Total
1832 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-39109 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 8.8 High |
| rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_a parameter in the doDiff Function of /classes/compareClass.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs. | ||||
| CVE-2023-39108 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 8.8 High |
| rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_b parameter in the doDiff Function of /classes/compareClass.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs. | ||||
| CVE-2023-38515 | 1 Church Admin Project | 1 Church Admin | 2024-11-21 | 5.5 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Andy Moyle Church Admin.This issue affects Church Admin: from n/a through 3.7.56. | ||||
| CVE-2023-37978 | 1 Riverside | 1 Http Headers | 2024-11-21 | 4.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Dimitar Ivanov HTTP Headers.This issue affects HTTP Headers: from n/a through 1.18.11. | ||||
| CVE-2023-37440 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-11-21 | 5.5 Medium |
| A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an unauthenticated remote attacker to conduct a server-side request forgery (SSRF) attack. A successful exploit allows an attacker to enumerate information about the internal structure of the EdgeConnect SD-WAN Orchestrator host leading to potential disclosure of sensitive information. | ||||
| CVE-2023-37290 | 1 Infodoc | 1 Document On-line Submission And Approval System | 2024-11-21 | 7.5 High |
| InfoDoc Document On-line Submission and Approval System lacks sufficient restrictions on the available tags within its HTML to PDF conversion function, and allowing an unauthenticated attackers to load remote or local resources through HTML tags such as iframe. This vulnerability allows unauthenticated remote attackers to perform Server-Side Request Forgery (SSRF) attacks, gaining unauthorized access to arbitrary system files and uncovering the internal network topology. | ||||
| CVE-2023-37262 | 1 Tweaked | 1 Cc-tweaked | 2024-11-21 | 9.6 Critical |
| CC: Tweaked is a mod for Minecraft which adds programmable computers, turtles, and more to the game. Prior to versions 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3, and 1.16.5-1.101.3, if the cc-tweaked plugin is running on a Minecraft server hosted on a popular cloud hosting providers, like AWS, GCP, and Azure, those metadata services API endpoints are not forbidden (aka "blacklisted") by default. As such, any player can gain access to sensitive information exposed via those metadata servers, potentially allowing them to pivot or privilege escalate into the hosting provider. Versions 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3, and 1.16.5-1.101.3 contain a fix for this issue. | ||||
| CVE-2023-37261 | 1 Opencomputers | 1 Opencomputers | 2024-11-21 | 9.6 Critical |
| OpenComputers is a Minecraft mod that adds programmable computers and robots to the game. This issue affects every version of OpenComputers with the Internet Card feature enabled; that is, OpenComputers 1.2.0 until 1.8.3 in their most common, default configurations. If the OpenComputers mod is installed as part of a Minecraft server hosted on a popular cloud hosting provider, such as AWS, GCP and Azure, those metadata services' API endpoints are not forbidden (aka "blacklisted") by default. As such, any player can gain access to sensitive information exposed via those metadata servers, potentially allowing them to pivot or privilege escalate into the hosting provider. In addition, IPv6 addresses are not correctly filtered at all, allowing broader access into the local IPv6 network. This can allow a player on a server using an OpenComputers computer to access parts of the private IPv4 address space, as well as the whole IPv6 address space, in order to retrieve sensitive information. OpenComputers v1.8.3 for Minecraft 1.7.10 and 1.12.2 contains a patch for this issue. Some workarounds are also available. One may disable the Internet Card feature completely. If using OpenComputers 1.3.0 or above, using the allow list (`opencomputers.internet.whitelist` option) will prohibit connections to any IP addresses and/or domains not listed; or one may add entries to the block list (`opencomputers.internet.blacklist` option). More information about mitigations is available in the GitHub Security Advisory. | ||||
| CVE-2023-36925 | 1 Sap | 1 Solution Manager | 2024-11-21 | 7.2 High |
| SAP Solution Manager (Diagnostics agent) - version 7.20, allows an unauthenticated attacker to blindly execute HTTP requests. On successful exploitation, the attacker can cause a limited impact on confidentiality and availability of the application and other applications the Diagnostics Agent can reach. | ||||
| CVE-2023-36388 | 1 Apache | 1 Superset | 2024-11-21 | 4.3 Medium |
| Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF. | ||||
| CVE-2023-36088 | 1 Vesoft | 1 Nebulagraph Studio | 2024-11-21 | 7.5 High |
| Server Side Request Forgery (SSRF) vulnerability in NebulaGraph Studio version 3.7.0, allows remote attackers to gain sensitive information. | ||||
| CVE-2023-35896 | 3 Ibm, Linux, Microsoft | 3 Content Navigator, Linux Kernel, Windows | 2024-11-21 | 5.4 Medium |
| IBM Content Navigator 3.0.13 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 259247. | ||||
| CVE-2023-35133 | 1 Moodle | 1 Moodle | 2024-11-21 | 7.5 High |
| An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. | ||||
| CVE-2023-34370 | 2024-11-21 | 7.1 High | ||
| Server-Side Request Forgery (SSRF) vulnerability in Brainstorm Force Starter Templates — Elementor, WordPress & Beaver Builder Templates, Brainstorm Force Premium Starter Templates.This issue affects Starter Templates — Elementor, WordPress & Beaver Builder Templates: from n/a through 3.2.4; Premium Starter Templates: from n/a through 3.2.4. | ||||
| CVE-2023-33176 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 4.8 Medium |
| BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs to be used for presentation download. Two new properties `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` have also been added to `bigbluebutton.properties` to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to `insertDocument` must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton. | ||||
| CVE-2023-32337 | 1 Ibm | 2 Maximo Application Suite, Maximo Asset Management | 2024-11-21 | 5.4 Medium |
| IBM Maximo Spatial Asset Management 8.10 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 255288. | ||||
| CVE-2023-31456 | 2024-11-21 | 5.4 Medium | ||
| There is an SSRF vulnerability in the Fluid Topics platform that affects versions prior to 4.3, where the server can be forced to make arbitrary requests to internal and external resources by an authenticated user. | ||||
| CVE-2023-31219 | 1 Wpchill | 1 Download Monitor | 2024-11-21 | 4.1 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in WPChill Download Monitor.This issue affects Download Monitor: from n/a through 4.8.1. | ||||
| CVE-2023-2927 | 1 Jizhicms | 1 Jizhicms | 2024-11-21 | 6.3 Medium |
| A vulnerability was found in JIZHICMS 2.4.5. It has been classified as critical. Affected is the function index of the file TemplateController.php. The manipulation of the argument webapi leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-230082 is the identifier assigned to this vulnerability. | ||||
| CVE-2023-29260 | 4 Ibm, Linux, Microsoft and 1 more | 5 Aix, Sterling Connect\, Linux Kernel and 2 more | 2024-11-21 | 6.5 Medium |
| IBM Sterling Connect:Express for UNIX 1.5 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 252135. | ||||