OX App Suite 7.8.4 and earlier allows SSRF.
OX App Suite through 7.10.4 allows SSRF via a URL with an @ character in an appsuite/api/oauth/proxy PUT request.
OX App Suite 7.10.1 and 7.10.2 allows SSRF.
OX App Suite through 7.10.2 has Insecure Permissions.
The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors involving non-decimal representations of IP addresses and special IPv6 related addresses.
OX App Suite through 7.10.3 allows SSRF via the the /ajax/messaging/message message API.
OX App Suite 7.8.4 and earlier allows Server-Side Request Forgery.
OX App Suite 7.10.3 and earlier allows SSRF, related to the mail account API and the /folder/list API.
OX App Suite before 7.10.6-rev30 allows SSRF because e-mail account discovery disregards the deny-list and thus can be attacked by an adversary who controls the DNS records of an external domain (found in the host part of an e-mail address).
OX App Suite before 7.10.3-rev4 and 7.10.4 before 7.10.4-rev4 allows SSRF via a shared SVG document that is mishandled by the imageconverter component when the .png extension is used.
OX App Suite before 7.10.6-rev30 allows SSRF because changing a POP3 account disregards the deny-list.
OX Guard 2.10.3 and earlier allows SSRF.
OX App Suite through 7.10.3 allows SSRF.
In case Cacheservice was configured to use a sproxyd object-storage backend, it would follow HTTP redirects issued by that backend. An attacker with access to a local or restricted network with the capability to intercept and replay HTTP requests to sproxyd (or who is in control of the sproxyd service) could perform a server-side request-forgery attack and make Cacheservice connect to unexpected resources. We have disabled the ability to follow HTTP redirects when connecting to sproxyd resources. No publicly available exploits are known.
OX App Suite through 7.10.2 allows SSRF.
OX App Suite 7.10.4 and earlier allows SSRF via a snippet.
It was possible to call filesystem and network references using the local LibreOffice instance using manipulated ODT documents. Attackers could discover restricted network topology and services as well as including local files with read permissions of the open-xchange system user. This was limited to specific file-types, like images. We have improved existing content filters and validators to avoid including any local resources. No publicly available exploits are known.
IPv4-mapped IPv6 addresses did not get recognized as "local" by the code and a connection attempt is made. Attackers with access to user accounts could use this to bypass existing deny-list functionality and trigger requests to restricted network infrastructure to gain insight about topology and running services. We now respect possible IPV4-mapped IPv6 addresses when checking if contained in a deny-list. No publicly available exploits are known.
External service lookups for a number of protocols were vulnerable to a time-of-check/time-of-use (TOCTOU) weakness, involving the JDK DNS cache. Attackers that were timing DNS cache expiry correctly were able to inject configuration that would bypass existing network deny-lists. Attackers could exploit this weakness to discover the existence of restricted network infrastructure and service availability. Improvements were made to include deny-lists not only during the check of the provided connection data, but also during use. No publicly available exploits are known.
Open-Xchange GmbH OX App Suite 7.8.4 and earlier is affected by: SSRF.
OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: SSRF.
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The API to configure external mail accounts can be abused to map and access network components within the trust boundary of the operator. Users can inject arbitrary hosts and ports to API calls. Depending on the response type, content and latency, information about existence of hosts and services can be gathered. Attackers can get internal configuration information about the infrastructure of an operator to prepare subsequent attacks.
OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record.
Server-Side Request Forgery (SSRF) vulnerability in sirv.Com Image Optimizer, Resizer and CDN – Sirv.This issue affects Image Optimizer, Resizer and CDN – Sirv: from n/a through 7.2.0.
The SuperFaktura WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.40.3 via the wc_sf_url_check function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Limited Server-Side Request Forgery in all versions up to, and including, 5.9.4.2 via the pm_upload_image function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to download and view images, as well as validating if a non-image file exists, both on local or remote hosts.
The Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.4 via the 'remote_request' function. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
The Enfold theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.9 via the 'attachment_id' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
The Broken Link Checker | Finder plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the 'moblc_check_link' function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
The Activity Plus Reloaded for BuddyPress plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.1.1 via the 'ajax_preview_link' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
The AI Power: Complete AI Pack plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.8.96 via the wpaicg_troubleshoot_add_vector(). This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.5 via the 'mpg_download_file_by_link' function. This makes it possible for authenticated attackers, with editor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
AdminTools in SAP BusinessObjects Business Intelligence, versions 4.1, 4.2, allows an attacker to manipulate the vulnerable application to send crafted requests on behalf of the application, resulting in a Server-Side Request Forgery (SSRF) vulnerability.
IBM InfoSphere Information Server 11.7 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 275774.
Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
An SSRF issue in Open Distro for Elasticsearch (ODFE) before 1.13.1.0 allows an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Alerting plugin's intended scope.
Siren Investigate before 11.1.1 contains a server side request forgery (SSRF) defect in the built-in image proxy route (which is enabled by default). An attacker with access to the Investigate installation can specify an arbitrary URL in the parameters of the image proxy route and fetch external URLs as the Investigate process on the host.
IBM Secure External Authentication Server 6.0.2 and IBM Secure Proxy 6.0.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 201777.
Server-Side Request Forgery (SSRF) vulnerability in Code for Recovery 12 Step Meeting List.This issue affects 12 Step Meeting List: from n/a through 3.14.24.
Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1.
IBM InfoSphere Data Flow Designer (IBM InfoSphere Information Server 11.7 ) is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 201302.
A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38625 through CVE-2023-38627.
BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled follow redirect at `httpclient.execute` since the software no longer has to follow it when using `finalUrl`. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton.
Server-Side Request Forgery (SSRF) vulnerability in Brainstorm Force Starter Templates — Elementor, WordPress & Beaver Builder Templates.This issue affects Starter Templates — Elementor, WordPress & Beaver Builder Templates: from n/a through 3.2.4.
IBM Maximo Asset Management 7.6.1.3 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubPluginConfig.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.
A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.
A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38625.
Omnissa Workspace ONE UEM contains a Server-Side Request Forgery (SSRF) Vulnerability. A malicious actor with user privileges may be able to access restricted internal system information, potentially enabling enumeration of internal network resources.
A server-side request forgery vulnerability exists in Jenkins CAS Plugin 1.4.1 and older in CasSecurityRealm.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.