Total
1547 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-14170 | 1 Atlassian | 1 Bitbucket | 2024-11-21 | 4.3 Medium |
| Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability. | ||||
| CVE-2020-14160 | 1 Thecodingmachine | 1 Gotenberg | 2024-11-21 | 7.5 High |
| An SSRF vulnerability in Gotenberg through 6.2.1 exists in the remote URL to PDF conversion, which results in a remote attacker being able to read local files or fetch intranet resources. | ||||
| CVE-2020-14056 | 1 Monstaftp | 1 Monsta Ftp | 2024-11-21 | 9.8 Critical |
| Monsta FTP 2.10.1 or below is prone to a server-side request forgery vulnerability due to insufficient restriction of the web fetch functionality. This allows attackers to read arbitrary local files and interact with arbitrary third-party services. | ||||
| CVE-2020-14044 | 1 Codiad | 1 Codiad | 2024-11-21 | 7.2 High |
| ** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Server-Side Request Forgery (SSRF) vulnerability was found in Codiad v1.7.8 and later. A user with admin privileges could use the plugin install feature to make the server request any URL via components/market/class.market.php. This could potentially result in remote code execution. NOTE: the vendor states "Codiad is no longer under active maintenance by core contributors." | ||||
| CVE-2020-14023 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2024-11-21 | 4.9 Medium |
| Ozeki NG SMS Gateway through 4.17.6 allows SSRF via SMS WCF or RSS To SMS. | ||||
| CVE-2020-13970 | 1 Shopware | 1 Shopware | 2024-11-21 | 8.8 High |
| Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server. | ||||
| CVE-2020-13788 | 1 Linuxfoundation | 1 Harbor | 2024-11-21 | 4.3 Medium |
| Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet. | ||||
| CVE-2020-13650 | 1 Digdash | 1 Digdash | 2024-11-21 | 7.5 High |
| An issue was discovered in DigDash 2018R2 before p20200210 and 2019R1 before p20200210. The login page is vulnerable to Server-Side Request Forgery (SSRF) that allows use of the application as a proxy. Sent to an external server, a forged request discloses application credentials. For a request to an internal component, the request is blind, but through the error message it's possible to determine whether the request targeted a open service. | ||||
| CVE-2020-13484 | 1 Bitrix24 | 1 Bitrix24 | 2024-11-21 | 9.8 Critical |
| Bitrix24 through 20.0.975 allows SSRF via an intranet IP address in the services/main/ajax.php?action=attachUrlPreview url parameter, if the destination URL hosts an HTML document containing '<meta name="og:image" content="' followed by an intranet URL. | ||||
| CVE-2020-13379 | 5 Fedoraproject, Grafana, Netapp and 2 more | 11 Fedora, Grafana, E-series Performance Analyzer and 8 more | 2024-11-21 | 8.2 High |
| The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault. | ||||
| CVE-2020-13309 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.4 Medium |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was vulnerable to a blind SSRF attack through the repository mirroring feature. | ||||
| CVE-2020-13295 | 1 Gitlab | 1 Runner | 2024-11-21 | 5.4 Medium |
| For GitLab Runner before 13.0.12, 13.1.6, 13.2.3, by replacing dockerd with a malicious server, the Shared Runner is susceptible to SSRF. | ||||
| CVE-2020-13286 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.4 Medium |
| For GitLab before 13.0.12, 13.1.6, 13.2.3 user controlled git configuration settings can be modified to result in Server Side Request Forgery. | ||||
| CVE-2020-13226 | 1 Wso2 | 1 Api Manager | 2024-11-21 | 9.8 Critical |
| WSO2 API Manager 3.0.0 does not properly restrict outbound network access from a Publisher node, opening up the possibility of SSRF to this node's entire intranet. | ||||
| CVE-2020-12725 | 1 Redash | 1 Redash | 2024-11-21 | 7.2 High |
| Havoc Research discovered an authenticated Server-Side Request Forgery (SSRF) via the "JSON" data source of Redash open-source 8.0.0 and prior. Possibly, other connectors are affected. The SSRF is potent and provides a lot of flexibility in terms of being able to craft HTTP requests e.g., by adding headers, selecting any HTTP verb, etc. | ||||
| CVE-2020-12695 | 22 Asus, Broadcom, Canon and 19 more | 218 Rt-n11, Adsl, Selphy Cp1200 and 215 more | 2024-11-21 | 7.5 High |
| The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue. | ||||
| CVE-2020-12644 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 5.0 Medium |
| OX App Suite 7.10.3 and earlier allows SSRF, related to the mail account API and the /folder/list API. | ||||
| CVE-2020-12529 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2024-11-21 | 5.8 Medium |
| An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2 There is a SSRF in the LDAP access check, allowing an attacker to scan for open ports. | ||||
| CVE-2020-11988 | 3 Apache, Fedoraproject, Redhat | 5 Xmlgraphics Commons, Fedora, Jboss Enterprise Bpms Platform and 2 more | 2024-11-21 | 8.2 High |
| Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later. | ||||
| CVE-2020-11987 | 5 Apache, Debian, Fedoraproject and 2 more | 23 Batik, Debian Linux, Fedora and 20 more | 2024-11-21 | 8.2 High |
| Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. | ||||