Total
1490 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-23955 | 1 Broadcom | 2 Advanced Secure Gateway, Content Analysis | 2025-01-09 | N/A | 8.1 HIGH |
| Advanced Secure Gateway and Content Analysis, prior to 7.3.13.1 / 3.1.6.0, may be susceptible to a Server-Side Request Forgery vulnerability. | |||||
| CVE-2024-13195 | 2025-01-09 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in donglight bookstore电商书城系统说明 1.0.0. It has been classified as critical. This affects the function getHtml of the file src/main/java/org/zdd/bookstore/rawl/HttpUtil.java. The manipulation of the argument url leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-53705 | 2025-01-09 | N/A | 7.5 HIGH | ||
| A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port when the user is logged in to the firewall. | |||||
| CVE-2025-22215 | 2025-01-08 | N/A | 4.3 MEDIUM | ||
| VMware Aria Automation contains a server-side request forgery (SSRF) vulnerability. A malicious actor with "Organization Member" access to Aria Automation may exploit this vulnerability enumerate internal services running on the host/network. | |||||
| CVE-2024-54819 | 2025-01-08 | N/A | 9.1 CRITICAL | ||
| I, Librarian before and including 5.11.1 is vulnerable to Server-Side Request Forgery (SSRF) due to improper input validation in classes/security/validation.php | |||||
| CVE-2024-56279 | 2025-01-07 | N/A | 6.4 MEDIUM | ||
| Server-Side Request Forgery (SSRF) vulnerability in Tips and Tricks HQ Compact WP Audio Player allows Server Side Request Forgery.This issue affects Compact WP Audio Player: from n/a through 1.9.14. | |||||
| CVE-2024-56275 | 2025-01-07 | N/A | 4.1 MEDIUM | ||
| Server-Side Request Forgery (SSRF) vulnerability in Envato Envato Elements allows Server Side Request Forgery.This issue affects Envato Elements: from n/a through 2.0.14. | |||||
| CVE-2023-34959 | 1 Chamilo | 1 Chamilo Lms | 2025-01-06 | N/A | 5.3 MEDIUM |
| An issue in Chamilo v1.11.* up to v1.11.18 allows attackers to execute a Server-Side Request Forgery (SSRF) and obtain information on the services running on the server via crafted requests in the social and links tools. | |||||
| CVE-2023-32750 | 1 Pydio | 1 Cells | 2025-01-06 | N/A | 6.5 MEDIUM |
| Pydio Cells through 4.1.2 allows SSRF. For longer running processes, Pydio Cells allows for the creation of jobs, which are run in the background. The job "remote-download" can be used to cause the backend to send a HTTP GET request to a specified URL and save the response to a new file. The response file is then available in a user-specified folder in Pydio Cells. | |||||
| CVE-2024-13032 | 1 Antabot | 1 White-jotter | 2025-01-06 | 3.3 LOW | 2.7 LOW |
| A vulnerability classified as problematic was found in Antabot White-Jotter up to 0.2.2. Affected by this vulnerability is an unknown functionality of the file /admin/content/editor of the component Article Editor. The manipulation of the argument articleCover leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-12237 | 2025-01-03 | N/A | 4.3 MEDIUM | ||
| The Photo Gallery Slideshow & Masonry Tiled Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.15 via the rjg_get_youtube_info_justified_gallery_callback function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to retrieve limited information from internal services. | |||||
| CVE-2024-9710 | 1 Posthog | 1 Posthog | 2025-01-03 | N/A | 8.3 HIGH |
| PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PostHog. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the database_schema method. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-25351. | |||||
| CVE-2024-12801 | 2025-01-03 | N/A | N/A | ||
| Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML configuration files. | |||||
| CVE-2024-29029 | 1 Usememos | 1 Memos | 2025-01-02 | N/A | 6.1 MEDIUM |
| memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/image that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causing a reflected XSS vulnerability. Version 0.22.0 of memos removes the vulnerable file. | |||||
| CVE-2024-55082 | 2025-01-02 | N/A | 7.5 HIGH | ||
| A Server-Side Request Forgery (SSRF) in the endpoint http://{your-server}/url-to-pdf of Stirling-PDF 0.35.1 allows attackers to access sensitive information via a crafted request. | |||||
| CVE-2023-28288 | 1 Microsoft | 2 Sharepoint Foundation, Sharepoint Server | 2025-01-01 | N/A | 8.1 HIGH |
| Microsoft SharePoint Server Spoofing Vulnerability | |||||
| CVE-2024-38183 | 1 Microsoft | 1 Groupme | 2024-12-31 | N/A | 9.8 CRITICAL |
| An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network. | |||||
| CVE-2024-0403 | 1 Tandoor | 1 Recipes | 2024-12-31 | N/A | 5.3 MEDIUM |
| Recipes version 1.5.10 allows arbitrary HTTP requests to be made through the server. This is possible because the application is vulnerable to SSRF. | |||||
| CVE-2024-56800 | 2024-12-30 | N/A | 7.4 HIGH | ||
| Firecrawl is a web scraper that allows users to extract the content of a webpage for a large language model. Versions prior to 1.1.1 contain a server-side request forgery (SSRF) vulnerability. The scraping engine could be exploited by crafting a malicious site that redirects to a local IP address. This allowed exfiltration of local network resources through the API. The cloud service was patched on December 27th, 2024, and the maintainers have checked that no user data was exposed by this vulnerability. Scraping engines used in the open sourced version of Firecrawl were patched on December 29th, 2024, except for the playwright services which the maintainers have determined to be un-patchable. All users of open-source software (OSS) Firecrawl should upgrade to v1.1.1. As a workaround, OSS Firecrawl users should supply the playwright services with a secure proxy. A proxy can be specified through the `PROXY_SERVER` env in the environment variables. Please refer to the documentation for instructions. Ensure that the proxy server one is using is setup to block all traffic going to link-local IP addresses. | |||||
| CVE-2024-10044 | 2024-12-30 | N/A | 9.3 CRITICAL | ||
| A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in lm-sys/fastchat, as of commit e208d5677c6837d590b81cb03847c0b9de100765. This vulnerability allows attackers to exploit the victim controller API server's credentials to perform unauthorized web actions or access unauthorized web resources by combining it with the POST /register_worker endpoint. | |||||