Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

CVEs (2,641)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-16793 1Microsoft 1Exchange Server Nov 21, 2024 Sep 21, 2018 N/A· v4 8.6 HIGH· v3 5.0 MEDIUM· v2 Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parameter in /owa/auth/logon.aspx in the OWA (Outlook Web Access) login page.
CVE-2018-16794 1Microsoft 1Active Directory Federation Services Nov 21, 2024 Sep 18, 2018 N/A· v4 8.6 HIGH· v3 5.0 MEDIUM· v2 Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory Federation Services) has an SSRF vulnerability via the txtBoxEmail parameter in /adfs/ls.
CVE-2018-2463 1Sap 1Hybris Nov 21, 2024 Sep 11, 2018 N/A· v4 8.6 HIGH· v3 5.0 MEDIUM· v2 The Omni Commerce Connect API (OCC) of SAP Hybris Commerce, versions 6., is vulnerable to server-side request forgery (SSRF) attacks. This is due to a misconfiguration of XML parser that is used in the server-side imple...Show more The Omni Commerce Connect API (OCC) of SAP Hybris Commerce, versions 6., is vulnerable to server-side request forgery (SSRF) attacks. This is due to a misconfiguration of XML parser that is used in the server-side implementation of OCC.Show less
CVE-2018-1789 1Ibm 1Api Connect Nov 21, 2024 Sep 7, 2018 N/A· v4 9.9 CRITICAL· v3 6.5 MEDIUM· v2 IBM API Connect v2018.1.0 through v2018.3.4 could allow an attacker to send a specially crafted request to conduct a server side request forgery attack. IBM X-Force ID: 148939.
CVE-2018-16444 1Seacms 1Seacms Nov 21, 2024 Sep 4, 2018 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 An issue was discovered in SeaCMS 6.61. adm1n/admin_reslib.php has SSRF via the url parameter.
CVE-2018-16409 1Gogs 1Gogs Nov 21, 2024 Sep 3, 2018 N/A· v4 8.6 HIGH· v3 5.0 MEDIUM· v2 In Gogs 0.11.53, an attacker can use migrate to send arbitrary HTTP GET requests, leading to SSRF.
CVE-2018-15895 1Icmsdev 1Icms Nov 21, 2024 Aug 27, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An SSRF vulnerability was discovered in idreamsoft iCMS 7.0.11 because the remote function in app/spider/spider_tools.class.php does not block DNS hostnames associated with private and reserved IP addresses, as demonstra...Show more An SSRF vulnerability was discovered in idreamsoft iCMS 7.0.11 because the remote function in app/spider/spider_tools.class.php does not block DNS hostnames associated with private and reserved IP addresses, as demonstrated by 127.0.0.1 in an A record. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-14858.Show less
CVE-2018-10511 1Trendmicro 1Control Manager Nov 21, 2024 Aug 15, 2018 N/A· v4 10.0 CRITICAL· v3 6.4 MEDIUM· v2 A vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to conduct a server-side request forgery (SSRF) attack on vulnerable installations.
CVE-2018-2445 1Sap 1Businessobjects Business Intelligence Nov 21, 2024 Aug 14, 2018 N/A· v4 9.6 CRITICAL· v3 5.5 MEDIUM· v2 AdminTools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application, resulting in a Server-Side Re...Show more AdminTools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application, resulting in a Server-Side Request Forgery (SSRF) vulnerability.Show less
CVE-2018-3774 1Url Parse Project 1Url Parse Nov 21, 2024 Aug 12, 2018 N/A· v4 10.0 CRITICAL· v3 7.5 HIGH· v2 Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.
CVE-2018-15192 2Gitea Gogs 2Gitea Gogs Nov 21, 2024 Aug 8, 2018 N/A· v4 8.6 HIGH· v3 5.0 MEDIUM· v2 An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services.
CVE-2018-14728 1Tecrail 1Responsive Filemanager Nov 21, 2024 Aug 3, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 upload.php in Responsive FileManager 9.13.1 allows SSRF via the url parameter.
CVE-2018-14858 1Icmsdev 1Icms Nov 21, 2024 Aug 2, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An SSRF vulnerability was discovered in idreamsoft iCMS before V7.0.11 because the remote function in app/spider/spider_tools.class.php does not block private and reserved IP addresses such as 10.0.0.0/8. NOTE: this vuln...Show more An SSRF vulnerability was discovered in idreamsoft iCMS before V7.0.11 because the remote function in app/spider/spider_tools.class.php does not block private and reserved IP addresses such as 10.0.0.0/8. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-14514.Show less
CVE-2018-1999039 1Jenkins 1Confluence Publisher Nov 21, 2024 Aug 1, 2018 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 A server-side request forgery vulnerability exists in Jenkins Confluence Publisher Plugin 2.0.1 and earlier in ConfluenceSite.java that allows attackers to have Jenkins submit login requests to an attacker-specified Conf...Show more A server-side request forgery vulnerability exists in Jenkins Confluence Publisher Plugin 2.0.1 and earlier in ConfluenceSite.java that allows attackers to have Jenkins submit login requests to an attacker-specified Confluence server URL with attacker specified credentials.Show less
CVE-2018-1999026 1Jenkins 1Tracetronic Ecu Test Nov 21, 2024 Aug 1, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 A server-side request forgery vulnerability exists in Jenkins TraceTronic ECU-TEST Plugin 2.3 and earlier in ATXPublisher.java that allows attackers to have Jenkins send HTTP requests to an attacker-specified host.
CVE-2018-1999017 1Pydio 1Pydio Nov 21, 2024 Jul 23, 2018 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 Pydio version 8.2.0 and earlier contains a Server-Side Request Forgery (SSRF) vulnerability in plugins/action.updater/UpgradeManager.php Line: 154, getUpgradePath($url) that can result in an authenticated admin users req...Show more Pydio version 8.2.0 and earlier contains a Server-Side Request Forgery (SSRF) vulnerability in plugins/action.updater/UpgradeManager.php Line: 154, getUpgradePath($url) that can result in an authenticated admin users requesting arbitrary URL's, pivoting requests through the server. This attack appears to be exploitable via the attacker gaining access to an administrative account, enters a URL into Upgrade Engine, and reloads the page or presses "Check Now". This vulnerability appears to have been fixed in 8.2.1.Show less
CVE-2018-14514 1Icmsdev 1Icms Nov 21, 2024 Jul 23, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An SSRF vulnerability was discovered in idreamsoft iCMS V7.0.9 that allows attackers to read sensitive files, access an intranet, or possibly have unspecified other impact.
CVE-2018-5006 1Adobe 1Experience Manager Nov 21, 2024 Jul 20, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Adobe Experience Manager versions 6.4 and earlier have a Server-Side Request Forgery vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2018-5004 1Adobe 1Experience Manager Nov 21, 2024 Jul 20, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Adobe Experience Manager versions 6.2 and 6.3 have a Server-Side Request Forgery vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVE-2018-12809 1Adobe 1Experience Manager Nov 21, 2024 Jul 20, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Adobe Experience Manager versions 6.4 and earlier have a Server-Side Request Forgery vulnerability. Successful exploitation could lead to sensitive information disclosure.

Previous 1...126127128...133 Next