CWE:

| Severity | Title | Date | Author |
|---|---|---|---|
| Low | SAP Enterprise Portal iviewCatcherEditor Server-Side Request Forgery | 27.01.2022 | Yvan Genuer |
| Med. | OX App Suite / OX Guard / OX Documents SSRF / Cross Site Scripting | 17.07.2021 | Martin Heiland |
| Med. | Acronis Cyber Backup 12.5 Build 16341 Server-Side Request Forgery | 17.09.2020 | Julien Ahrens |
| Low | OX App Suite / OX Documents 7.10.3 XSS / SSRF / Improper Validation | 16.06.2020 | Martin Heiland |
| High | Fortify SSC 17.10 / 17.20 / 18.10 XXE Injection | 14.07.2018 | Alt3kx |
| Low | SPIP 3.1.2 Server Side Request Forgery | 20.10.2016 | Nicolas CHATELAIN |
| Low | Google Docs XSPA / SSRF | 10.09.2016 | Ashiyane Digital Secur... |
| Low | Infoware MapSuite Server-Side Request Forgery | 04.06.2014 | Christian |


Common Weakness Enumeration (CWE)

Date | Severity | CVE | Details | Description
2022-08-12 | Waiting for details | CVE-2022-35949

undici is an HTTP/1.1 client, written from scratch for Node.js. `undici` is vulnerable to SSRF (Server-Side Request Forgery) when an application takes **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1`:

```js
const undici = require("undici")
// The pathname, not the origin, ends up deciding where this request is sent.
undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})
```

Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1` is used), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes user input into the `path` parameter of `undici.request`, it can result in an _SSRF_, as they will assume that the hostname cannot change, when in fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.

2022-08-10 | Waiting for details | CVE-2022-2756

Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1.

2022-08-04 | Waiting for details | CVE-2022-31132

Nextcloud Mail is an email application for the Nextcloud personal cloud product. Affected versions shipped with a CSS minifier on the path `./vendor/cerdic/css-tidy/css_optimiser.php`. Access to the minifier is unrestricted and may lead to Server-Side Request Forgery (SSRF). It is recommended to upgrade to Mail 1.12.7 or Mail 1.13.6. Users unable to upgrade may manually delete the file located at `./vendor/cerdic/css-tidy/css_optimiser.php`.

2022-08-01 | Waiting for details | CVE-2022-31188

CVAT is an open-source interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-Side Request Forgery (SSRF) vulnerability. Validation has been added to URLs used in the affected code path in version 2.0.0. Users are advised to upgrade. There are no known workarounds for this issue.

2022-07-07 | Medium | CVE-2022-2339 | Vendor: Xgenecloud, Software: Nocodb

With this SSRF vulnerability, an attacker can reach internal addresses, make a request as the server and read its contents. This attack can lead to a leak of sensitive information.

2022-06-28 | Waiting for details | CVE-2022-0085

Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0.

2022-06-27 | Waiting for details | CVE-2022-2216

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0.

2022-06-24 | Low | CVE-2021-20544

IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 198931.

Low | CVE-2021-20421

IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

2022-06-23 | Low | CVE-2022-34011 | Vendor: ZHYD, Software: Oneblog

OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the parameter entryUrls.


Copyright 2022, cxsecurity.com