ByteOS Network

Vulnerability Details :

CVE-2023-28633

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-05 Apr, 2023 | 15:27

Updated At-10 Feb, 2025 | 16:37

GLPI vulnerable to Blind Server-Side Request Forgery (SSRF) in RSS feeds

GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versions 9.5.13 and 10.0.7, usage of RSS feeds is subject to server-side request forgery (SSRF). In case the remote address is not a valid RSS feed, an RSS autodiscovery feature is triggered. This feature does not check safety or URLs. Versions 9.5.13 and 10.0.7 contain a patch for this issue.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:GitHub_M

Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa

Published At:05 Apr, 2023 | 15:27

Updated At:10 Feb, 2025 | 16:37

▼CVE Numbering Authority (CNA)

GLPI vulnerable to Blind Server-Side Request Forgery (SSRF) in RSS feeds

Affected Products

Vendor

GLPI Project

Product

glpi

Versions

Affected

>= 0.84, < 9.5.13
>= 10.0.0, < 10.0.7

Problem Types

Type	CWE ID	Description
CWE	CWE-918	CWE-918: Server-Side Request Forgery (SSRF)

Type: CWE

CWE ID: CWE-918

Description: CWE-918: Server-Side Request Forgery (SSRF)

Metrics

Version	Base score	Base severity	Vector
3.1	3.5	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Version: 3.1

Base score: 3.5

Base severity: LOW

Vector:

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

References

Hyperlink	Resource
https://github.com/glpi-project/glpi/security/advisories/GHSA-r57v-j88m-rwwf	x_refsource_CONFIRM
https://github.com/glpi-project/glpi/commit/e2819da64c9075050805a44c834e1f4dc621a982	x_refsource_MISC
https://github.com/glpi-project/glpi/releases/tag/10.0.7	x_refsource_MISC
https://github.com/glpi-project/glpi/releases/tag/9.5.13	x_refsource_MISC

Hyperlink: https://github.com/glpi-project/glpi/security/advisories/GHSA-r57v-j88m-rwwf

Resource:

x_refsource_CONFIRM

Hyperlink: https://github.com/glpi-project/glpi/commit/e2819da64c9075050805a44c834e1f4dc621a982

Resource:

x_refsource_MISC

Hyperlink: https://github.com/glpi-project/glpi/releases/tag/10.0.7

Resource:

x_refsource_MISC

Hyperlink: https://github.com/glpi-project/glpi/releases/tag/9.5.13

Resource:

x_refsource_MISC

▼Authorized Data Publishers (ADP)

1. CVE Program Container

References

Hyperlink	Resource
https://github.com/glpi-project/glpi/security/advisories/GHSA-r57v-j88m-rwwf	x_refsource_CONFIRM x_transferred
https://github.com/glpi-project/glpi/commit/e2819da64c9075050805a44c834e1f4dc621a982	x_refsource_MISC x_transferred
https://github.com/glpi-project/glpi/releases/tag/10.0.7	x_refsource_MISC x_transferred
https://github.com/glpi-project/glpi/releases/tag/9.5.13	x_refsource_MISC x_transferred

Hyperlink: https://github.com/glpi-project/glpi/security/advisories/GHSA-r57v-j88m-rwwf

Resource:

x_refsource_CONFIRM

x_transferred

Hyperlink: https://github.com/glpi-project/glpi/commit/e2819da64c9075050805a44c834e1f4dc621a982

Resource:

x_refsource_MISC

x_transferred

Hyperlink: https://github.com/glpi-project/glpi/releases/tag/10.0.7

Resource:

x_refsource_MISC

x_transferred

Hyperlink: https://github.com/glpi-project/glpi/releases/tag/9.5.13

Resource:

x_refsource_MISC

x_transferred

2. CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:security-advisories@github.com

Published At:05 Apr, 2023 | 16:15

Updated At:12 Apr, 2023 | 15:46

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Secondary	3.1	3.5	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Type: Primary

Version: 3.1

Base score: 5.4

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Type: Secondary

Version: 3.1

Base score: 3.5

Base severity: LOW

Vector:

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

CPE Matches

GLPI Project

>>glpi>>Versions from 0.84(inclusive) to 9.5.13(exclusive)

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

GLPI Project

>>glpi>>Versions from 10.0.0(inclusive) to 10.0.7(exclusive)

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-918	Primary	security-advisories@github.com

CWE ID: CWE-918

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/glpi-project/glpi/commit/e2819da64c9075050805a44c834e1f4dc621a982	security-advisories@github.com	Patch
https://github.com/glpi-project/glpi/releases/tag/10.0.7	security-advisories@github.com	Patch Release Notes
https://github.com/glpi-project/glpi/releases/tag/9.5.13	security-advisories@github.com	Patch Release Notes
https://github.com/glpi-project/glpi/security/advisories/GHSA-r57v-j88m-rwwf	security-advisories@github.com	Vendor Advisory

Hyperlink: https://github.com/glpi-project/glpi/commit/e2819da64c9075050805a44c834e1f4dc621a982

Source: security-advisories@github.com

Resource:

Patch

Hyperlink: https://github.com/glpi-project/glpi/releases/tag/10.0.7

Source: security-advisories@github.com

Resource:

Patch

Release Notes

Hyperlink: https://github.com/glpi-project/glpi/releases/tag/9.5.13

Source: security-advisories@github.com

Resource:

Patch

Release Notes

Hyperlink: https://github.com/glpi-project/glpi/security/advisories/GHSA-r57v-j88m-rwwf

Source: security-advisories@github.com

Resource:

Vendor Advisory

Similar CVEs

62Records found

CVE-2020-13295

Matching Score-4

Assigner-GitLab Inc.

View Details

Matching Score-4

Assigner-GitLab Inc.

CVSS Score-5.4||MEDIUM

EPSS-0.20% / 42.67%

7 Day CHG~0.00%

Published-10 Aug, 2020 | 13:32

Updated-04 Aug, 2024 | 12:11

For GitLab Runner before 13.0.12, 13.1.6, 13.2.3, by replacing dockerd with a malicious server, the Shared Runner is susceptible to SSRF.

Vendor-GitLab Inc.

Product-runner GitLab Runner

CWE ID-CWE-918

Server-Side Request Forgery (SSRF)

CVE-2022-0425

Matching Score-4

Assigner-GitLab Inc.

View Details

Matching Score-4

Assigner-GitLab Inc.

CVSS Score-5.4||MEDIUM

EPSS-0.15% / 36.35%

7 Day CHG~0.00%

Published-01 Apr, 2022 | 22:17

Updated-02 Aug, 2024 | 23:25

A DNS rebinding vulnerability in the Irker IRC Gateway integration in all versions of GitLab CE/EE since version 7.9 allows an attacker to trigger Server Side Request Forgery (SSRF) attacks.

Vendor-GitLab Inc.

Product-gitlab GitLab

CWE ID-CWE-918

Server-Side Request Forgery (SSRF)

CVE-2023-38624

Matching Score-4

Assigner-Trend Micro, Inc.

View Details

Matching Score-4

Assigner-Trend Micro, Inc.

CVSS Score-5.4||MEDIUM

EPSS-0.15% / 35.93%

7 Day CHG~0.00%

Published-23 Jan, 2024 | 20:34

Updated-20 Jun, 2025 | 19:15

A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38625 through CVE-2023-38627.

Vendor-Trend Micro Incorporated

Product-apex_central Trend Micro Apex Central

CWE ID-CWE-918

Server-Side Request Forgery (SSRF)

CVE-2023-38626

Matching Score-4

Assigner-Trend Micro, Inc.

View Details

Matching Score-4

Assigner-Trend Micro, Inc.

CVSS Score-5.4||MEDIUM

EPSS-0.15% / 35.93%

7 Day CHG~0.00%

Published-23 Jan, 2024 | 20:34

Updated-20 Jun, 2025 | 19:15

Vendor-Trend Micro Incorporated

Product-apex_central Trend Micro Apex Central

CWE ID-CWE-918

Server-Side Request Forgery (SSRF)

CVE-2023-32337

Matching Score-4

Assigner-IBM Corporation

View Details

Matching Score-4

Assigner-IBM Corporation

CVSS Score-5.4||MEDIUM

EPSS-0.04% / 11.72%

7 Day CHG~0.00%

Published-19 Jan, 2024 | 01:17

Updated-13 Nov, 2024 | 17:56

IBM Maximo Spatial Asset Management server-side request forgery

IBM Maximo Spatial Asset Management 8.10 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 255288.

Vendor-IBM Corporation

Product-maximo_application_suite maximo_asset_management Maximo Spatial Asset Management

CWE ID-CWE-918

Server-Side Request Forgery (SSRF)

CVE-2023-3577

Matching Score-4

Assigner-Mattermost, Inc.

View Details

Matching Score-4

Assigner-Mattermost, Inc.

CVSS Score-3.5||LOW

EPSS-0.16% / 37.18%

7 Day CHG~0.00%

Published-17 Jul, 2023 | 15:18

Updated-21 Oct, 2024 | 19:58

Limited blind SSRF to localhost/intranet in interactive dialog implementation

Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF.

Vendor-Mattermost, Inc.

Product-mattermost_server Mattermost

CWE ID-CWE-918

Server-Side Request Forgery (SSRF)

CVE-2023-35896

Matching Score-4

Assigner-IBM Corporation

View Details

Matching Score-4

Assigner-IBM Corporation

CVSS Score-5.4||MEDIUM

EPSS-0.05% / 13.30%

7 Day CHG~0.00%

Published-03 Nov, 2023 | 02:14

Updated-04 Sep, 2024 | 20:33

IBM Content Navigator server-side request forgery

IBM Content Navigator 3.0.13 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 259247.

Vendor-IBM Corporation Linux Kernel Organization, Inc Microsoft Corporation

Product-windows linux_kernel content_navigator Content Navigator

CWE ID-CWE-918

Server-Side Request Forgery (SSRF)

CVE-2023-35011

Matching Score-4

Assigner-IBM Corporation

View Details

Matching Score-4

Assigner-IBM Corporation

CVSS Score-5.4||MEDIUM

EPSS-0.05% / 16.34%

7 Day CHG~0.00%

Published-16 Aug, 2023 | 22:46

Updated-13 Feb, 2025 | 16:55

IBM Cognos Analytics server-side request forgey

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 257705.

Vendor-IBM Corporation

Product-cognos_analytics Cognos Analytics

CWE ID-CWE-918

Server-Side Request Forgery (SSRF)

CVE-2024-45843

Matching Score-4

Assigner-Mattermost, Inc.

View Details

Matching Score-4

Assigner-Mattermost, Inc.

CVSS Score-3.1||LOW

EPSS-0.07% / 22.00%

7 Day CHG~0.00%

Published-26 Sep, 2024 | 08:03

Updated-26 Sep, 2024 | 18:42

Weak SSRF Filtering

Mattermost versions 9.5.x <= 9.5.8 fail to include the metadata endpoints of Oracle Cloud and Alibaba in the SSRF denylist, which allows an attacker to possibly cause an SSRF if Mattermost was deployed in Oracle Cloud or Alibaba.

Vendor-Mattermost, Inc.

Product-mattermost_server Mattermost

CWE ID-CWE-918

Server-Side Request Forgery (SSRF)

CVE-2024-39739

Matching Score-4

Assigner-IBM Corporation

View Details

Matching Score-4

Assigner-IBM Corporation

CVSS Score-5.4||MEDIUM

EPSS-0.08% / 23.64%

7 Day CHG~0.00%

Published-15 Jul, 2024 | 01:25

Updated-02 Aug, 2024 | 04:26

IBM Datacap Navigator server-side request forgery

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 296008.

Vendor-IBM Corporation

Product-datacap datacap_navigator Datacap Navigator

CWE ID-CWE-918

Server-Side Request Forgery (SSRF)

CVE-2021-20535

Matching Score-4

Assigner-IBM Corporation

View Details

Matching Score-4

Assigner-IBM Corporation

CVSS Score-6.5||MEDIUM

EPSS-0.09% / 27.28%

7 Day CHG~0.00%

Published-13 May, 2021 | 15:30

Updated-16 Sep, 2024 | 18:13

IBM Jazz Reporting Service 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 198834.

Vendor-IBM Corporation

Product-jazz_reporting_service Jazz Reporting Service

CWE ID-CWE-918

Server-Side Request Forgery (SSRF)

CVE-2024-32812

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-5.4||MEDIUM

EPSS-0.07% / 22.70%

7 Day CHG~0.00%

Published-24 Apr, 2024 | 07:14

Updated-19 Mar, 2025 | 18:08

WordPress Podlove Podcast Publisher plugin <= 4.0.11 - Server Side Request Forgery (SSRF) vulnerability

Server-Side Request Forgery (SSRF) vulnerability in Podlove Podlove Podcast Publisher.This issue affects Podlove Podcast Publisher: from n/a through 4.0.11.

Vendor-podlove Podlove podlove

Product-podlove_podcast_publisher Podlove Podcast Publisher podlove_podcast_publisher

CWE ID-CWE-918

Server-Side Request Forgery (SSRF)

CVE-2023-28633

Credits

GLPI vulnerable to Blind Server-Side Request Forgery (SSRF) in RSS feeds

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs