Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

CVEs (2,642)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-8134 1Ghost 1Ghost Nov 21, 2024 Mar 20, 2020 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 Server-side request forgery (SSRF) vulnerability in Ghost CMS < 3.10.0 allows an attacker to scan local or external network or otherwise interact with internal systems.
CVE-2020-10077 1Gitlab 1Gitlab Nov 21, 2024 Mar 13, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 GitLab EE 3.0 through 12.8.1 allows SSRF. An internal investigation revealed that a particular deprecated service was creating a server side request forgery risk.
CVE-2020-8540 1Zohocorp 1Manageengine Desktop Central Nov 21, 2024 Mar 11, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) atta...Show more An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.Show less
CVE-2019-13121 1Gitlab 1Gitlab Nov 21, 2024 Mar 10, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in GitLab Enterprise Edition 10.6 through 12.0.2. The GitHub project integration was vulnerable to an SSRF vulnerability which allowed an attacker to make requests to local network resources. It h...Show more An issue was discovered in GitLab Enterprise Edition 10.6 through 12.0.2. The GitHub project integration was vulnerable to an SSRF vulnerability which allowed an attacker to make requests to local network resources. It has Incorrect Access Control.Show less
CVE-2019-12443 1Gitlab 1Gitlab Nov 21, 2024 Mar 10, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in GitLab Community and Enterprise Edition 10.2 through 11.11. Multiple features contained Server-Side Request Forgery (SSRF) vulnerabilities caused by an insufficient validation to prevent DNS re...Show more An issue was discovered in GitLab Community and Enterprise Edition 10.2 through 11.11. Multiple features contained Server-Side Request Forgery (SSRF) vulnerabilities caused by an insufficient validation to prevent DNS rebinding attacks.Show less
CVE-2020-10212 1Tecrail 1Responsive Filemanager Nov 21, 2024 Mar 7, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 upload.php in Responsive FileManager 9.13.4 and 9.14.0 allows SSRF via the url parameter because file-extension blocking is mishandled and because it is possible for a DNS hostname to resolve to an internal IP address. F...Show more upload.php in Responsive FileManager 9.13.4 and 9.14.0 allows SSRF via the url parameter because file-extension blocking is mishandled and because it is possible for a DNS hostname to resolve to an internal IP address. For example, an SSRF attempt may succeed if a .ico filename is added to the PATH_INFO. Also, an attacker could create a DNS hostname that resolves to the 0.0.0.0 IP address for DNS pinning. NOTE: this issue exists because of an incomplete fix for CVE-2018-14728.Show less
CVE-2019-18846 1Open Xchange 1Open Xchange Appsuite Nov 21, 2024 Feb 21, 2020 N/A· v4 5.0 MEDIUM· v3 4.0 MEDIUM· v2 OX App Suite through 7.10.2 allows SSRF.
CVE-2020-7796 1Synacor 1Zimbra Collaboration Suite Feb 18, 2026 Feb 18, 2020 N/A· v4 9.8 CRITICAL· v3 6.8 MEDIUM· v2 Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.
CVE-2019-20474 1Zohocorp 1Manageengine Remote Access Plus Nov 21, 2024 Feb 17, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to us...Show more An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network and port scan operations of the localhost or the hosts on the same network segment, aka SSRF.Show less
CVE-2020-8128 1Jsreport 1Jsreport Nov 21, 2024 Feb 14, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code.
CVE-2019-4741 1Ibm 1Content Navigator Nov 21, 2024 Feb 12, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 IBM Content Navigator 3.0CD is vulnerable to Server Side Request Forgery (SSRF). This may allow an unauthenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or fac...Show more IBM Content Navigator 3.0CD is vulnerable to Server Side Request Forgery (SSRF). This may allow an unauthenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 172815.Show less
CVE-2020-8118 3Nextcloud NovellOpensuse 3Backports Sle Nextcloud ServerSuse Linux Enterprise Server Nov 21, 2024 Feb 4, 2020 N/A· v4 5.0 MEDIUM· v3 4.0 MEDIUM· v2 An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed to detect local and remote services when adding a new subscription in the calendar application.
CVE-2020-3938 1Sysjust 1Syuan Gu Da Shin Nov 21, 2024 Feb 4, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 SysJust Syuan-Gu-Da-Shih, versions before 20191223, contain vulnerability of Request Forgery, allowing attackers to launch inquiries into network architecture or system files of the server via forged inquests.
CVE-2013-4864 1Micasaverde 1Veralite Firmware Nov 21, 2024 Jan 28, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to send HTTP requests to intranet servers via the url parameter to cgi-bin/cmh/proxy.sh, related to a Server-Side Request Forgery (SSRF) issue.
CVE-2019-5464 1Gitlab 1Gitlab Nov 21, 2024 Jan 28, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the `url_blocker.rb` which could result in SSRF where the library is utilized.
CVE-2007-6758 1Sencha 1Ext Js Nov 21, 2024 Jan 23, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Server-side request forgery (SSRF) vulnerability in feed-proxy.php in extjs 5.0.0.
CVE-2019-19835 1Ruckuswireless 2Unleashed Zonedirector 1200 Firmware Nov 21, 2024 Jan 23, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 SSRF in AjaxRestrictedCmdStat in zap in Ruckus Wireless Unleashed through 200.7.10.102.64 allows a remote denial of service via the server attribute to the tools/_rcmdstat.jsp URI.
CVE-2020-1925 1Apache 1Olingo Nov 21, 2024 Jan 9, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class which reads a URL from the Location header, and then sends a GET or DELETE request to this URL. It may allow to implement a SSRF attack. If...Show more Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class which reads a URL from the Location header, and then sends a GET or DELETE request to this URL. It may allow to implement a SSRF attack. If an attacker tricks a client to connect to a malicious server, the server can make the client call any URL including internal resources which are not directly accessible by the attacker.Show less
CVE-2019-19261 1Gitlab 1Gitlab Nov 21, 2024 Jan 3, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 GitLab Enterprise Edition (EE) 6.7 and later through 12.5 allows SSRF.
CVE-2018-20499 1Gitlab 1Gitlab Nov 21, 2024 Dec 30, 2019 N/A· v4 7.2 HIGH· v3 6.4 MEDIUM· v2 An issue was discovered in GitLab Community and Enterprise Edition before 11.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF.

Previous 1...120121122...133 Next