Total
1549 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-28360 | 1 Private-ip Project | 1 Private-ip | 2024-11-21 | 9.8 Critical |
| Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF. An attacker can perform a large range of requests to ARIN reserved IP ranges, resulting in an indeterminable number of critical attack vectors, allowing remote attackers to request server-side resources or potentially execute arbitrary code through various SSRF techniques. | ||||
| CVE-2020-28168 | 2 Axios, Siemens | 2 Axios, Sinec Ins | 2024-11-21 | 5.9 Medium |
| Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address. | ||||
| CVE-2020-28043 | 1 Misp | 1 Misp | 2024-11-21 | 7.5 High |
| MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL. | ||||
| CVE-2020-27626 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 5.3 Medium |
| JetBrains YouTrack before 2020.3.5333 was vulnerable to SSRF. | ||||
| CVE-2020-27624 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 5.3 Medium |
| JetBrains YouTrack before 2020.3.888 was vulnerable to SSRF. | ||||
| CVE-2020-27375 | 1 Drtrustusa | 2 Icheck Connect Bp Monitor Bp Testing 118, Icheck Connect Bp Monitor Bp Testing 118 Firmware | 2024-11-21 | 6.5 Medium |
| Dr Trust USA iCheck Connect BP Monitor BP Testing 118 version 1.2.1 is vulnerable to Transmitting Write Requests and Chars. | ||||
| CVE-2020-27197 | 2 Eclecticiq, Libtaxii Project | 2 Opentaxii, Libtaxii | 2024-11-21 | 9.8 Critical |
| TAXII libtaxii through 1.1.117, as used in EclecticIQ OpenTAXII through 0.2.0 and other products, allows SSRF via an initial http:// substring to the parse method, even when the no_network setting is used for the XML parser. NOTE: the vendor points out that the parse method "wraps the lxml library" and that this may be an issue to "raise ... to the lxml group. | ||||
| CVE-2020-27018 | 2 Microsoft, Trendmicro | 2 Windows, Interscan Messaging Security Virtual Appliance | 2024-11-21 | 5.5 Medium |
| Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to a server side request forgery vulnerability which could allow an authenticated attacker to abuse the product's web server and grant access to web resources or parts of local files. An attacker must already have obtained authenticated privileges on the product to exploit this vulnerability. | ||||
| CVE-2020-26948 | 1 Emby | 1 Emby | 2024-11-21 | 9.8 Critical |
| Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter. | ||||
| CVE-2020-26815 | 1 Sap | 1 Fiori Launchpad \(news Tile Application\) | 2024-11-21 | 8.6 High |
| SAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to send a crafted request to a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network to retrieve sensitive / confidential resources which are otherwise restricted for internal usage only, resulting in a Server-Side Request Forgery vulnerability. | ||||
| CVE-2020-26811 | 1 Sap | 1 Commerce Cloud \(accelerator Payment Mock\) | 2024-11-21 | 5.3 Medium |
| SAP Commerce Cloud (Accelerator Payment Mock), versions - 1808, 1811, 1905, 2005, allows an unauthenticated attacker to submit a crafted request over a network to a particular SAP Commerce module URL which will be processed without further interaction, the crafted request leads to Server Side Request Forgery attack which could lead to retrieval of limited pieces of information about the service with no impact on integrity or availability. | ||||
| CVE-2020-26032 | 1 Zammad | 1 Zammad | 2024-11-21 | 7.5 High |
| An SSRF issue was discovered in Zammad before 3.4.1. The SMS configuration interface for Massenversand is implemented in a way that renders the result of a test request to the User. An attacker can use this to request any URL via a GET request from the network interface of the server. This may lead to disclosure of information from intranet systems. | ||||
| CVE-2020-25820 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 6.5 Medium |
| BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field. | ||||
| CVE-2020-25466 | 1 Crmeb | 1 Crmeb | 2024-11-21 | 9.8 Critical |
| A SSRF vulnerability exists in the downloadimage interface of CRMEB 3.0, which can remotely download arbitrary files on the server and remotely execute arbitrary code. | ||||
| CVE-2020-25353 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 6.5 Medium |
| A server-side request forgery (SSRF) vulnerability in rConfig 3.9.5 has been fixed for 3.9.6. This vulnerability allowed remote authenticated attackers to open a connection to the machine via the deviceIpAddr and connPort parameters. | ||||
| CVE-2020-24898 | 1 Stiltsoft | 1 Table Filter And Charts For Confluence Server | 2024-11-21 | 7.6 High |
| The Table Filter and Charts for Confluence Server app before 5.3.26 (for Atlassian Confluence) allows SSRF via the "Table from CSV" macro (URL parameter). | ||||
| CVE-2020-24881 | 1 Osticket | 1 Osticket | 2024-11-21 | 9.8 Critical |
| SSRF exists in osTicket before 1.14.3, where an attacker can add malicious file to server or perform port scanning. | ||||
| CVE-2020-24815 | 1 Microstrategy | 1 Microstrategy | 2024-11-21 | 6.5 Medium |
| A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded in a dossier/dashboard document. NOTE: 10.4., no fix will be released as version will reach end-of-life on 31/12/2020. | ||||
| CVE-2020-24710 | 1 Getgophish | 1 Gophish | 2024-11-21 | 5.3 Medium |
| Gophish before 0.11.0 allows SSRF attacks. | ||||
| CVE-2020-24700 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 5.4 Medium |
| OX App Suite through 7.10.3 allows SSRF because GET requests are sent to arbitrary domain names with an initial autoconfig. substring. | ||||