Total
642 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-11149 | 1 Synology | 1 Download Station | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| Server-side request forgery (SSRF) vulnerability in Downloader in Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 allows remote authenticated users to download arbitrary local files via crafted URI. | |||||
| CVE-2017-15886 | 1 Synology | 1 Chat | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| Server-side request forgery (SSRF) vulnerability in Link Preview in Synology Chat before 2.0.0-1124 allows remote authenticated users to download arbitrary local files via a crafted URI. | |||||
| CVE-2017-7553 | 1 Redhat | 1 Mobile Application Platform | 2025-04-20 | 6.5 MEDIUM | 6.3 MEDIUM |
| The external_request api call in App Studio (millicore) allows server side request forgery (SSRF). An attacker could use this flaw to probe the network internal resources, and access restricted endpoints. | |||||
| CVE-2017-15943 | 1 Paloaltonetworks | 1 Pan-os | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| The configuration file import for applications, spyware and vulnerability objects functionality in the web interface in Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, and 7.1.x before 7.1.14 allows remote attackers to conduct server-side request forgery (SSRF) attacks and consequently obtain sensitive information via vectors related to parsing of external entities. | |||||
| CVE-2017-12071 | 1 Synology | 1 Photo Station | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via the url parameter. | |||||
| CVE-2017-9506 | 1 Atlassian | 1 Oauth | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF). | |||||
| CVE-2017-3546 | 1 Oracle | 1 Peoplesoft Enterprise Peopletools | 2025-04-20 | 6.4 MEDIUM | 6.5 MEDIUM |
| Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: MultiChannel Framework). Supported versions that are affected are 8.54 and 8.55. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). | |||||
| CVE-2017-9307 | 1 Allen Disk Project | 1 Allen Disk | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| SSRF vulnerability in remotedownload.php in Allen Disk 1.6 allows remote authenticated users to conduct port scans and access intranet servers via a crafted file parameter. | |||||
| CVE-2017-11148 | 1 Synology | 1 Chat | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| Server-side request forgery (SSRF) vulnerability in link preview in Synology Chat before 1.1.0-0806 allows remote authenticated users to access intranet resources via unspecified vectors. | |||||
| CVE-2017-6036 | 1 Belden Hirschmann | 2 Gecko Lite Managed Switch, Gecko Lite Managed Switch Firmware | 2025-04-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| A Server-Side Request Forgery issue was discovered in Belden Hirschmann GECKO Lite Managed switch, Version 2.0.00 and prior versions. The web server receives a request, but does not sufficiently verify that the request is being sent to the expected destination. | |||||
| CVE-2017-7200 | 1 Openstack | 1 Glance | 2025-04-20 | 5.0 MEDIUM | 5.8 MEDIUM |
| An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service. | |||||
| CVE-2024-48107 | 1 Sparkshop | 1 Sparkshop | 2025-04-18 | N/A | 6.5 MEDIUM |
| SparkShop <=1.1.7 is vulnerable to server-side request forgery (SSRF). This vulnerability allows attacks to scan ports on the Intranet or local network where the server resides, attack applications running on the Intranet or local network, or read metadata on the cloud server. | |||||
| CVE-2025-26990 | 2025-04-15 | N/A | 4.4 MEDIUM | ||
| Server-Side Request Forgery (SSRF) vulnerability in WP Royal Royal Elementor Addons allows Server Side Request Forgery. This issue affects Royal Elementor Addons: from n/a through 1.7.1006. | |||||
| CVE-2025-29720 | 2025-04-15 | N/A | 4.8 MEDIUM | ||
| Dify v1.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_files.RemoteFileUploadApi. | |||||
| CVE-2025-30964 | 2025-04-15 | N/A | 5.4 MEDIUM | ||
| Server-Side Request Forgery (SSRF) vulnerability in EPC Photography. This issue affects Photography: from n/a through 7.5.2. | |||||
| CVE-2025-32358 | 1 Zammad | 1 Zammad | 2025-04-15 | N/A | 4.0 MEDIUM |
| In Zammad 6.4.x before 6.4.2, SSRF can occur. Authenticated admin users can enable webhooks in Zammad, which are triggered as POST requests when certain conditions are met. If a webhook endpoint returned a redirect response, Zammad would follow it automatically with another GET request. This could be abused by an attacker to cause GET requests for example in the local network. | |||||
| CVE-2025-31824 | 2025-04-15 | N/A | 5.4 MEDIUM | ||
| Server-Side Request Forgery (SSRF) vulnerability in Wombat Plugins WP Optin Wheel allows Server Side Request Forgery. This issue affects WP Optin Wheel: from n/a through 1.4.7. | |||||
| CVE-2016-3718 | 6 Canonical, Imagemagick, Opensuse and 3 more | 30 Ubuntu Linux, Imagemagick, Leap and 27 more | 2025-04-12 | 4.3 MEDIUM | 5.5 MEDIUM |
| The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image. | |||||
| CVE-2016-5968 | 1 Ibm | 1 Tealeaf Customer Experience | 2025-04-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Replay Server in IBM Tealeaf Customer Experience 8.x before 8.7.1.8847 FP10, 8.8.x before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108 FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224 FP3 allows remote attackers to conduct SSRF attacks via unspecified vectors. | |||||
| CVE-2016-4046 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | 5.0 MEDIUM | 5.8 MEDIUM |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The API to configure external mail accounts can be abused to map and access network components within the trust boundary of the operator. Users can inject arbitrary hosts and ports to API calls. Depending on the response type, content and latency, information about existence of hosts and services can be gathered. Attackers can get internal configuration information about the infrastructure of an operator to prepare subsequent attacks. | |||||