ReportizFlow
Filtered by vendor
Subscriptions
Total
1336 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-26366 | 1 Adobe | 2 Commerce, Magento | 2024-11-21 | 6.8 Medium |
| Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privileged authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction, scope is changed due to the fact that an attacker can enforce file read outside the application's path boundary. | ||||
| CVE-2023-25753 | 1 Apache | 1 Shenyu | 2024-11-21 | 6.5 Medium |
| There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter. Of particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing. This issue affects Apache ShenYu: 2.5.1. Upgrade to Apache ShenYu 2.6.0 or apply patch https://github.com/apache/shenyu/pull/4776 . | ||||
| CVE-2023-25609 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2024-11-21 | 4.2 Medium |
| A server-side request forgery (SSRF) vulnerability [CWE-918] in FortiManager and FortiAnalyzer GUI 7.2.0 through 7.2.1, 7.0.0 through 7.0.6, 6.4.8 through 6.4.11 may allow a remote and authenticated attacker to access unauthorized files and services on the system via specially crafted web requests. | ||||
| CVE-2023-25557 | 1 Datahub Project | 1 Datahub | 2024-11-21 | 7.5 High |
| DataHub is an open-source metadata platform. The DataHub frontend acts as a proxy able to forward any REST or GraphQL requests to the backend. The goal of this proxy is to perform authentication if needed and forward HTTP requests to the DataHub Metadata Store (GMS). It has been discovered that the proxy does not adequately construct the URL when forwarding data to GMS, allowing external users to reroute requests from the DataHub Frontend to any arbitrary hosts. As a result attackers may be able to reroute a request from originating from the frontend proxy to any other server and return the result. This vulnerability was discovered and reported by the GitHub Security lab and is tracked as GHSL-2022-076. | ||||
| CVE-2023-25504 | 1 Apache | 1 Superset | 2024-11-21 | 4.9 Medium |
| A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed. This vulnerability exists in Apache Superset versions up to and including 2.0.1. | ||||
| CVE-2023-25262 | 1 Stimulsoft | 1 Designer | 2024-11-21 | 7.5 High |
| Stimulsoft GmbH Stimulsoft Designer (Web) 2023.1.3 is vulnerable to Server Side Request Forgery (SSRF). TThe Reporting Designer (Web) offers the possibility to embed sources from external locations. If the user chooses an external location, the request to that resource is performed by the server rather than the client. Therefore, the server causes outbound traffic and potentially imports data. An attacker may also leverage this behaviour to exfiltrate data of machines on the internal network of the server hosting the Stimulsoft Reporting Designer (Web). | ||||
| CVE-2023-25230 | 1 Loonflow Project | 1 Loonflow | 2024-11-21 | 4.9 Medium |
| A Server-Side Request Forgery (SSRF) in loonflow r2.0.14 allows attackers to force the application to make arbitrary requests via manipulation of the hook_url parameter. | ||||
| CVE-2023-25195 | 1 Apache | 1 Fineract | 2024-11-21 | 8.1 High |
| Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Authorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic. This issue affects Apache Fineract: from 1.4 through 1.8.3. | ||||
| CVE-2023-25162 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 5.3 Medium |
| Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to 24.0.8 and 23.0.12 and Nextcloud Enterprise server prior to 24.0.8 and 23.0.12 are vulnerable to server-side request forgery (SSRF). Attackers can leverage enclosed alphanumeric payloads to bypass IP filters and gain SSRF, which would allow an attacker to read crucial metadata if the server is hosted on the AWS platform. Nextcloud Server 24.0.8 and 23.0.2 and Nextcloud Enterprise Server 24.0.8 and 23.0.12 contain a patch for this issue. No known workarounds are available. | ||||
| CVE-2023-24623 | 1 Paranoidhttp Project | 1 Paranoidhttp | 2024-11-21 | 7.5 High |
| Paranoidhttp before 0.3.0 allows SSRF because [::] is equivalent to the 127.0.0.1 address, but does not match the filter for private addresses. | ||||
| CVE-2023-24622 | 1 Includesecurity | 1 Safeurl-python | 2024-11-21 | 5.3 Medium |
| isInList in the safeurl-python package before 1.2 for Python has an insufficiently restrictive regular expression for external domains, leading to SSRF. | ||||
| CVE-2023-24515 | 1 Pandorafms | 1 Pandora Fms | 2024-11-21 | 5.2 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in API checker of Pandora FMS. Application does not have a check on the URL scheme used while retrieving API URL. Rather than validating the http/https scheme, the application allows other scheme such as file, which could allow a malicious user to fetch internal file content. This issue affects Pandora FMS v767 version and prior versions on all platforms. | ||||
| CVE-2023-24495 | 1 Tenable | 1 Tenable.sc | 2024-11-21 | 6.5 Medium |
| A Server Side Request Forgery (SSRF) vulnerability exists in Tenable.sc due to improper validation of session & user-accessible input data. A privileged, authenticated remote attacker could interact with external and internal services covertly. | ||||
| CVE-2023-24060 | 1 Havenweb | 1 Haven | 2024-11-21 | 5.0 Medium |
| Haven 5d15944 allows Server-Side Request Forgery (SSRF) via the feed[url]= Feeds functionality. Authenticated users with the ability to create new RSS Feeds or add RSS Feeds can supply an arbitrary hostname (or even the hostname of the Haven server itself). NOTE: this product has significant usage but does not have numbered releases; ordinary end users may typically use the master branch. | ||||
| CVE-2023-23943 | 1 Nextcloud | 1 Mail | 2024-11-21 | 5 Medium |
| Nextcloud mail is an email app for the nextcloud home server platform. In affected versions the SMTP, IMAP and Sieve host fields allowed to scan for internal services and servers reachable from within the local network of the Nextcloud Server. It is recommended that the Nextcloud Maill app is upgraded to 1.15.0 or 2.2.2. The only known workaround for this issue is to completely disable the nextcloud mail app. | ||||
| CVE-2023-23800 | 1 Getshortcodes | 1 Shortcodes Ultimate | 2024-11-21 | 7.1 High |
| Server-Side Request Forgery (SSRF) vulnerability in Vova Anokhin WP Shortcodes Plugin — Shortcodes Ultimate.This issue affects WP Shortcodes Plugin — Shortcodes Ultimate: from n/a through 5.12.6. | ||||
| CVE-2023-23684 | 1 Wpengine | 1 Wpgraphql | 2024-11-21 | 4.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL.This issue affects WPGraphQL: from n/a through 1.14.5. | ||||
| CVE-2023-23560 | 1 Lexmark | 256 B2236, B2236 Firmware, B2338 and 253 more | 2024-11-21 | 9.8 Critical |
| In certain Lexmark products through 2023-01-12, SSRF can occur because of a lack of input validation. | ||||
| CVE-2023-23169 | 1 Synapsoft | 1 Pdfocus | 2024-11-21 | 6.5 Medium |
| Synapsoft pdfocus 1.17 is vulnerable to local file inclusion and server-side request forgery Directory Traversal. | ||||
| CVE-2023-22817 | 1 Westerndigital | 26 My Cloud Dl2100, My Cloud Dl2100 Firmware, My Cloud Dl4100 and 23 more | 2024-11-21 | 5.5 Medium |
| Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed by fixing DNS addresses that refer to loopback. This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104. | ||||