Total
1899 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-31979 | 1 Apache | 1 Streampipes | 2024-11-21 | 4.3 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements. Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. These endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue. | ||||
| CVE-2024-31897 | 1 Ibm | 1 Cloud Pak For Business Automation | 2024-11-21 | 4.3 Medium |
| IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, 22.0.2, 23.0.1, and 23.0.2 vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 288178. | ||||
| CVE-2024-31288 | 1 Rapidload | 1 Power-up For Autoptimize | 2024-11-21 | 7.2 High |
| Server-Side Request Forgery (SSRF) vulnerability in RapidLoad RapidLoad Power-Up for Autoptimize.This issue affects RapidLoad Power-Up for Autoptimize: from n/a through 2.2.11. | ||||
| CVE-2024-31229 | 1 Really-simple-plugins | 1 Complianz | 2024-11-21 | 5.5 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Really Simple Plugins Really Simple SSL.This issue affects Really Simple SSL: from n/a through 7.2.3. | ||||
| CVE-2024-30532 | 2024-11-21 | 4.9 Medium | ||
| Server-Side Request Forgery (SSRF) vulnerability in Builderall Team Builderall Builder for WordPress.This issue affects Builderall Builder for WordPress: from n/a through 2.0.1. | ||||
| CVE-2024-2796 | 1 Akana | 1 Akana Api Platform | 2024-11-21 | 9.3 Critical |
| A server-side request forgery (SSRF) was discovered in the Akana API Platform in versions prior to and including 2022.1.3. Reported by Jakob Antonsson. | ||||
| CVE-2024-2057 | 2024-11-21 | 6.3 Medium | ||
| A vulnerability was found in LangChain langchain_community 0.0.26. It has been classified as critical. Affected is the function load_local in the library libs/community/langchain_community/retrievers/tfidf.py of the component TFIDFRetriever. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.0.27 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-255372. | ||||
| CVE-2024-29736 | 2 Apache, Redhat | 3 Cxf, Apache-camel-spring-boot, Apache Camel Spring Boot | 2024-11-21 | 7.5 High |
| A SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF style attacks on REST webservices. The attack only applies if a custom stylesheet parameter is configured. | ||||
| CVE-2024-29319 | 1 Personal-management-system | 1 Personal Management System | 2024-11-21 | 9.8 Critical |
| Volmarg Personal Management System 1.4.64 is vulnerable to SSRF (Server Side Request Forgery) via uploading a SVG file. The server can make unintended HTTP and DNS requests to a server that the attacker controls. | ||||
| CVE-2024-27707 | 2024-11-21 | 4.3 Medium | ||
| Server Side Request Forgery (SSRF) vulnerability in hcengineering Huly Platform v.0.6.202 allows attackers to run arbitrary code via upload of crafted SVG file. | ||||
| CVE-2024-27620 | 1 Everywall | 1 Ladder | 2024-11-21 | 7.5 High |
| An issue in Ladder v.0.0.1 thru v.0.0.21 allows a remote attacker to obtain sensitive information via a crafted request to the API. | ||||
| CVE-2024-24829 | 1 Sentry | 1 Sentry | 2024-11-21 | 4.3 Medium |
| Sentry is an error tracking and performance monitoring platform. Sentry’s integration platform provides a way for external services to interact with Sentry. One of such integrations, the Phabricator integration (maintained by Sentry) with version <=24.1.1 contains a constrained SSRF vulnerability. An attacker could make Sentry send POST HTTP requests to arbitrary URLs (including internal IP addresses) by providing an unsanitized input to the Phabricator integration. However, the body payload is constrained to a specific format. If an attacker has access to a Sentry instance, this allows them to: 1. interact with internal network; 2. scan local/remote ports. This issue has been fixed in Sentry self-hosted release 24.1.2, and has already been mitigated on sentry.io on February 8. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-23838 | 1 Truelayer | 1 Truelayer.net | 2024-11-21 | 7.5 High |
| TrueLayer.NET is the .Net client for TrueLayer. The vulnerability could potentially allow a malicious actor to gain control over the destination URL of the HttpClient used in the API classes. For applications using the SDK, requests to unexpected resources on local networks or to the internet could be made which could lead to information disclosure. The issue can be mitigated by having strict egress rules limiting the destinations to which requests can be made, and applying strict validation to any user input passed to the `truelayer-dotnet` library. Versions of TrueLayer.Client `v1.6.0` and later are not affected. | ||||
| CVE-2024-23761 | 1 Gambio | 1 Gambio | 2024-11-21 | 9.8 Critical |
| Server Side Template Injection in Gambio 4.9.2.0 allows attackers to run arbitrary code via crafted smarty email template. | ||||
| CVE-2024-22329 | 1 Ibm | 2 Websphere Application Server, Websphere Application Server Liberty | 2024-11-21 | 4.3 Medium |
| IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.3 are vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, an attacker could exploit this vulnerability to conduct the SSRF attack. X-Force ID: 279951. | ||||
| CVE-2024-22203 | 1 Benbusby | 1 Whoogle Search | 2024-11-21 | 9.1 Critical |
| Whoogle Search is a self-hosted metasearch engine. In versions prior to 0.8.4, the `element` method in `app/routes.py` does not validate the user-controlled `src_type` and `element_url` variables and passes them to the `send` method which sends a GET request on lines 339-343 in `request.py`, which leads to a server-side request forgery. This issue allows for crafting GET requests to internal and external resources on behalf of the server. For example, this issue would allow for accessing resources on the internal network that the server has access to, even though these resources may not be accessible on the internet. This issue is fixed in version 0.8.4. | ||||
| CVE-2024-22134 | 1 Renzojohnson | 1 Contact Form 7 Extension For Mailchimp | 2024-11-21 | 4.9 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Renzo Johnson Contact Form 7 Extension For Mailchimp.This issue affects Contact Form 7 Extension For Mailchimp: from n/a through 0.5.70. | ||||
| CVE-2024-21527 | 2024-11-21 | 8.2 High | ||
| Versions of the package github.com/gotenberg/gotenberg/v8/pkg/gotenberg before 8.1.0; versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/chromium before 8.1.0; versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/webhook before 8.1.0 are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when a request is made to a file via localhost, such as <iframe src="\\localhost/etc/passwd">. By exploiting this vulnerability, an attacker can achieve local file inclusion, allowing of sensitive files read on the host system. Workaround An alternative is using either or both --chromium-deny-list and --chromium-allow-list flags. | ||||
| CVE-2024-20404 | 1 Cisco | 1 Finesse | 2024-11-21 | 7.2 High |
| A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct an SSRF attack on an affected system. This vulnerability is due to insufficient validation of user-supplied input for specific HTTP requests that are sent to an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to obtain limited sensitive information for services that are associated to the affected device. | ||||
| CVE-2024-0945 | 1 60indexpage Project | 1 60indexpage | 2024-11-21 | 7.3 High |
| A vulnerability classified as critical has been found in 60IndexPage up to 1.8.5. This affects an unknown part of the file /include/file.php of the component Parameter Handler. The manipulation of the argument url leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252189 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||