Total
1655 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-28090 | 1 Ujcms | 1 Jspxcms | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| Jspxcms v10.2.0 allows attackers to execute a Server-Side Request Forgery (SSRF) via /cmscp/ext/collect/fetch_url.do?url=. | |||||
| CVE-2022-27907 | 1 Sonatype | 1 Nexus Repository Manager | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Sonatype Nexus Repository Manager 3.x before 3.38.0 allows SSRF. | |||||
| CVE-2022-27780 | 3 Haxx, Netapp, Splunk | 15 Curl, Clustered Data Ontap, H300s and 12 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a *different* URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters, checks and more. | |||||
| CVE-2022-27469 | 1 Monstaftp | 1 Monsta Ftp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Monstaftp v2.10.3 was discovered to allow attackers to execute Server-Side Request Forgery (SSRF). | |||||
| CVE-2022-27429 | 1 Jizhicms | 1 Jizhicms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Jizhicms v1.9.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via /admin.php/Plugins/update.html. | |||||
| CVE-2022-27426 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A Server-Side Request Forgery (SSRF) in Chamilo LMS v1.11.13 allows attackers to enumerate the internal network and execute arbitrary system commands via a crafted Phar file. | |||||
| CVE-2022-27311 | 1 Gibbon Project | 1 Gibbon | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Gibbon v3.4.4 and below allows attackers to execute a Server-Side Request Forgery (SSRF) via a crafted URL. | |||||
| CVE-2022-27245 | 1 Misp | 1 Misp | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF. | |||||
| CVE-2022-27234 | 1 Intel | 1 Computer Vision Annotation Tool | 2024-11-21 | N/A | 4.3 MEDIUM |
| Server-side request forgery in the CVAT software maintained by Intel(R) before version 2.0.1 may allow an authenticated user to potentially enable information disclosure via network access. | |||||
| CVE-2022-26499 | 2 Debian, Digium | 2 Debian Linux, Asterisk | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2. | |||||
| CVE-2022-26135 | 1 Atlassian | 4 Jira Data Center, Jira Server, Jira Service Desk and 1 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4. | |||||
| CVE-2022-25876 | 1 Link-preview-js Project | 1 Link-preview-js | 2024-11-21 | 2.1 LOW | 6.2 MEDIUM |
| The package link-preview-js before 2.1.16 are vulnerable to Server-side Request Forgery (SSRF) which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection. | |||||
| CVE-2022-25850 | 1 Proxyscotch Project | 1 Proxyscotch | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The package github.com/hoppscotch/proxyscotch before 1.0.0 are vulnerable to Server-side Request Forgery (SSRF) when interceptor mode is set to proxy. It occurs when an HTTP request is made by a backend server to an untrusted URL submitted by a user. It leads to a leakage of sensitive information from the server. | |||||
| CVE-2022-25801 | 1 Bestpractical | 1 Request Tracker For Incident Response | 2024-11-21 | N/A | 9.1 CRITICAL |
| Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via Scripted Action tools. | |||||
| CVE-2022-25800 | 1 Bestpractical | 1 Request Tracker For Incident Response | 2024-11-21 | N/A | 9.1 CRITICAL |
| Best Practical RT for Incident Response (RTIR) before 4.0.3 and 5.x before 5.0.3 allows SSRF via the whois lookup tool. | |||||
| CVE-2022-25260 | 1 Jetbrains | 1 Hub | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| JetBrains Hub before 2021.1.14276 was vulnerable to blind Server-Side Request Forgery (SSRF). | |||||
| CVE-2022-24980 | 1 Kitodo | 1 Kitodo.presentation | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the Kitodo.Presentation (aka dif) extension before 2.3.2, 3.x before 3.2.3, and 3.3.x before 3.3.4 for TYPO3. A missing access check in an eID script allows an unauthenticated user to submit arbitrary URLs to this component. This results in SSRF, allowing attackers to view the content of any file or webpage the webserver has access to. | |||||
| CVE-2022-24969 | 1 Apache | 1 Dubbo | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability. | |||||
| CVE-2022-24871 | 1 Shopware | 1 Shopware | 2024-11-21 | 5.5 MEDIUM | 7.2 HIGH |
| Shopware is an open commerce platform based on Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue. | |||||
| CVE-2022-24862 | 1 Databasir Project | 1 Databasir | 2024-11-21 | 4.0 MEDIUM | 7.7 HIGH |
| Databasir is a team-oriented relational database model document management platform. Databasir 1.01 has Server-Side Request Forgery vulnerability. During the download verification process of a JDBC driver the corresponding JDBC driver download address will be downloaded first, but this address will return a response page with complete error information when accessing a non-existent URL. Attackers can take advantage of this feature for SSRF. | |||||