VYPR

CWE-918

Server-Side Request Forgery (SSRF)

Abstraction: Base
Status: Incomplete

Description

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
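The practical form of that check, as an added example that is not code from the CWE entry or from any project listed on this page: the server must decide where the request is going by resolving the name itself, rejecting every answer that is not globally routable, and then connecting to the address it validated rather than letting the HTTP library resolve the name a second time. That last step is what closes the DNS-rebind bypass noted in the Concrete CMS entry below (CVE-2021-22969), the private-range test is the one ssrf-agent's checker got wrong (CVE-2021-23718), and the scheme allowlist rules out non-HTTP fetches such as the jar: protocol in the Batik entry (CVE-2022-38398). The DNS table, hostnames and addresses are constructed for the offline run and the function names are the example's own.

```python
"""Added example for CWE-918 (not code from the CWE entry or any listed
project): validate a caller-supplied URL before the server fetches it, then
pin the connection to the validated IP so the target cannot change between
the check and the fetch (the DNS-rebind bypass pattern).  The resolver is
injectable so the example runs offline against a constructed DNS table."""
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}   # no file:, jar:, gopher:, ftp: ...

# Constructed DNS table (assumption: names and addresses are illustrative only).
FAKE_DNS = {
    "feeds.example.com": ["93.184.216.34"],                 # public answer
    "internal.corp.example": ["10.0.0.5"],                  # RFC 1918
    "rebind.example.net": ["93.184.216.35", "127.0.0.1"],   # public + loopback answers
    "v6mapped.example": ["::ffff:169.254.169.254"],         # IPv4-mapped metadata address
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def system_resolver(host):
    """Resolve with the OS resolver, all address families."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def is_public_address(text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(text)
    # Unwrap ::ffff:a.b.c.d so the IPv4 range checks apply to the real address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(url, resolver=system_resolver):
    """Return (pinned_ip, split_url) for an acceptable URL, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:                                   # literal IP: check it directly
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:                     # hostname: resolve exactly once, here
        addrs = resolver(host)
    if not addrs:
        raise ValueError(f"unresolvable host: {host!r}")
    # Every answer must be public; a name mixing public and internal answers is rejected.
    for a in addrs:
        if not is_public_address(a):
            raise ValueError(f"{host!r} resolves to non-public address {a}")
    return addrs[0], parts


def is_allowed(url, resolver=system_resolver):
    try:
        validate_target(url, resolver)
        return True
    except ValueError:
        return False


def plan_fetch(url, resolver=system_resolver):
    """Connection plan: connect to the pinned IP, send the original name as Host and SNI."""
    ip, parts = validate_target(url, resolver)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return {"scheme": parts.scheme, "connect_ip": ip, "port": port,
            "host_header": parts.netloc, "sni": parts.hostname,
            "path": urlunsplit(("", "", parts.path or "/", parts.query, ""))}


def fetch_pinned(url, resolver=system_resolver, timeout=5):
    """Raw HTTP/1.1 GET over a socket opened to the pinned IP.  Redirects are
    returned, not followed, so every hop must go back through validate_target."""
    plan = plan_fetch(url, resolver)
    sock = socket.create_connection((plan["connect_ip"], plan["port"]), timeout=timeout)
    if plan["scheme"] == "https":
        # Certificate and SNI are checked against the original hostname, not the IP.
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=plan["sni"])
    sock.sendall(f"GET {plan['path']} HTTP/1.1\r\nHost: {plan['host_header']}\r\n"
                 f"Connection: close\r\n\r\n".encode("ascii"))
    chunks = []
    while data := sock.recv(65536):
        chunks.append(data)
    sock.close()
    return b"".join(chunks)
```

Two caveats a reviewer would raise against a simpler version of this: a name that returns both a public and an internal address is rejected outright rather than "usually" resolving to the safe one, and redirect responses are handed back to the caller so that a 302 to an internal host cannot slip past the check. Running `fetch_pinned` needs network access; the validation and planning functions run entirely offline with `fake_resolver`.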

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-664

CVEs mapped to this weakness (1,583)

page 48 of 80
  • CVE-2024-4354 | Medium | Jun 7, 2024
    risk 0.35 | CVSS 6.4 | EPSS 0.00

    The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3 via the get_files_to_import() function. This makes it possible for authenticated attackers, with author-level access and…

  • CVE-2024-33634 | Medium | Apr 29, 2024
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    Server-Side Request Forgery (SSRF) vulnerability in Piotnet Piotnet Addons For Elementor Pro. This issue affects Piotnet Addons For Elementor Pro: from n/a through 7.1.17.

  • CVE-2024-33592 | Medium | Apr 25, 2024
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    Server-Side Request Forgery (SSRF) vulnerability in SoftLab Radio Player. This issue affects Radio Player: from n/a through 2.0.73.

  • CVE-2023-6805 | Medium | Apr 17, 2024
    risk 0.35 | CVSS 6.4 | EPSS 0.00

    The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 4.4.7 via the fetch_feed functionality. This makes it possible for…

  • CVE-2024-30453 | Medium | Mar 29, 2024
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    Server-Side Request Forgery (SSRF) vulnerability in Brave Brave Popup Builder. This issue affects Brave Popup Builder: from n/a through 0.6.5.

  • CVE-2024-27949 | Medium | Mar 1, 2024
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    Server-Side Request Forgery (SSRF) vulnerability in Sirv CDN and Image Hosting Sirv sirv. This issue affects Sirv: from n/a through <= 7.2.0.

  • CVE-2024-1568 | Medium | Feb 28, 2024
    risk 0.35 | CVSS 6.4 | EPSS 0.00

    The Seraphinite Accelerator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.20.52 via the OnAdminApi_HtmlCheck function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make…

  • CVE-2024-1758 | Medium | Feb 26, 2024
    risk 0.35 | CVSS 5.4 | EPSS 0.01

    The SuperFaktura WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.40.3 via the wc_sf_url_check function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web…

  • CVE-2023-49795 | Medium | Dec 11, 2023
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a server-side request forgery vulnerability in `file.py`. This can lead to limited information disclosure. Users should use MindsDB's `staging` branch or v23.11.4.1, which…

  • CVE-2023-25753 | Medium | Oct 19, 2023
    risk 0.35 | CVSS 6.5 | EPSS 0.01

    There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter. Of particular…

  • CVE-2022-41401 | Medium | Aug 4, 2023
    risk 0.35 | CVSS 6.5 | EPSS 0.01

    OpenRefine <= v3.5.2 contains a Server-Side Request Forgery (SSRF) vulnerability, which permits unauthorized users to exploit the system, potentially leading to unauthorized access to internal resources and sensitive file disclosure.

  • CVE-2022-38398 | Medium | Sep 22, 2022
    risk 0.35 | CVSS 5.3 | EPSS 0.02

    Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a URL through the jar protocol. This issue affects Apache XML Graphics Batik 1.14.

  • CVE-2022-1285 | Medium | Jun 1, 2022
    risk 0.35 | CVSS 6.5 | EPSS 0.01

    Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.8.

  • CVE-2022-0528 | Medium | Mar 3, 2022
    risk 0.35 | CVSS 6.5 | EPSS 0.01

    Server-Side Request Forgery (SSRF) in GitHub repository transloadit/uppy prior to 3.3.1.

  • CVE-2021-23718 | Medium | Nov 22, 2021
    risk 0.35 | CVSS 6.5 | EPSS 0.02

    The package ssrf-agent before 1.0.5 is vulnerable to Server-side Request Forgery (SSRF) via the defaultIpChecker function. It fails to properly validate whether the IP requested is private.

  • CVE-2021-22969 | Medium | Nov 19, 2021
    risk 0.35 | CVSS 5.3 | EPSS 0.01

    Concrete CMS (formerly concrete5) versions below 8.5.7 have an SSRF mitigation bypass using a DNS Rebind attack, giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys. To fix this Concrete CMS no longer allows downloads from the local network and specifies the validated…

  • CVE-2020-21122 | Medium | Sep 15, 2021
    risk 0.35 | CVSS 5.3 | EPSS 0.01

    UReport v2.2.9 contains a Server-Side Request Forgery (SSRF) in the designer page which allows attackers to detect intranet device ports.

  • CVE-2018-1000422 | Medium | Jan 9, 2019
    risk 0.35 | CVSS 6.5 | EPSS 0.01

    An improper authorization vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java that allows attackers to have Jenkins perform a connection test, connecting to an attacker-specified server with attacker-specified credentials and…

  • CVE-2018-1999026 | Medium | Aug 1, 2018
    risk 0.35 | CVSS 6.5 | EPSS 0.01

    A server-side request forgery vulnerability exists in Jenkins TraceTronic ECU-TEST Plugin 2.3 and earlier in ATXPublisher.java that allows attackers to have Jenkins send HTTP requests to an attacker-specified host.

  • CVE-2018-1000606 | Medium | Jun 26, 2018
    risk 0.35 | CVSS 6.5 | EPSS 0.01

    A server-side request forgery vulnerability exists in Jenkins URLTrigger Plugin 0.41 and earlier in URLTrigger.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.