrlPreview url parameter, if the destination URL hosts an HTML document containing '<meta name="og:image" content="' followed by an intranet URL. | |||||
