Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-35313

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-20 Apr, 2021 | 19:05
Updated At-04 Aug, 2024 | 17:02
Rejected At-
Credits

A server-side request forgery (SSRF) vulnerability in the addCustomThemePluginRepository function in index.php in WonderCMS 3.1.3 allows remote attackers to execute arbitrary code via a crafted URL to the theme/plugin installer.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:20 Apr, 2021 | 19:05
Updated At:04 Aug, 2024 | 17:02
Rejected At:
▼CVE Numbering Authority (CNA)

A server-side request forgery (SSRF) vulnerability in the addCustomThemePluginRepository function in index.php in WonderCMS 3.1.3 allows remote attackers to execute arbitrary code via a crafted URL to the theme/plugin installer.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://zetc0de.github.io/post/authenticated-rce-ssrf-wondercms/
x_refsource_MISC
https://github.com/robiso/wondercms
x_refsource_MISC
https://packetstormsecurity.com/files/160310/WonderCMS-3.1.3-Code-Execution-Server-Side-Request-Forgery.html
x_refsource_MISC
Hyperlink: https://zetc0de.github.io/post/authenticated-rce-ssrf-wondercms/
Resource:
x_refsource_MISC
Hyperlink: https://github.com/robiso/wondercms
Resource:
x_refsource_MISC
Hyperlink: https://packetstormsecurity.com/files/160310/WonderCMS-3.1.3-Code-Execution-Server-Side-Request-Forgery.html
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://zetc0de.github.io/post/authenticated-rce-ssrf-wondercms/
x_refsource_MISC
x_transferred
https://github.com/robiso/wondercms
x_refsource_MISC
x_transferred
https://packetstormsecurity.com/files/160310/WonderCMS-3.1.3-Code-Execution-Server-Side-Request-Forgery.html
x_refsource_MISC
x_transferred
Hyperlink: https://zetc0de.github.io/post/authenticated-rce-ssrf-wondercms/
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/robiso/wondercms
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://packetstormsecurity.com/files/160310/WonderCMS-3.1.3-Code-Execution-Server-Side-Request-Forgery.html
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:20 Apr, 2021 | 20:15
Updated At:23 Apr, 2021 | 21:18

A server-side request forgery (SSRF) vulnerability in the addCustomThemePluginRepository function in index.php in WonderCMS 3.1.3 allows remote attackers to execute arbitrary code via a crafted URL to the theme/plugin installer.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches
wondercms
wondercms
>>wondercms>>3.1.3
cpe:2.3:a:wondercms:wondercms:3.1.3:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-918Primarynvd@nist.gov
CWE ID: CWE-918
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/robiso/wondercmscve@mitre.org
Product
Third Party Advisory
https://packetstormsecurity.com/files/160310/WonderCMS-3.1.3-Code-Execution-Server-Side-Request-Forgery.htmlcve@mitre.org
Exploit
Third Party Advisory
VDB Entry
https://zetc0de.github.io/post/authenticated-rce-ssrf-wondercms/cve@mitre.org
Exploit
Third Party Advisory
Hyperlink: https://github.com/robiso/wondercms
Source: cve@mitre.org
Resource:
Product
Third Party Advisory
Hyperlink: https://packetstormsecurity.com/files/160310/WonderCMS-3.1.3-Code-Execution-Server-Side-Request-Forgery.html
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
VDB Entry
Hyperlink: https://zetc0de.github.io/post/authenticated-rce-ssrf-wondercms/
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

247Records found
CVE-2019-5464
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 61.69%
||
7 Day CHG~0.00%
Published-28 Jan, 2020 | 02:23
Updated-04 Aug, 2024 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the `url_blocker.rb` which could result in SSRF where the library is utilized.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab CE/EE
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-16948
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.36% / 57.68%
||
7 Day CHG~0.00%
Published-13 Nov, 2019 | 17:01
Updated-05 Aug, 2024 | 01:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An SSRF issue was discovered in Enghouse Web Chat 6.1.300.31. In any POST request, one can replace the port number at WebServiceLocation=http://localhost:8085/UCWebServices/ with a range of ports to determine what is visible on the internal network (as opposed to what general web traffic would see on the product's host). The response from open ports is different than from closed ports. The product does not allow one to change the protocol: anything except http(s) will throw an error; however, it is the type of error that allows one to determine if a port is open or not.

Action-Not Available
Vendor-enghousen/a
Product-web_chatn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-3809
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 46.40%
||
7 Day CHG~0.00%
Published-25 Mar, 2019 | 17:38
Updated-04 Aug, 2024 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page.

Action-Not Available
Vendor-[UNKNOWN]Moodle Pty Ltd
Product-moodlemoodle
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-34473
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-9.1||CRITICAL
EPSS-94.26% / 99.93%
||
7 Day CHG+0.02%
Published-14 Jul, 2021 | 17:54
Updated-30 Jul, 2025 | 01:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2021-11-17||Apply updates per vendor instructions.
Microsoft Exchange Server Remote Code Execution Vulnerability

Microsoft Exchange Server Remote Code Execution Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-exchange_serverMicrosoft Exchange Server 2019 Cumulative Update 9Microsoft Exchange Server 2013 Cumulative Update 23Microsoft Exchange Server 2019 Cumulative Update 8Microsoft Exchange Server 2016 Cumulative Update 19Microsoft Exchange Server 2016 Cumulative Update 20Exchange Server
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2017-9458
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.04% / 76.50%
||
7 Day CHG~0.00%
Published-07 Sep, 2017 | 13:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML external entity (XXE) vulnerability in the GlobalProtect internal and external gateway interface in Palo Alto Networks PAN-OS before 6.1.18, 7.0.x before 7.0.17, 7.1.x before 7.1.12, and 8.0.x before 8.0.3 allows remote attackers to obtain sensitive information, cause a denial of service, or conduct server-side request forgery (SSRF) attacks via unspecified vectors.

Action-Not Available
Vendor-n/aPalo Alto Networks, Inc.
Product-pan-osn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-35209
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.45% / 84.59%
||
7 Day CHG-0.21%
Published-02 Jul, 2021 | 18:54
Updated-04 Aug, 2024 | 00:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.x before 9.0.0 Patch 16. The value of the X-Host header overwrites the value of the Host header in proxied requests. The value of X-Host header is not checked against the whitelist of hosts Zimbra is allowed to proxy to (the zimbraProxyAllowedDomains setting).

Action-Not Available
Vendor-n/aZimbra
Product-collaborationn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-31116
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.4||MEDIUM
EPSS-0.06% / 17.18%
||
7 Day CHG-0.05%
Published-31 Mar, 2025 | 16:42
Updated-12 Jun, 2025 | 19:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mobile Security Framework (MobSF) has a SSRF Vulnerability fix bypass on assetlinks_check with DNS Rebinding

Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The mitigation for CVE-2024-29190 in valid_host() uses socket.gethostbyname(), which is vulnerable to SSRF abuse using DNS rebinding technique. This vulnerability is fixed in 4.3.2.

Action-Not Available
Vendor-Mobile Security Framework (MobSF)
Product-mobile_security_frameworkMobile-Security-Framework-MobSF
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-14255
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.71% / 71.34%
||
7 Day CHG~0.00%
Published-08 Aug, 2019 | 12:41
Updated-05 Aug, 2024 | 00:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Server Side Request Forgery (SSRF) vulnerability in go-camo up to version 1.1.4 allows a remote attacker to perform HTTP requests to internal endpoints.

Action-Not Available
Vendor-go-camo_projectn/a
Product-go-camon/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-14704
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.59% / 68.17%
||
7 Day CHG~0.00%
Published-06 Aug, 2019 | 22:24
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An SSRF issue was discovered in HTTPD on MicroDigital N-series cameras with firmware through 6400.0.8.5 via FTP commands following a newline character in the uploadfile field.

Action-Not Available
Vendor-microdigitaln/a
Product-mdc-n4090mdc-n4090w_firmwaremdc-n2190v_firmwaremdc-n2190vmdc-n4090wmdc-n4090_firmwaren/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-46973
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.30% / 52.57%
||
7 Day CHG~0.00%
Published-03 Mar, 2023 | 00:00
Updated-07 Mar, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Report v0.9.8.6 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability.

Action-Not Available
Vendor-anji-plusn/a
Product-aj-reportn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-29972
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-9.9||CRITICAL
EPSS-0.31% / 53.53%
||
7 Day CHG~0.00%
Published-08 May, 2025 | 22:17
Updated-15 Jul, 2025 | 01:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Azure Storage Resource Provider Spoofing Vulnerability

Server-Side Request Forgery (SSRF) in Azure allows an authorized attacker to perform spoofing over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-azure_storage_resource_providerAzure Storage Resource Provider (SRP)
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-12443
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.14% / 34.19%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 14:41
Updated-04 Aug, 2024 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 10.2 through 11.11. Multiple features contained Server-Side Request Forgery (SSRF) vulnerabilities caused by an insufficient validation to prevent DNS rebinding attacks.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-27670
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-91.94% / 99.69%
||
7 Day CHG~0.00%
Published-25 Feb, 2021 | 00:01
Updated-03 Aug, 2024 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Appspace 6.2.4 allows SSRF via the api/v1/core/proxy/jsonprequest url parameter.

Action-Not Available
Vendor-appspacen/a
Product-appspacen/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-12852
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.00% / 0.17%
||
7 Day CHG~0.00%
Published-03 Jul, 2019 | 19:48
Updated-04 Aug, 2024 | 23:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An SSRF attack was possible on a JetBrains YouTrack server. The issue (1 of 2) was fixed in JetBrains YouTrack 2018.4.49168.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-youtrackn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-27651
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.08% / 25.50%
||
7 Day CHG~0.00%
Published-05 Mar, 2025 | 00:00
Updated-15 Apr, 2025 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.862 Application 20.0.2014 allows Server-Side Request Forgery: Elatec V-2023-014.

Action-Not Available
Vendor-printerlogicn/a
Product-virtual_appliancevasion_printn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-27655
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.08% / 25.50%
||
7 Day CHG~0.00%
Published-05 Mar, 2025 | 00:00
Updated-16 Apr, 2025 | 15:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.862 Application 20.0.2014 allows Server-Side Request Forgery: CPA v1 V-2023-009.

Action-Not Available
Vendor-printerlogicn/a
Product-virtual_appliancevasion_printn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-13335
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.59% / 68.17%
||
7 Day CHG~0.00%
Published-02 Oct, 2019 | 11:16
Updated-04 Aug, 2024 | 23:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SalesAgility SuiteCRM 7.10.x 7.10.19 and 7.11.x before and 7.11.7 has SSRF.

Action-Not Available
Vendor-n/aSalesAgility Ltd.
Product-suitecrmn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-27652
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.08% / 25.50%
||
7 Day CHG~0.00%
Published-05 Mar, 2025 | 00:00
Updated-15 Apr, 2025 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.862 Application 20.0.2014 allows Server-Side Request Forgery: rfIDEAS V-2023-015.

Action-Not Available
Vendor-printerlogicn/a
Product-virtual_appliancevasion_printn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-42149
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.11% / 30.00%
||
7 Day CHG~0.00%
Published-17 Oct, 2022 | 00:00
Updated-14 May, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

kkFileView 4.0 is vulnerable to Server-side request forgery (SSRF) via controller\OnlinePreviewController.java.

Action-Not Available
Vendor-kekingn/a
Product-kkfileviewn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-41552
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.24% / 47.57%
||
7 Day CHG+0.02%
Published-01 Nov, 2022 | 02:10
Updated-01 May, 2025 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery Vulnerability in Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center Analyzer

Server-Side Request Forgery (SSRF) vulnerability in Hitachi Infrastructure Analytics Advisor on Linux (Data Center Analytics, Analytics probe components), Hitachi Ops Center Analyzer on Linux (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe components) allows Server Side Request Forgery. This issue affects Hitachi Infrastructure Analytics Advisor: from 2.0.0-00 through 4.4.0-00; Hitachi Ops Center Analyzer: from 10.0.0-00 before 10.9.0-00.

Action-Not Available
Vendor-Linux Kernel Organization, IncHitachi, Ltd.Microsoft Corporation
Product-linux_kernelops_center_viewpointops_center_analyzerwindowsinfrastructure_analytics_advisorHitachi Ops Center AnalyzerHitachi Infrastructure Analytics Advisor
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-41496
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.11% / 30.72%
||
7 Day CHG~0.00%
Published-13 Oct, 2022 | 00:00
Updated-15 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

iCMS v7.0.16 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at admincp.php.

Action-Not Available
Vendor-idreamsoftn/a
Product-icmsn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-41497
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.10% / 27.66%
||
7 Day CHG~0.00%
Published-13 Oct, 2022 | 00:00
Updated-15 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the pkg_url parameter at /manager/index.php.

Action-Not Available
Vendor-clippercmsn/a
Product-clippercmsn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-41495
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.11% / 30.81%
||
7 Day CHG~0.00%
Published-13 Oct, 2022 | 00:00
Updated-15 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the rss_url_news parameter at /manager/index.php.

Action-Not Available
Vendor-clippercmsn/a
Product-clippercmsn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-27905
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-94.18% / 99.91%
||
7 Day CHG~0.00%
Published-13 Apr, 2021 | 06:35
Updated-03 Aug, 2024 | 21:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SSRF vulnerability with the Replication handler

The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.

Action-Not Available
Vendor-The Apache Software Foundation
Product-solrApache Solr
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-40357
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.66% / 85.20%
||
7 Day CHG~0.00%
Published-20 Sep, 2022 | 20:01
Updated-28 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A security issue was discovered in Z-BlogPHP <= 1.7.2. A Server-Side Request Forgery (SSRF) vulnerability in the zb_users/plugin/UEditor/php/action_crawler.php file allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the source parameter.

Action-Not Available
Vendor-zblogcnn/a
Product-z-blogphpn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-40296
Matching Score-4
Assigner-The Missing Link Australia (TML)
ShareView Details
Matching Score-4
Assigner-The Missing Link Australia (TML)
CVSS Score-9.8||CRITICAL
EPSS-0.09% / 27.02%
||
7 Day CHG+0.01%
Published-31 Oct, 2022 | 20:07
Updated-06 May, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-side request forgery (SSRF) in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC.

The application was vulnerable to a Server-Side Request Forgery attacks, allowing the backend server to interact with unexpected endpoints, potentially including internal and local services, leading to attacks in other downstream systems.

Action-Not Available
Vendor-phppointofsalePHP Point of Sale LLC
Product-php_point_of_salePHP Point of Sale
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-32682
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-93.53% / 99.82%
||
7 Day CHG~0.00%
Published-14 Jun, 2021 | 16:45
Updated-03 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple vulnerabilities leading to RCE

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.

Action-Not Available
Vendor-std42Studio-42
Product-elfinderelFinder
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-39039
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 59.36%
||
7 Day CHG~0.00%
Published-03 Jan, 2023 | 00:00
Updated-10 Apr, 2025 | 15:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
aEnrich a+HRD - Server-Side Request Forgery (SSRF)

aEnrich’s a+HRD has inadequate filtering for specific URL parameter. An unauthenticated remote attacker can exploit this vulnerability to send arbitrary HTTP(s) request to launch Server-Side Request Forgery (SSRF) attack, to perform arbitrary system command or disrupt service.

Action-Not Available
Vendor-Yukai Digital Technology (aEnrich)
Product-a\+hrda+HRD
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2017-12905
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-10||CRITICAL
EPSS-1.85% / 82.25%
||
7 Day CHG~0.00%
Published-25 Sep, 2017 | 17:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Server Side Request Forgery vulnerability in Vebto Pixie Image Editor 1.4 and 1.7 allows remote attackers to disclose information or execute arbitrary code via the url parameter to Launderer.php.

Action-Not Available
Vendor-vebton/a
Product-pixie_-_image_editorn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-22952
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-22.60% / 95.64%
||
7 Day CHG~0.00%
Published-27 Feb, 2025 | 00:00
Updated-10 Jul, 2025 | 22:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.

Action-Not Available
Vendor-n/aUsememos
Product-memosn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-9174
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-10||CRITICAL
EPSS-0.36% / 57.04%
||
7 Day CHG~0.00%
Published-17 Apr, 2019 | 16:17
Updated-04 Aug, 2024 | 21:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows SSRF.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-23761
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.09% / 27.02%
||
7 Day CHG~0.00%
Published-12 Feb, 2024 | 00:00
Updated-19 Aug, 2024 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Server Side Template Injection in Gambio 4.9.2.0 allows attackers to run arbitrary code via crafted smarty email template.

Action-Not Available
Vendor-gambion/agambio
Product-gambion/agambio
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-27693
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.11% / 29.34%
||
7 Day CHG~0.00%
Published-02 Sep, 2022 | 17:33
Updated-03 Aug, 2024 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Server-side Request Forgery (SSRF) vulnerability in PublicCMS before 4.0.202011.b via /publiccms/admin/ueditor when the action is catchimage.

Action-Not Available
Vendor-publiccmsn/a
Product-publiccmsn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2020-35712
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.31% / 53.78%
||
7 Day CHG~0.00%
Published-25 Dec, 2020 | 23:46
Updated-04 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Esri ArcGIS Server before 10.8 is vulnerable to SSRF in some configurations.

Action-Not Available
Vendor-n/aEnvironmental Systems Research Institute, Inc. ("Esri")Microsoft CorporationLinux Kernel Organization, Inc
Product-windowslinux_kernelarcgis_servern/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-26855
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-9.1||CRITICAL
EPSS-94.34% / 99.95%
||
7 Day CHG~0.00%
Published-02 Mar, 2021 | 23:55
Updated-30 Jul, 2025 | 01:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2021-04-16||Apply updates per vendor instructions.
Microsoft Exchange Server Remote Code Execution Vulnerability

Microsoft Exchange Server Remote Code Execution Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-exchange_serverMicrosoft Exchange Server 2019 Cumulative Update 7Microsoft Exchange Server 2013 Cumulative Update 22Microsoft Exchange Server 2019 Cumulative Update 5Microsoft Exchange Server 2013 Cumulative Update 23Microsoft Exchange Server 2016 Cumulative Update 15Microsoft Exchange Server 2019 Cumulative Update 8Microsoft Exchange Server 2019 Cumulative Update 1Microsoft Exchange Server 2019 Cumulative Update 4Microsoft Exchange Server 2016 Cumulative Update 14Microsoft Exchange Server 2019 Cumulative Update 3Microsoft Exchange Server 2019 Cumulative Update 2Microsoft Exchange Server 2019 Cumulative Update 6Microsoft Exchange Server 2016 Cumulative Update 8Microsoft Exchange Server 2016 Cumulative Update 11Microsoft Exchange Server 2016 Cumulative Update 10Microsoft Exchange Server 2016 Cumulative Update 17Microsoft Exchange Server 2016 Cumulative Update 12Microsoft Exchange Server 2016 Cumulative Update 16Microsoft Exchange Server 2019Microsoft Exchange Server 2013 Cumulative Update 21Microsoft Exchange Server 2016 Cumulative Update 9Microsoft Exchange Server 2016 Cumulative Update 19Microsoft Exchange Server 2016 Cumulative Update 18Microsoft Exchange Server 2016 Cumulative Update 13Exchange Server
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-27103
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.46% / 89.81%
||
7 Day CHG~0.00%
Published-16 Feb, 2021 | 20:12
Updated-30 Jul, 2025 | 01:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2021-11-17||Apply updates per vendor instructions.

Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat.html. The fixed version is FTA_9_12_416 and later.

Action-Not Available
Vendor-n/aAccellion (Kiteworks USA, LLC)
Product-ftan/aFTA
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-3905
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-10||CRITICAL
EPSS-1.22% / 78.27%
||
7 Day CHG~0.00%
Published-03 Jan, 2019 | 18:00
Updated-30 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_adselfservice_plusn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-9408
Matching Score-4
Assigner-Eclipse Foundation
ShareView Details
Matching Score-4
Assigner-Eclipse Foundation
CVSS Score-8.9||HIGH
EPSS-0.06% / 17.18%
||
7 Day CHG~0.00%
Published-16 Jul, 2025 | 11:15
Updated-16 Jul, 2025 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse GlassFish since version 6.2.5 it is possible to perform a Server Side Request Forgery attack in specific endpoints.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-glassfishEclipse Glassfish
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-24472
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-89.82% / 99.54%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 10:32
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Onair2 < 3.9.9.2 & KenthaRadio < 2.0.2 - Unauthenticated RFI and SSRF

The OnAir2 WordPress theme before 3.9.9.2 and QT KenthaRadio WordPress plugin before 2.0.2 have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this would allow for SSRF (Server Side Request Forgery) and RFI (Remote File Inclusion) vulnerabilities on the website.

Action-Not Available
Vendor-qantumthemesQantumThemes
Product-kentharadioonair2OnAir2QT KenthaRadio
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-7742
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.09% / 26.43%
||
7 Day CHG~0.00%
Published-13 Aug, 2024 | 21:00
Updated-21 Aug, 2024 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
wanglongcn ltcms API Endpoint multiDownload server-side request forgery

A vulnerability was found in wanglongcn ltcms 1.0.20. It has been classified as critical. Affected is the function multiDownload of the file /api/file/multiDownload of the component API Endpoint. The manipulation of the argument file leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-ltcmswanglongcnwanglongcn
Product-ltcmsltcmsltcms
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-7740
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.27% / 50.18%
||
7 Day CHG~0.00%
Published-13 Aug, 2024 | 20:00
Updated-21 Aug, 2024 | 19:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
wanglongcn ltcms API Endpoint download server-side request forgery

A vulnerability has been found in wanglongcn ltcms 1.0.20 and classified as critical. This vulnerability affects the function download of the file /api/test/download of the component API Endpoint. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-ltcmswanglongcnwanglongcn
Product-ltcmsltcmsltcms
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-7743
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.09% / 26.43%
||
7 Day CHG~0.00%
Published-13 Aug, 2024 | 21:00
Updated-21 Aug, 2024 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
wanglongcn ltcms API Endpoint downloadUrl server-side request forgery

A vulnerability was found in wanglongcn ltcms 1.0.20. It has been declared as critical. Affected by this vulnerability is the function downloadUrl of the file /api/file/downloadUrl of the component API Endpoint. The manipulation of the argument file leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-ltcmswanglongcnwanglongcn
Product-ltcmsltcmsltcms
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-38292
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.11% / 29.34%
||
7 Day CHG~0.00%
Published-12 Sep, 2022 | 20:30
Updated-03 Aug, 2024 | 10:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SLiMS Senayan Library Management System v9.4.2 was discovered to contain multiple Server-Side Request Forgeries via the components /bibliography/marcsru.php and /bibliography/z3950sru.php.

Action-Not Available
Vendor-slimsn/a
Product-senayan_library_management_systemn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-6980
Matching Score-4
Assigner-Bitdefender
ShareView Details
Matching Score-4
Assigner-Bitdefender
CVSS Score-9.2||CRITICAL
EPSS-0.18% / 40.43%
||
7 Day CHG~0.00%
Published-31 Jul, 2024 | 06:58
Updated-07 Feb, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Verbose error handling issue in GravityZone Update Server proxy service

A verbose error handling issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery. This issue only affects GravityZone Console versions before 6.38.1-5 running only on premise.

Action-Not Available
Vendor-Bitdefender
Product-gravityzoneGravityZone Update Servergravityzone
CWE ID-CWE-209
Generation of Error Message Containing Sensitive Information
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-11574
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.66% / 70.09%
||
7 Day CHG~0.00%
Published-20 Mar, 2020 | 22:08
Updated-04 Aug, 2024 | 22:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Simple Machines Forum (SMF) before release 2.0.17. There is SSRF related to Subs-Package.php and Subs.php because user-supplied data is used directly in curl calls.

Action-Not Available
Vendor-simplemachinesn/a
Product-simple_machine_forumn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-11565
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.53% / 84.84%
||
7 Day CHG~0.00%
Published-27 Apr, 2019 | 13:15
Updated-04 Aug, 2024 | 22:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Server Side Request Forgery (SSRF) exists in the Print My Blog plugin before 1.6.7 for WordPress via the site parameter.

Action-Not Available
Vendor-print_my_blog_projectn/a
Product-print_my_blogn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-5822
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.3||HIGH
EPSS-0.03% / 6.54%
||
7 Day CHG~0.00%
Published-27 Jun, 2024 | 18:44
Updated-15 Jul, 2025 | 15:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery (SSRF) in gaizhenbiao/ChuanhuChatGPT

A Server-Side Request Forgery (SSRF) vulnerability exists in the upload processing interface of gaizhenbiao/ChuanhuChatGPT versions <= ChuanhuChatGPT-20240410-git.zip. This vulnerability allows attackers to send crafted requests from the vulnerable server to internal or external resources, potentially bypassing security controls and accessing sensitive data.

Action-Not Available
Vendor-gaizhenbiaogaizhenbiaogaizhenbiao
Product-chuanhuchatgptgaizhenbiao/chuanhuchatgptchuanhuchatgpt
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-11066
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.36% / 57.65%
||
7 Day CHG~0.00%
Published-10 May, 2019 | 19:18
Updated-04 Aug, 2024 | 22:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

openid.php in LightOpenID through 1.3.1 allows SSRF via a crafted OpenID 2.0 assertion request using the HTTP GET method.

Action-Not Available
Vendor-lightopenid_projectn/a
Product-lightopenidn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-52606
Matching Score-4
Assigner-SolarWinds
ShareView Details
Matching Score-4
Assigner-SolarWinds
CVSS Score-3.5||LOW
EPSS-0.09% / 26.73%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 07:17
Updated-25 Feb, 2025 | 17:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Server-Side Request Forgery Vulnerability

SolarWinds Platform is affected by server-side request forgery vulnerability. Proper input sanitation was not applied allowing for the possibility of a malicious web request.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-solarwinds_platformSolarWinds
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-10686
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-10||CRITICAL
EPSS-0.35% / 56.78%
||
7 Day CHG~0.00%
Published-01 Apr, 2019 | 16:21
Updated-04 Aug, 2024 | 22:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An SSRF vulnerability was found in an API from Ctrip Apollo through 1.4.0-SNAPSHOT. An attacker may use it to do an intranet port scan or raise a GET request via /system-info/health because the %23 substring is mishandled.

Action-Not Available
Vendor-ctripn/a
Product-apollon/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • Next
Details not found