Total
1522 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-31188 | 1 Cvat | 1 Cvat | 2024-11-21 | N/A | 8.6 HIGH |
| CVAT is an opensource interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. Validation has been added to urls used in the affected code path in version 2.0.0. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-31132 | 1 Nextcloud | 1 Mail | 2024-11-21 | N/A | 8.3 HIGH |
| Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions shipped with a CSS minifier on the path `./vendor/cerdic/css-tidy/css_optimiser.php`. Access to the minifier is unrestricted and access may lead to Server-Side Request Forgery (SSRF). It is recommendet to upgrade to Mail 1.12.7 or Mail 1.13.6. Users unable to upgrade may manually delete the file located at `./vendor/cerdic/css-tidy/css_optimiser.php` | |||||
| CVE-2022-30579 | 1 Tibco | 2 Spotfire Analytics Platform, Spotfire Server | 2024-11-21 | N/A | 7.1 HIGH |
| The Web Player component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a difficult to exploit vulnerability that allows a low privileged attacker with network access to execute blind Server Side Request Forgery (SSRF) on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace: version 12.0.0 and TIBCO Spotfire Server: version 12.0.0. | |||||
| CVE-2022-30049 | 1 Ruifang-tech | 1 Rebuild | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A Server-Side Request Forgery (SSRF) in Rebuild v2.8.3 allows attackers to obtain the real IP address and scan Intranet information via the fileurl parameter. | |||||
| CVE-2022-2912 | 1 Craw-data Project | 1 Craw-data | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Craw Data WordPress plugin through 1.0.0 does not implement nonce checks, which could allow attackers to make a logged in admin change the url value performing unwanted crawls on third-party sites (SSRF). | |||||
| CVE-2022-2900 | 1 Parse-url Project | 1 Parse-url | 2024-11-21 | N/A | 9.1 CRITICAL |
| Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0. | |||||
| CVE-2022-2756 | 1 Kavitareader | 1 Kavita | 2024-11-21 | N/A | 6.5 MEDIUM |
| Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1. | |||||
| CVE-2022-2556 | 1 Mailchimp | 1 Mailchimp For Woocommerce | 2024-11-21 | N/A | 2.7 LOW |
| The Mailchimp for WooCommerce WordPress plugin before 2.7.2 has an AJAX action that allows high privilege users to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example | |||||
| CVE-2022-2416 | 1 Octopus | 1 Octopus Server | 2024-11-21 | N/A | 5.5 MEDIUM |
| In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment. | |||||
| CVE-2022-2352 | 1 Wpexperts | 1 Post Smtp | 2024-11-21 | N/A | 7.2 HIGH |
| The Post SMTP Mailer/Email Log WordPress plugin before 2.1.7 does not have proper authorisation in some AJAX actions, which could allow high privilege users such as admin to perform blind SSRF on multisite installations for example. | |||||
| CVE-2022-2339 | 1 Xgenecloud | 1 Nocodb | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| With this SSRF vulnerability, an attacker can reach internal addresses to make a request as the server and read it's contents. This attack can lead to leak of sensitive information. | |||||
| CVE-2022-2267 | 1 Mailchimp | 1 Mailchimp For Woocommerce | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Mailchimp for WooCommerce WordPress plugin before 2.7.1 has an AJAX action that allows any logged in users (such as subscriber) to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example | |||||
| CVE-2022-2216 | 1 Parse-url Project | 1 Parse-url | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0. | |||||
| CVE-2022-29942 | 1 Talend | 1 Administration Center | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Talend Administration Center has a vulnerability that allows an authenticated user to use the Service Registry 'Add' functionality to perform SSRF HTTP GET requests on URLs in the internal network. The issue is fixed for versions 8.0.x in TPS-5189, versions 7.3.x in TPS-5175, and versions 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version. | |||||
| CVE-2022-29848 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Progress Ipswitch WhatsUp Gold 17.0.0 through 21.1.1, and 22.0.0, it is possible for an authenticated user to invoke an API transaction that would allow them to read sensitive operating-system attributes from a host that is accessible by the WhatsUp Gold system. | |||||
| CVE-2022-29847 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Progress Ipswitch WhatsUp Gold 21.0.0 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to invoke an API transaction that would allow them to relay encrypted WhatsUp Gold user credentials to an arbitrary host. | |||||
| CVE-2022-29840 | 1 Westerndigital | 11 My Cloud, My Cloud Dl2100, My Cloud Dl4100 and 8 more | 2024-11-21 | N/A | 5.1 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL to point back to the loopback adapter was addressed in Western Digital My Cloud OS 5 devices. This could allow the URL to exploit other vulnerabilities on the local server.This issue affects My Cloud OS 5 devices before 5.26.202. | |||||
| CVE-2022-29612 | 1 Sap | 2 Host Agent, Netweaver Abap | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| SAP NetWeaver, ABAP Platform and SAP Host Agent - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, 8.04, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, 8.04, SAPHOSTAGENT 7.22, allows an authenticated user to misuse a function of sapcontrol webfunctionality(startservice) in Kernel which enables malicious users to retrieve information. On successful exploitation, an attacker can obtain technical information like system number or physical address, which is otherwise restricted, causing a limited impact on the confidentiality of the application. | |||||
| CVE-2022-29556 | 1 Northern.tech | 1 Mender | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The iot-manager microservice 1.0.0 in Northern.tech Mender Enterprise before 3.2.2 allows SSRF because the Azure IoT Hub integration provides several SSRF primitives that can execute cross-tenant actions via internal API endpoints. | |||||
| CVE-2022-29188 | 1 Stripe | 1 Smokescreen | 2024-11-21 | 6.4 MEDIUM | 5.3 MEDIUM |
| Smokescreen is an HTTP proxy. The primary use case for Smokescreen is to prevent server-side request forgery (SSRF) attacks in which external attackers leverage the behavior of applications to connect to or scan internal infrastructure. Smokescreen also offers an option to deny access to additional (e.g., external) URLs by way of a deny list. There was an issue in Smokescreen that made it possible to bypass the deny list feature by surrounding the hostname with square brackets (e.g. `[example.com]`). This only impacted the HTTP proxy functionality of Smokescreen. HTTPS requests were not impacted. Smokescreen version 0.0.4 contains a patch for this issue. | |||||