Total
1417 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-15002 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 5.0 Medium |
| OX App Suite through 7.10.3 allows SSRF via the the /ajax/messaging/message message API. | ||||
| CVE-2020-14328 | 1 Redhat | 1 Ansible Tower | 2024-11-21 | 3.3 Low |
| A flaw was found in Ansible Tower in versions before 3.7.2. A Server Side Request Forgery flaw can be abused by supplying a URL which could lead to the server processing it connecting to internal services or exposing additional internal services and more particularly retrieving full details in case of error. The highest threat from this vulnerability is to data confidentiality. | ||||
| CVE-2020-14327 | 1 Redhat | 1 Ansible Tower | 2024-11-21 | 5.5 Medium |
| A Server-side request forgery (SSRF) flaw was found in Ansible Tower in versions before 3.6.5 and before 3.7.2. Functionality on the Tower server is abused by supplying a URL that could lead to the server processing it. This flaw leads to the connection to internal services or the exposure of additional internal services by abusing the test feature of lookup credentials to forge HTTP/HTTPS requests from the server and retrieving the results of the response. | ||||
| CVE-2020-14296 | 1 Redhat | 2 Cloudforms Management Engine, Cloudforms Managementengine | 2024-11-21 | 7.1 High |
| Red Hat CloudForms 4.7 and 5 was vulnerable to Server-Side Request Forgery (SSRF) flaw. With the access to add Ansible Tower provider, an attacker could scan and attack systems from the internal network which are not normally accessible. | ||||
| CVE-2020-14170 | 1 Atlassian | 1 Bitbucket | 2024-11-21 | 4.3 Medium |
| Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability. | ||||
| CVE-2020-14160 | 1 Thecodingmachine | 1 Gotenberg | 2024-11-21 | 7.5 High |
| An SSRF vulnerability in Gotenberg through 6.2.1 exists in the remote URL to PDF conversion, which results in a remote attacker being able to read local files or fetch intranet resources. | ||||
| CVE-2020-14056 | 1 Monstaftp | 1 Monsta Ftp | 2024-11-21 | 9.8 Critical |
| Monsta FTP 2.10.1 or below is prone to a server-side request forgery vulnerability due to insufficient restriction of the web fetch functionality. This allows attackers to read arbitrary local files and interact with arbitrary third-party services. | ||||
| CVE-2020-14044 | 1 Codiad | 1 Codiad | 2024-11-21 | 7.2 High |
| ** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Server-Side Request Forgery (SSRF) vulnerability was found in Codiad v1.7.8 and later. A user with admin privileges could use the plugin install feature to make the server request any URL via components/market/class.market.php. This could potentially result in remote code execution. NOTE: the vendor states "Codiad is no longer under active maintenance by core contributors." | ||||
| CVE-2020-14023 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2024-11-21 | 4.9 Medium |
| Ozeki NG SMS Gateway through 4.17.6 allows SSRF via SMS WCF or RSS To SMS. | ||||
| CVE-2020-13970 | 1 Shopware | 1 Shopware | 2024-11-21 | 8.8 High |
| Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server. | ||||
| CVE-2020-13788 | 1 Linuxfoundation | 1 Harbor | 2024-11-21 | 4.3 Medium |
| Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet. | ||||
| CVE-2020-13650 | 1 Digdash | 1 Digdash | 2024-11-21 | 7.5 High |
| An issue was discovered in DigDash 2018R2 before p20200210 and 2019R1 before p20200210. The login page is vulnerable to Server-Side Request Forgery (SSRF) that allows use of the application as a proxy. Sent to an external server, a forged request discloses application credentials. For a request to an internal component, the request is blind, but through the error message it's possible to determine whether the request targeted a open service. | ||||
| CVE-2020-13484 | 1 Bitrix24 | 1 Bitrix24 | 2024-11-21 | 9.8 Critical |
| Bitrix24 through 20.0.975 allows SSRF via an intranet IP address in the services/main/ajax.php?action=attachUrlPreview url parameter, if the destination URL hosts an HTML document containing '<meta name="og:image" content="' followed by an intranet URL. | ||||
| CVE-2020-13379 | 5 Fedoraproject, Grafana, Netapp and 2 more | 11 Fedora, Grafana, E-series Performance Analyzer and 8 more | 2024-11-21 | 8.2 High |
| The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault. | ||||
| CVE-2020-13309 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.4 Medium |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was vulnerable to a blind SSRF attack through the repository mirroring feature. | ||||
| CVE-2020-13295 | 1 Gitlab | 1 Runner | 2024-11-21 | 5.4 Medium |
| For GitLab Runner before 13.0.12, 13.1.6, 13.2.3, by replacing dockerd with a malicious server, the Shared Runner is susceptible to SSRF. | ||||
| CVE-2020-13286 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.4 Medium |
| For GitLab before 13.0.12, 13.1.6, 13.2.3 user controlled git configuration settings can be modified to result in Server Side Request Forgery. | ||||
| CVE-2020-13226 | 1 Wso2 | 1 Api Manager | 2024-11-21 | 9.8 Critical |
| WSO2 API Manager 3.0.0 does not properly restrict outbound network access from a Publisher node, opening up the possibility of SSRF to this node's entire intranet. | ||||
| CVE-2020-12725 | 1 Redash | 1 Redash | 2024-11-21 | 7.2 High |
| Havoc Research discovered an authenticated Server-Side Request Forgery (SSRF) via the "JSON" data source of Redash open-source 8.0.0 and prior. Possibly, other connectors are affected. The SSRF is potent and provides a lot of flexibility in terms of being able to craft HTTP requests e.g., by adding headers, selecting any HTTP verb, etc. | ||||
| CVE-2020-12695 | 22 Asus, Broadcom, Canon and 19 more | 218 Rt-n11, Adsl, Selphy Cp1200 and 215 more | 2024-11-21 | 7.5 High |
| The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue. | ||||