ReportizFlow
Filtered by vendor
Subscriptions
Total
1746 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-34051 | 2025-07-03 | N/A | ||
| A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint without authentication. An attacker can manipulate the ip, port, and queryb64str parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services. | ||||
| CVE-2023-37229 | 1 Loftware | 1 Spectrum | 2025-07-03 | 8.8 High |
| Loftware Spectrum before 5.1 allows SSRF. | ||||
| CVE-2025-23082 | 1 Veeam | 1 Veeam Backup For Microsoft Azure | 2025-07-03 | N/A |
| Veeam Backup for Microsoft Azure is vulnerable to Server-Side Request Forgery (SSRF). This may allow an unauthenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. | ||||
| CVE-2024-35451 | 1 Linkstack | 1 Linkstack | 2025-07-03 | 4.8 Medium |
| LinkStack 2.7.9 through 4.7.7 allows resources\views\components\favicon.blade.php link SSRF. | ||||
| CVE-2024-45206 | 1 Veeam | 2 Service Provider Console, Veeam Service Provider Console | 2025-07-02 | N/A |
| A vulnerability in Veeam Service Provider Console has been identified, which allows to perform arbitrary HTTP requests to arbitrary hosts of the network and get information about internal resources. | ||||
| CVE-2025-37090 | 1 Hpe | 1 Storeonce System | 2025-07-02 | 9.8 Critical |
| A server-side request forgery vulnerability exists in HPE StoreOnce Software. | ||||
| CVE-2025-0539 | 2 Microsoft, Octopus | 2 Windows, Octopus Server | 2025-07-02 | 8.8 High |
| In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to compromise the account running Octopus Server and potentially the host infrastructure itself. | ||||
| CVE-2025-49852 | 1 Assaabloy | 1 Control Id Idsecure | 2025-07-02 | 7.5 High |
| ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to a server-side request forgery vulnerability which could allow an unauthenticated attacker to retrieve information from other servers. | ||||
| CVE-2024-48360 | 1 Qualitor | 1 Qualitor | 2025-07-01 | 7.5 High |
| Qualitor v8.24 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /request/viewValidacao.php. | ||||
| CVE-2024-38472 | 4 Apache, Apache Software Foundation, Netapp and 1 more | 4 Http Server, Apache Http Server, Ontap and 1 more | 2025-07-01 | 7.5 High |
| SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue. Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing. | ||||
| CVE-2024-4399 | 1 Apereo | 1 Central Authentication Service | 2025-06-30 | 9.1 Critical |
| The does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attack | ||||
| CVE-2024-23336 | 1 Mybb | 1 Mybb | 2025-06-30 | 5 Medium |
| MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list. | ||||
| CVE-2024-30256 | 1 Openwebui | 1 Open Webui | 2025-06-30 | 6.4 Medium |
| Open WebUI is a user-friendly WebUI for LLMs. Open-webui is vulnerable to authenticated blind server-side request forgery. This vulnerability is fixed in 0.1.117. | ||||
| CVE-2024-27347 | 1 Apache | 1 Hugegraph-hubble | 2025-06-30 | 5.3 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Apache HugeGraph-Hubble.This issue affects Apache HugeGraph-Hubble: from 1.0.0 before 1.3.0. Users are recommended to upgrade to version 1.3.0, which fixes the issue. | ||||
| CVE-2024-29190 | 2 Mobsf, Opensecurity | 2 Mobile Security Framework, Mobile Security Framework | 2025-06-30 | 7.5 High |
| Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In version 3.9.5 Beta and prior, MobSF does not perform any input validation when extracting the hostnames in `android:host`, so requests can also be sent to local hostnames. This can lead to server-side request forgery. An attacker can cause the server to make a connection to internal-only services within the organization's infrastructure. Commit 5a8eeee73c5f504a6c3abdf2a139a13804efdb77 has a hotfix for this issue. | ||||
| CVE-2024-31215 | 1 Opensecurity | 1 Mobile Security Framework | 2025-06-30 | 6.3 Medium |
| Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. A SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure. When a malicious app is uploaded to Static analyzer, it is possible to make internal requests. This vulnerability has been patched in version 3.9.8. | ||||
| CVE-2025-29459 | 1 Mybb | 1 Mybb | 2025-06-27 | 7.6 High |
| An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation. | ||||
| CVE-2025-45250 | 1 Mrdoc | 1 Mrdoc | 2025-06-27 | 5.5 Medium |
| MrDoc v0.95 and before is vulnerable to Server-Side Request Forgery (SSRF) in the validate_url function of the app_doc/utils.py file. | ||||
| CVE-2024-54000 | 2 Mobsf, Opensecurity | 2 Mobile Security Framework, Mobile Security Framework | 2025-06-27 | 7.5 High |
| Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In versions prior to 3.9.7, the requests.get() request in the _check_url method is specified as allow_redirects=True, which allows a server-side request forgery when a request to .well-known/assetlinks.json" returns a 302 redirect. This is a bypass of the fix for CVE-2024-29190 and is fixed in 3.9.7. | ||||
| CVE-2024-28752 | 3 Apache, Netapp, Redhat | 9 Cxf, Oncommand Workflow Automation, Ontap Tools and 6 more | 2025-06-27 | 9.3 Critical |
| A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted. | ||||