Total
1861 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-34011 | 1 Zhyd | 1 Oneblog | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the parameter entryUrls. | |||||
| CVE-2022-32995 | 1 Halo | 1 Halo | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Halo CMS v1.5.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the template remote download function. | |||||
| CVE-2022-32457 | 1 Digiwin | 1 Business Process Management | 2024-11-21 | N/A | 5.3 MEDIUM |
| Digiwin BPM has inadequate filtering for URL parameter. An unauthenticated remote attacker can perform Blind SSRF attack to discover internal network topology base on URL error response. | |||||
| CVE-2022-31830 | 1 Baidu | 1 Kity Minder | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Kity Minder v1.3.5 was discovered to contain a Server-Side Request Forgery (SSRF) via the init function at ImageCapture.class.php. | |||||
| CVE-2022-31827 | 1 Monstaftp | 1 Monstaftp | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| MonstaFTP v2.10.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the function performFetchRequest at HTTPFetcher.php. | |||||
| CVE-2022-31776 | 1 Ibm | 1 Datapower Gateway | 2024-11-21 | N/A | 8.8 HIGH |
| IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 228433. | |||||
| CVE-2022-31393 | 1 Jizhicms | 1 Jizhicms | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Index function in app/admin/c/PluginsController.php. | |||||
| CVE-2022-31390 | 1 Jizhicms | 1 Jizhicms | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Update function in app/admin/c/TemplateController.php. | |||||
| CVE-2022-31386 | 1 Nbnbk Project | 1 Nbnbk | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| A Server-Side Request Forgery (SSRF) in the getFileBinary function of nbnbk cms 3 allows attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the URL parameter. | |||||
| CVE-2022-31196 | 1 Databasir | 1 Databasir | 2024-11-21 | N/A | 7.6 HIGH |
| Databasir is a database metadata management platform. Databasir <= 1.06 has Server-Side Request Forgery (SSRF) vulnerability. The SSRF is triggered by a sending a **single** HTTP POST request to create a databaseType. By supplying a `jdbcDriverFileUrl` that returns a non `200` response code, the url is executed, the response is logged (both in terminal and in database) and is included in the response. This would allow an attackers to obtain the real IP address and scan Intranet information. This issue was fixed in version 1.0.7. | |||||
| CVE-2022-31188 | 1 Cvat | 1 Cvat | 2024-11-21 | N/A | 8.6 HIGH |
| CVAT is an opensource interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. Validation has been added to urls used in the affected code path in version 2.0.0. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-31132 | 1 Nextcloud | 1 Mail | 2024-11-21 | N/A | 8.3 HIGH |
| Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions shipped with a CSS minifier on the path `./vendor/cerdic/css-tidy/css_optimiser.php`. Access to the minifier is unrestricted and access may lead to Server-Side Request Forgery (SSRF). It is recommendet to upgrade to Mail 1.12.7 or Mail 1.13.6. Users unable to upgrade may manually delete the file located at `./vendor/cerdic/css-tidy/css_optimiser.php` | |||||
| CVE-2022-30049 | 1 Ruifang-tech | 1 Rebuild | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A Server-Side Request Forgery (SSRF) in Rebuild v2.8.3 allows attackers to obtain the real IP address and scan Intranet information via the fileurl parameter. | |||||
| CVE-2022-2900 | 1 Parse-url Project | 1 Parse-url | 2024-11-21 | N/A | 9.1 CRITICAL |
| Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0. | |||||
| CVE-2022-2756 | 1 Kavitareader | 1 Kavita | 2024-11-21 | N/A | 6.5 MEDIUM |
| Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1. | |||||
| CVE-2022-2556 | 1 Mailchimp | 1 Mailchimp For Woocommerce | 2024-11-21 | N/A | 2.7 LOW |
| The Mailchimp for WooCommerce WordPress plugin before 2.7.2 has an AJAX action that allows high privilege users to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example | |||||
| CVE-2022-2416 | 1 Octopus | 1 Octopus Server | 2024-11-21 | N/A | 5.5 MEDIUM |
| In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment. | |||||
| CVE-2022-2267 | 1 Mailchimp | 1 Mailchimp For Woocommerce | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Mailchimp for WooCommerce WordPress plugin before 2.7.1 has an AJAX action that allows any logged in users (such as subscriber) to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example | |||||
| CVE-2022-2216 | 1 Parse-url Project | 1 Parse-url | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0. | |||||
| CVE-2022-29942 | 1 Talend | 1 Administration Center | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Talend Administration Center has a vulnerability that allows an authenticated user to use the Service Registry 'Add' functionality to perform SSRF HTTP GET requests on URLs in the internal network. The issue is fixed for versions 8.0.x in TPS-5189, versions 7.3.x in TPS-5175, and versions 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version. | |||||