ReportizFlow
Filtered by vendor
Subscriptions
Total
1333 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-28627 | 1 Adobe | 1 Experience Manager | 2024-11-21 | 5.4 Medium |
| Adobe Experience Manager Cloud Service offering, as well as versions 6.5.8.0 (and below) is affected by a Server-side Request Forgery. An authenticated attacker could leverage this vulnerability to contact systems blocked by the dispatcher. Exploitation of this issue does not require user interaction. | ||||
| CVE-2021-28060 | 1 Group-office | 1 Group Office | 2024-11-21 | 5.3 Medium |
| A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php. | ||||
| CVE-2021-27905 | 1 Apache | 1 Solr | 2024-11-21 | 9.8 Critical |
| The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2. | ||||
| CVE-2021-27738 | 1 Apache | 1 Kylin | 2024-11-21 | 7.5 High |
| All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2. | ||||
| CVE-2021-27693 | 1 Publiccms | 1 Publiccms | 2024-11-21 | 9.8 Critical |
| Server-side Request Forgery (SSRF) vulnerability in PublicCMS before 4.0.202011.b via /publiccms/admin/ueditor when the action is catchimage. | ||||
| CVE-2021-27670 | 1 Appspace | 1 Appspace | 2024-11-21 | 9.8 Critical |
| Appspace 6.2.4 allows SSRF via the api/v1/core/proxy/jsonprequest url parameter. | ||||
| CVE-2021-27329 | 1 Frendi | 1 Frendica | 2024-11-21 | 10.0 Critical |
| Friendica 2021.01 allows SSRF via parse_url?binurl= for DNS lookups or HTTP requests to arbitrary domain names. | ||||
| CVE-2021-27312 | 2024-11-21 | 9.4 Critical | ||
| Server Side Request Forgery (SSRF) vulnerability in Gleez Cms 1.2.0, allows remote attackers to execute arbitrary code and obtain sensitive information via modules/gleez/classes/request.php. | ||||
| CVE-2021-27214 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-11-21 | 6.1 Medium |
| A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905. | ||||
| CVE-2021-27103 | 1 Accellion | 1 Fta | 2024-11-21 | 9.8 Critical |
| Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat.html. The fixed version is FTA_9_12_416 and later. | ||||
| CVE-2021-26855 | 1 Microsoft | 1 Exchange Server | 2024-11-21 | 9.1 Critical |
| Microsoft Exchange Server Remote Code Execution Vulnerability | ||||
| CVE-2021-26715 | 1 Mitreid | 1 Connect | 2024-11-21 | 9.1 Critical |
| The OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Server Side Request Forgery (SSRF) vulnerability. The vulnerability arises due to unsafe usage of the logo_uri parameter in the Dynamic Client Registration request. An unauthenticated attacker can make a HTTP request from the vulnerable server to any address in the internal network and obtain its response (which might, for example, have a JavaScript payload for resultant XSS). The issue can be exploited to bypass network boundaries, obtain sensitive data, or attack other hosts in the internal network. | ||||
| CVE-2021-26699 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 5.4 Medium |
| OX App Suite before 7.10.3-rev4 and 7.10.4 before 7.10.4-rev4 allows SSRF via a shared SVG document that is mishandled by the imageconverter component when the .png extension is used. | ||||
| CVE-2021-26072 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2024-11-21 | 4.3 Medium |
| The WidgetConnector plugin in Confluence Server and Confluence Data Center before version 5.8.6 allowed remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability. | ||||
| CVE-2021-25972 | 1 Tuzitio | 1 Camaleon Cms | 2024-11-21 | 4.9 Medium |
| In Camaleon CMS, versions 2.1.2.0 to 2.6.0, are vulnerable to Server-Side Request Forgery (SSRF) in the media upload feature, which allows admin users to fetch media files from external URLs but fails to validate URLs referencing to localhost or other internal servers. This allows attackers to read files stored in the internal server. | ||||
| CVE-2021-25939 | 1 Arangodb | 1 Arangodb | 2024-11-21 | 2.7 Low |
| In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature which allows downloading a Foxx service from a publicly available URL. This feature does not enforce proper filtering of requests performed internally, which can be abused by a highly-privileged attacker to perform blind SSRF and send internal requests to localhost. | ||||
| CVE-2021-25640 | 1 Apache | 1 Dubbo | 2024-11-21 | 6.1 Medium |
| In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability. | ||||
| CVE-2021-25241 | 2 Microsoft, Trendmicro | 3 Windows, Apex One, Worry-free Business Security | 2024-11-21 | 5.3 Medium |
| A server-side request forgery (SSRF) information disclosure vulnerability in Trend Micro Apex One and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to locate online agents via a sweep. | ||||
| CVE-2021-25236 | 2 Microsoft, Trendmicro | 3 Windows, Officescan, Worry-free Business Security | 2024-11-21 | 5.3 Medium |
| A server-side request forgery (SSRF) information disclosure vulnerability in Trend Micro OfficeScan XG SP1 and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to locate online agents via a specific sweep. | ||||
| CVE-2021-24472 | 1 Qantumthemes | 2 Kentharadio, Onair2 | 2024-11-21 | 9.8 Critical |
| The OnAir2 WordPress theme before 3.9.9.2 and QT KenthaRadio WordPress plugin before 2.0.2 have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this would allow for SSRF (Server Side Request Forgery) and RFI (Remote File Inclusion) vulnerabilities on the website. | ||||