Total
2140 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-31776 | 1 Ibm | 1 Datapower Gateway | 2024-11-21 | 8.8 High |
| IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 228433. | ||||
| CVE-2022-31393 | 1 Jizhicms | 1 Jizhicms | 2024-11-21 | 9.1 Critical |
| Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Index function in app/admin/c/PluginsController.php. | ||||
| CVE-2022-31390 | 1 Jizhicms | 1 Jizhicms | 2024-11-21 | 9.1 Critical |
| Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Update function in app/admin/c/TemplateController.php. | ||||
| CVE-2022-31386 | 1 Nbnbk Project | 1 Nbnbk | 2024-11-21 | 9.1 Critical |
| A Server-Side Request Forgery (SSRF) in the getFileBinary function of nbnbk cms 3 allows attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the URL parameter. | ||||
| CVE-2022-30049 | 1 Ruifang-tech | 1 Rebuild | 2024-11-21 | 7.5 High |
| A Server-Side Request Forgery (SSRF) in Rebuild v2.8.3 allows attackers to obtain the real IP address and scan Intranet information via the fileurl parameter. | ||||
| CVE-2022-2900 | 1 Parse-url Project | 1 Parse-url | 2024-11-21 | 9.1 Critical |
| Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0. | ||||
| CVE-2022-2756 | 1 Kavitareader | 1 Kavita | 2024-11-21 | 6.5 Medium |
| Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1. | ||||
| CVE-2022-2556 | 1 Mailchimp | 1 Mailchimp For Woocommerce | 2024-11-21 | 2.7 Low |
| The Mailchimp for WooCommerce WordPress plugin before 2.7.2 has an AJAX action that allows high privilege users to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example | ||||
| CVE-2022-2416 | 1 Octopus | 1 Octopus Server | 2024-11-21 | 5.5 Medium |
| In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment. | ||||
| CVE-2022-2267 | 1 Mailchimp | 1 Mailchimp For Woocommerce | 2024-11-21 | 4.3 Medium |
| The Mailchimp for WooCommerce WordPress plugin before 2.7.1 has an AJAX action that allows any logged in users (such as subscriber) to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example | ||||
| CVE-2022-2216 | 1 Parse-url Project | 1 Parse-url | 2024-11-21 | 9.8 Critical |
| Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0. | ||||
| CVE-2022-29942 | 1 Talend | 1 Administration Center | 2024-11-21 | 6.5 Medium |
| Talend Administration Center has a vulnerability that allows an authenticated user to use the Service Registry 'Add' functionality to perform SSRF HTTP GET requests on URLs in the internal network. The issue is fixed for versions 8.0.x in TPS-5189, versions 7.3.x in TPS-5175, and versions 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version. | ||||
| CVE-2022-29848 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 6.5 Medium |
| In Progress Ipswitch WhatsUp Gold 17.0.0 through 21.1.1, and 22.0.0, it is possible for an authenticated user to invoke an API transaction that would allow them to read sensitive operating-system attributes from a host that is accessible by the WhatsUp Gold system. | ||||
| CVE-2022-29847 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 7.5 High |
| In Progress Ipswitch WhatsUp Gold 21.0.0 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to invoke an API transaction that would allow them to relay encrypted WhatsUp Gold user credentials to an arbitrary host. | ||||
| CVE-2022-29612 | 1 Sap | 2 Host Agent, Netweaver Abap | 2024-11-21 | 4.3 Medium |
| SAP NetWeaver, ABAP Platform and SAP Host Agent - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, 8.04, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, 8.04, SAPHOSTAGENT 7.22, allows an authenticated user to misuse a function of sapcontrol webfunctionality(startservice) in Kernel which enables malicious users to retrieve information. On successful exploitation, an attacker can obtain technical information like system number or physical address, which is otherwise restricted, causing a limited impact on the confidentiality of the application. | ||||
| CVE-2022-29556 | 1 Northern.tech | 1 Mender | 2024-11-21 | 9.8 Critical |
| The iot-manager microservice 1.0.0 in Northern.tech Mender Enterprise before 3.2.2 allows SSRF because the Azure IoT Hub integration provides several SSRF primitives that can execute cross-tenant actions via internal API endpoints. | ||||
| CVE-2022-29153 | 2 Fedoraproject, Hashicorp | 2 Fedora, Consul | 2024-11-21 | 7.5 High |
| HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5. | ||||
| CVE-2022-28997 | 1 Cszcms | 1 Cszcms | 2024-11-21 | 7.5 High |
| CSZCMS v1.3.0 allows attackers to execute a Server-Side Request Forgery (SSRF) which can be leveraged to leak sensitive data via a local file inclusion at /admin/filemanager/connector/. | ||||
| CVE-2022-28616 | 1 Hp | 1 Oneview | 2024-11-21 | 9.8 Critical |
| A remote server-side request forgery (ssrf) vulnerability was discovered in HPE OneView version(s): Prior to 7.0. HPE has provided a software update to resolve this vulnerability in HPE OneView. | ||||
| CVE-2022-28217 | 1 Sap | 1 Netweaver | 2024-11-21 | 6.5 Medium |
| Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parking at endpoints, and a possibility to conduct SSRF attacks that could compromise system�s Availability by causing system to crash. | ||||