Total
1488 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-3774 | 1 Url-parse Project | 1 Url-parse | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
| Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol. | |||||
| CVE-2018-2463 | 1 Sap | 1 Hybris | 2024-11-21 | 5.0 MEDIUM | 8.6 HIGH |
| The Omni Commerce Connect API (OCC) of SAP Hybris Commerce, versions 6.*, is vulnerable to server-side request forgery (SSRF) attacks. This is due to a misconfiguration of XML parser that is used in the server-side implementation of OCC. | |||||
| CVE-2018-2445 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-11-21 | 5.5 MEDIUM | 9.6 CRITICAL |
| AdminTools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application, resulting in a Server-Side Request Forgery (SSRF) vulnerability. | |||||
| CVE-2018-2370 | 1 Sap | 1 Bi Launchpad | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Server Side Request Forgery (SSRF) vulnerability in SAP Central Management Console, BI Launchpad and Fiori BI Launchpad, 4.10, from 4.20, from 4.30, could allow a malicious user to use common techniques to determine which ports are in use on the backend server. | |||||
| CVE-2018-25031 | 1 Smartbear | 1 Swagger Ui | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others. | |||||
| CVE-2018-20596 | 1 Jspxcms | 1 Jspxcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Jspxcms v9.0.0 allows SSRF. | |||||
| CVE-2018-20528 | 1 Jeecms | 1 Jeecms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| JEECMS 9 has SSRF via the ueditor/getRemoteImage.jspx upfile parameter. | |||||
| CVE-2018-20499 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.4 MEDIUM | 7.2 HIGH |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF. | |||||
| CVE-2018-20497 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 5.0 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF. | |||||
| CVE-2018-20436 | 1 Telegram | 2 Telegram, Web | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| The "secret chat" feature in Telegram 4.9.1 for Android has a "side channel" in which Telegram servers send GET requests for URLs typed while composing a chat message, before that chat message is sent. There are also GET requests to other URLs on the same web server. This also affects one or more other Telegram products, such as Telegram Web-version 0.7.0. In addition, it can be interpreted as an SSRF issue. NOTE: a third party has reported that potentially unwanted behavior is caused by misconfiguration of the "Secret chats > Preview links" setting | |||||
| CVE-2018-20228 | 1 Subsonic | 1 Subsonic | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH |
| Subsonic V6.1.5 allows internetRadioSettings.view streamUrl CSRF, with resultant SSRF. | |||||
| CVE-2018-1789 | 1 Ibm | 1 Api Connect | 2024-11-21 | 6.5 MEDIUM | 8.4 HIGH |
| IBM API Connect v2018.1.0 through v2018.3.4 could allow an attacker to send a specially crafted request to conduct a server side request forgery attack. IBM X-Force ID: 148939. | |||||
| CVE-2018-1042 | 1 Moodle | 1 Moodle | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Moodle 3.x has Server Side Request Forgery in the filepicker. | |||||
| CVE-2018-19651 | 1 Interspire | 1 Email Marketer | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| admin/functions/remote.php in Interspire Email Marketer through 6.1.6 has Server Side Request Forgery (SSRF) via a what=importurl&url= request with an http or https URL. This also allows reading local files with a file: URL. | |||||
| CVE-2018-19601 | 1 Rhymix | 1 Rhymix | 2024-11-21 | 6.5 MEDIUM | 9.1 CRITICAL |
| Rhymix CMS 1.9.8.1 allows SSRF via an index.php?module=admin&act=dispModuleAdminFileBox SVG upload. | |||||
| CVE-2018-19571 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 7.7 HIGH |
| GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks. | |||||
| CVE-2018-19495 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is an SSRF vulnerability in the Prometheus integration. | |||||
| CVE-2018-19047 | 1 Mpdf Project | 1 Mpdf | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
| mPDF through 7.1.6, if deployed as a web application that accepts arbitrary HTML, allows SSRF, as demonstrated by a '<img src="http://192.168' substring that triggers a call to getImage in Image/ImageProcessor.php. NOTE: the software maintainer disputes this, stating "If you allow users to pass HTML without sanitising it, you're asking for trouble. | |||||
| CVE-2018-1999039 | 1 Jenkins | 1 Confluence Publisher | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A server-side request forgery vulnerability exists in Jenkins Confluence Publisher Plugin 2.0.1 and earlier in ConfluenceSite.java that allows attackers to have Jenkins submit login requests to an attacker-specified Confluence server URL with attacker specified credentials. | |||||
| CVE-2018-1999026 | 1 Jenkins | 1 Tracetronic Ecu-test | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| A server-side request forgery vulnerability exists in Jenkins TraceTronic ECU-TEST Plugin 2.3 and earlier in ATXPublisher.java that allows attackers to have Jenkins send HTTP requests to an attacker-specified host. | |||||