Total
1819 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-52594 | 2025-01-16 | N/A | 4.3 MEDIUM | ||
| Gomatrixserverlib is a Go library for matrix federation. Gomatrixserverlib is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. The commit `c4f1e01` fixes this issue. Users are advised to upgrade. Users unable to upgrade should use a local firewall to limit the network segments and hosts the service using gomatrixserverlib can access. | |||||
| CVE-2024-1568 | 1 S-sols | 1 Seraphinite Accelerator | 2025-01-16 | N/A | 6.4 MEDIUM |
| The Seraphinite Accelerator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.20.52 via the OnAdminApi_HtmlCheck function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | |||||
| CVE-2025-22346 | 2025-01-15 | N/A | 6.4 MEDIUM | ||
| Server-Side Request Forgery (SSRF) vulnerability in Faizaan Gagan Course Migration for LearnDash allows Server Side Request Forgery.This issue affects Course Migration for LearnDash: from 1.0.2 through n/a. | |||||
| CVE-2023-6805 | 1 Themeisle | 1 Rss Aggregator By Feedzy | 2025-01-14 | N/A | 6.4 MEDIUM |
| The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 4.4.7 via the fetch_feed functionality. This makes it possible for authenticated attackers, with contributor access and above, to make web requests to arbitrary locations originating from the web application and can be used to modify information from internal services. NOTE: This vulnerability, exploitable by contributor-level users, was was fixed in version 4.4.7. The same vulnerability was fixed for author-level users in version 4.4.8. | |||||
| CVE-2022-27622 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | N/A | 4.1 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in Package Center functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote authenticated users to access intranet resources via unspecified vectors. | |||||
| CVE-2025-0474 | 2025-01-14 | N/A | 7.7 HIGH | ||
| Invoice Ninja is vulnerable to authenticated Server-Side Request Forgery (SSRF) allowing for arbitrary file read and network resource requests as the application user. This issue affects Invoice Ninja: from 5.8.56 through 5.11.23. | |||||
| CVE-2024-13139 | 1 Wangl1989 | 1 Mysiteforme | 2025-01-10 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in wangl1989 mysiteforme 1.0. It has been rated as critical. This issue affects the function doContent of the file src/main/java/com/mysiteform/admin/controller/system/FileController. The manipulation of the argument content leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-4404 | 1 Wpmet | 1 Elementskit | 2025-01-10 | N/A | 8.5 HIGH |
| The ElementsKit PRO plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.6.2 via the 'render_raw' function. This can allow authenticated attackers, with contributor-level permissions and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | |||||
| CVE-2023-28824 | 1 Contec | 1 Conprosys Hmi System | 2025-01-09 | N/A | 4.9 MEDIUM |
| Server-side request forgery vulnerability exists in CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user who can access the affected product with an administrative privilege may bypass the database restriction set on the query setting page, and connect to a user unintended database. | |||||
| CVE-2023-23955 | 1 Broadcom | 2 Advanced Secure Gateway, Content Analysis | 2025-01-09 | N/A | 8.1 HIGH |
| Advanced Secure Gateway and Content Analysis, prior to 7.3.13.1 / 3.1.6.0, may be susceptible to a Server-Side Request Forgery vulnerability. | |||||
| CVE-2024-53705 | 2025-01-09 | N/A | 7.5 HIGH | ||
| A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port when the user is logged in to the firewall. | |||||
| CVE-2025-22215 | 2025-01-08 | N/A | 4.3 MEDIUM | ||
| VMware Aria Automation contains a server-side request forgery (SSRF) vulnerability. A malicious actor with "Organization Member" access to Aria Automation may exploit this vulnerability enumerate internal services running on the host/network. | |||||
| CVE-2024-54819 | 2025-01-08 | N/A | 9.1 CRITICAL | ||
| I, Librarian before and including 5.11.1 is vulnerable to Server-Side Request Forgery (SSRF) due to improper input validation in classes/security/validation.php | |||||
| CVE-2024-56279 | 2025-01-07 | N/A | 6.4 MEDIUM | ||
| Server-Side Request Forgery (SSRF) vulnerability in Tips and Tricks HQ Compact WP Audio Player allows Server Side Request Forgery.This issue affects Compact WP Audio Player: from n/a through 1.9.14. | |||||
| CVE-2024-56275 | 2025-01-07 | N/A | 4.1 MEDIUM | ||
| Server-Side Request Forgery (SSRF) vulnerability in Envato Envato Elements allows Server Side Request Forgery.This issue affects Envato Elements: from n/a through 2.0.14. | |||||
| CVE-2023-34959 | 1 Chamilo | 1 Chamilo Lms | 2025-01-06 | N/A | 5.3 MEDIUM |
| An issue in Chamilo v1.11.* up to v1.11.18 allows attackers to execute a Server-Side Request Forgery (SSRF) and obtain information on the services running on the server via crafted requests in the social and links tools. | |||||
| CVE-2023-32750 | 1 Pydio | 1 Cells | 2025-01-06 | N/A | 6.5 MEDIUM |
| Pydio Cells through 4.1.2 allows SSRF. For longer running processes, Pydio Cells allows for the creation of jobs, which are run in the background. The job "remote-download" can be used to cause the backend to send a HTTP GET request to a specified URL and save the response to a new file. The response file is then available in a user-specified folder in Pydio Cells. | |||||
| CVE-2024-13032 | 1 Antabot | 1 White-jotter | 2025-01-06 | 3.3 LOW | 2.7 LOW |
| A vulnerability classified as problematic was found in Antabot White-Jotter up to 0.2.2. Affected by this vulnerability is an unknown functionality of the file /admin/content/editor of the component Article Editor. The manipulation of the argument articleCover leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-12237 | 2025-01-03 | N/A | 4.3 MEDIUM | ||
| The Photo Gallery Slideshow & Masonry Tiled Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.15 via the rjg_get_youtube_info_justified_gallery_callback function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to retrieve limited information from internal services. | |||||
| CVE-2024-9710 | 1 Posthog | 1 Posthog | 2025-01-03 | N/A | 8.3 HIGH |
| PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PostHog. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the database_schema method. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-25351. | |||||