VYPR

CWE-918

Server-Side Request Forgery (SSRF)

Abstraction: Base · Status: Incomplete

Description

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-664

CVEs mapped to this weakness (1,583)

page 34 of 80
  • CVE-2024-32803 · Med · Apr 24, 2024
    Risk 0.42 · CVSS 6.4 · EPSS 0.00

    Server-Side Request Forgery (SSRF) vulnerability in 2day.Sk, Webikon SuperFaktura WooCommerce. This issue affects SuperFaktura WooCommerce: from n/a through 1.40.3.

  • CVE-2023-40148 · Med · Apr 10, 2024
    Risk 0.42 · CVSS 6.5 · EPSS 0.00

    Server-side request forgery (SSRF) in PingFederate allows unauthenticated http requests to attack network resources and consume server-side resources via forged HTTP POST requests.

  • CVE-2024-2343 · Med · Apr 9, 2024
    Risk 0.42 · CVSS 6.4 · EPSS 0.01

    The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.11.6 via the form_to_url_action function. This makes it possible for authenticated attackers, with contributor-level…

  • CVE-2024-24888 · Med · Apr 2, 2024
    Risk 0.42 · CVSS 6.4 · EPSS 0.00

    Server-Side Request Forgery (SSRF) vulnerability in StellarWP Gutenberg Blocks by Kadence Blocks kadence-blocks. This issue affects Gutenberg Blocks by Kadence Blocks: from n/a through <= 3.2.25.

  • CVE-2024-29190 · High · Mar 22, 2024
    Risk 0.42 · CVSS 7.5 · EPSS 0.01

    Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In version 3.9.5 Beta and prior, MobSF does not perform any input validation when extracting the hostnames in `android:host`,…

  • CVE-2024-23838 · High · Jan 30, 2024
    Risk 0.42 · CVSS 7.5 · EPSS 0.01

    TrueLayer.NET is the .Net client for TrueLayer. The vulnerability could potentially allow a malicious actor to gain control over the destination URL of the HttpClient used in the API classes. For applications using the SDK, requests to unexpected resources on local networks or…

  • CVE-2024-21642 · High · Jan 5, 2024
    Risk 0.42 · CVSS 7.5 · EPSS 0.01

    D-Tale is a visualizer for Pandas data structures. Users hosting versions of D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the…

  • CVE-2023-7078 · High · Dec 29, 2023
    Risk 0.42 · CVSS 7.5 · EPSS 0.01

    Sending specially crafted HTTP requests to Miniflare's server could result in arbitrary HTTP and WebSocket requests being sent from the server. If Miniflare was configured to listen on external network interfaces (as was the default in wrangler until 3.19.0), an attacker on the…

  • CVE-2023-49799 · High · Dec 9, 2023
    Risk 0.42 · CVSS 7.5 · EPSS 0.01

    `nuxt-api-party` is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use the regular expression `^https?://`, however this regular…

  • CVE-2023-41239 · Med · Nov 13, 2023
    Risk 0.42 · CVSS 6.4 · EPSS 0.00

    Server-Side Request Forgery (SSRF) vulnerability in Blubrry PowerPress Podcasting plugin by Blubrry. This issue affects PowerPress Podcasting plugin by Blubrry: from n/a through 11.0.6.

  • CVE-2023-32786 · High · Oct 20, 2023
    Risk 0.42 · CVSS 7.5 · EPSS 0.01

    In Langchain through 0.0.155, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks.

  • CVE-2023-42439 · High · Sep 15, 2023
    Risk 0.42 · CVSS 7.5 · EPSS 0.01

    GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. A SSRF vulnerability exists starting in version 3.2.0, bypassing existing controls on the software. This can allow a user to request internal services for a full…

  • CVE-2023-4893 · Med · Sep 12, 2023
    Risk 0.42 · CVSS 6.4 · EPSS 0.00

    The Crayon Syntax Highlighter plugin for WordPress is vulnerable to Server Side Request Forgery via the 'crayon' shortcode in versions up to, and including, 2.8.4. This can allow authenticated attackers with contributor-level permissions or above to make web requests to…

  • CVE-2023-40017 · High · Aug 24, 2023
    Risk 0.42 · CVSS 7.5 · EPSS 0.01

    GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. In versions 3.2.0 through 4.1.2, the endpoint `/proxy/?url=` does not properly protect against server-side request forgery. This allows an attacker to port scan…

  • CVE-2022-4492 · High · Feb 23, 2023
    Risk 0.42 · CVSS 7.5 · EPSS 0.01

    The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

  • CVE-2022-45085 · Med · Feb 12, 2023
    Risk 0.42 · CVSS 6.5 · EPSS 0.01

    Server-Side Request Forgery (SSRF) vulnerability in Group Arge Energy and Control Systems Smartpower Web allows: Server Side Request Forgery. This issue affects Smartpower Web: before 23.01.01.

  • CVE-2023-24623 · High · Jan 30, 2023
    Risk 0.42 · CVSS 7.5 · EPSS 0.01

    Paranoidhttp before 0.3.0 allows SSRF because [::] is equivalent to the 127.0.0.1 address, but does not match the filter for private addresses.

  • CVE-2022-42890 · High · Oct 25, 2022
    Risk 0.42 · CVSS 7.5 · EPSS 0.02

    A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.

  • CVE-2022-41704 · High · Oct 25, 2022
    Risk 0.42 · CVSS 7.5 · EPSS 0.02

    A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.

  • CVE-2022-2062 · High · Jun 13, 2022
    Risk 0.42 · CVSS 7.5 · EPSS 0.01

    Generation of Error Message Containing Sensitive Information in GitHub repository nocodb/nocodb prior to 0.91.7+.