CWE-918
2,678 CVEs • Abstraction: Base
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CVEs (2,678)
| VENDORS | PRODUCTS | UPDATED | PUBLISHED | CVSS | CVE DESCRIPTION |
|---|---|---|---|---|---|
| Qantumthemes (1) | Kentharadio Onair2 (2) | Nov 21, 2024 | Aug 2, 2021 | N/A (v4), 9.8 CRITICAL (v3), 7.5 HIGH (v2) | The OnAir2 WordPress theme before 3.9.9.2 and QT KenthaRadio WordPress plugin before 2.0.2 have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server... |
| | | | | | The Import feature of the RSVPMaker WordPress plugin before 8.7.3 (/wp-admin/tools.php?page=rsvpmaker_export_screen) takes an URL input and calls curl on it, without first validating it to ensure it's a remote one. As a... |
| Groupsession (1) | Groupsession Groupsession Bycloud Groupsession Zion (3) | Nov 21, 2024 | Jul 30, 2021 | N/A (v4), 4.3 MEDIUM (v3), 4.0 MEDIUM (v2) | Server-side request forgery (SSRF) vulnerability in GroupSession (GroupSession Free edition from ver2.2.0 to the version prior to ver5.1.0, GroupSession byCloud from ver3.0.3 to the version prior to ver5.1.0, and GroupSe... |
| Ibm (1) | Engineering Lifecycle Optimization Engineering Insights Engineering Requirements Quality Assistant On Premises Engineering Test Management +6 more (9) | Nov 21, 2024 | Jul 28, 2021 | N/A (v4), 6.3 MEDIUM (v3), 6.5 MEDIUM (v2) | IBM Jazz Foundation products are vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or fac... |
| Open Xchange (1) | Open Xchange Appsuite (1) | Nov 21, 2024 | Jul 22, 2021 | N/A (v4), 5.4 MEDIUM (v3), 5.8 MEDIUM (v2) | OX App Suite before 7.10.3-rev4 and 7.10.4 before 7.10.4-rev4 allows SSRF via a shared SVG document that is mishandled by the imageconverter component when the .png extension is used. |
| Schneider Electric (1) | Evlink City Evc1s22p4 Firmware Evlink City Evc1s7p4 Firmware Evlink Parking Ev.2 Firmware +3 more (6) | Nov 21, 2024 | Jul 21, 2021 | N/A (v4), 8.1 HIGH (v3), 5.5 MEDIUM (v2) | A CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlin... |
| | | | | | Siren Investigate before 11.1.1 contains a server side request forgery (SSRF) defect in the built-in image proxy route (which is enabled by default). An attacker with access to the Investigate installation can specify an... |
| Ibm (1) | Secure External Authentication Server Sterling Secure Proxy (2) | Nov 21, 2024 | Jul 15, 2021 | N/A (v4), 5.4 MEDIUM (v3), 5.5 MEDIUM (v2) | IBM Secure External Authentication Server 6.0.2 and IBM Secure Proxy 6.0.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, pote... |
| Microsoft (1) | Exchange Server (1) | Oct 29, 2025 | Jul 14, 2021 | N/A (v4), 9.8 CRITICAL (v3), 10.0 HIGH (v2) | Microsoft Exchange Server Remote Code Execution Vulnerability |
| | | | | | An SSRF vulnerability in the "Upload from URL" feature in Elements-IT HTTP Commander 5.3.3 allows remote authenticated users to retrieve HTTP and FTP files from the internal server network by inserting an internal addres... |
| | | | | | SSRF vulnerability in Halo <=1.3.2 exists in the SMTP configuration, which can detect the server intranet. |
| | | | | | A Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote, unauthenticated attacker to forge GET requests to arbitrary URLs from the system, potentially leadi... |
| | | | | | A server side request forgery (SSRF) vulnerability in /ApiAdminDomainSettings.php of MipCMS 5.0.1 allows attackers to access sensitive information. |
| Secondline (1) | Podcast Importer Secondline (1) | Nov 21, 2024 | Jul 7, 2021 | N/A (v4), 7.5 HIGH (v3), 5.0 MEDIUM (v2) | Server-side request forgery (SSRF) in the Podcast Importer SecondLine (podcast-importer-secondline) plugin 1.1.4 for WordPress via the podcast_feed parameter in a secondline_import_initialize action to the secondlinepodc... |
| Mooveagency (1) | Import Xml And Rss Feeds (1) | Nov 21, 2024 | Jul 7, 2021 | N/A (v4), 9.1 CRITICAL (v3), 6.4 MEDIUM (v2) | Server-side request forgery (SSRF) in the Import XML and RSS Feeds (import-xml-feed) plugin 2.0.1 for WordPress via the data parameter in a moove_read_xml action. |
| Xylusthemes (1) | Wp Smart Import (1) | Nov 21, 2024 | Jul 7, 2021 | N/A (v4), 9.1 CRITICAL (v3), 6.4 MEDIUM (v2) | Server-side request forgery (SSR) vulnerability in the WP Smart Import (wp-smart-import) plugin 1.0.0 for WordPress via the file field. |
| Ninjateam (1) | Video Downloader For Tiktok (1) | Nov 21, 2024 | Jul 7, 2021 | N/A (v4), 9.8 CRITICAL (v3), 7.5 HIGH (v2) | Server-side request forgery in the Video Downloader for TikTok (aka downloader-tiktok) plugin 1.3 for WordPress lets an attacker send crafted requests from the back-end server of a vulnerable web application via the njt-... |
| Wp Downloadmanager Project (1) | Wp Downloadmanager (1) | Nov 21, 2024 | Jul 7, 2021 | N/A (v4), 5.3 MEDIUM (v3), 5.0 MEDIUM (v2) | Server-side request forgery in the WP-DownloadManager plugin 1.68.4 for WordPress lets an attacker send crafted requests from the back-end server of a vulnerable web application via the file_remote parameter to download-... |
| | | | | | An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.x before 9.0.0 Patch 16. The value of the X-Host header overwrites the value of the Host h... |
| | | | | | Emissary is a P2P-based, data-driven workflow engine. Emissary version 6.4.0 is vulnerable to Server-Side Request Forgery (SSRF). In particular, the `RegisterPeerAction` endpoint and the `AddChildDirectoryAction` endpoin... |