Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-35451

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-29 Nov, 2024 | 00:00
Updated At-02 Dec, 2024 | 19:35
Rejected At-
Credits

LinkStack 2.7.9 through 4.7.7 allows resources\views\components\favicon.blade.php link SSRF.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:29 Nov, 2024 | 00:00
Updated At:02 Dec, 2024 | 19:35
Rejected At:
▼CVE Numbering Authority (CNA)

LinkStack 2.7.9 through 4.7.7 allows resources\views\components\favicon.blade.php link SSRF.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://datafarm.co.th/blog/CVE-2024-35451:-From-%28Authenticated%29-SSRF-to-Remote-Code-Execution
N/A
Hyperlink: https://datafarm.co.th/blog/CVE-2024-35451:-From-%28Authenticated%29-SSRF-to-Remote-Code-Execution
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
linkstack
Product
linkstack
CPEs
  • cpe:2.3:a:linkstack:linkstack:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 2.7.9 through 4.7.7 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-918CWE-918 Server-Side Request Forgery (SSRF)
Type: CWE
CWE ID: CWE-918
Description: CWE-918 Server-Side Request Forgery (SSRF)
Metrics
VersionBase scoreBase severityVector
3.14.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:29 Nov, 2024 | 05:15
Updated At:03 Jul, 2025 | 00:31

LinkStack 2.7.9 through 4.7.7 allows resources\views\components\favicon.blade.php link SSRF.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CPE Matches
linkstack
linkstack
>>linkstack>>Versions from 2.7.9(inclusive) to 4.7.7(inclusive)
cpe:2.3:a:linkstack:linkstack:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-918Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-918
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://datafarm.co.th/blog/CVE-2024-35451:-From-%28Authenticated%29-SSRF-to-Remote-Code-Executioncve@mitre.org
Third Party Advisory
Exploit
Hyperlink: https://datafarm.co.th/blog/CVE-2024-35451:-From-%28Authenticated%29-SSRF-to-Remote-Code-Execution
Source: cve@mitre.org
Resource:
Third Party Advisory
Exploit

Change History

0
Information is not available yet

Similar CVEs

3Records found
CVE-2026-27567
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.03% / 9.26%
||
7 Day CHG~0.00%
Published-24 Feb, 2026 | 14:22
Updated-27 Feb, 2026 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Payload has Server-Side Request Forgery (SSRF) in External File URL Uploads

Payload is a free and open source headless content management system. Prior to 3.75.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Payload's external file upload functionality. When processing external URLs for file uploads, insufficient validation of HTTP redirects could allow an authenticated attacker to access internal network resources. The Payload environment must have at least one collection with `upload` enabled and a user who has `create` access to that upload-enabled collection in order to be vulnerable. An authenticated user with upload collection write permissions could potentially access internal services. Response content from internal services could be retrieved through the application. This vulnerability has been patched in v3.75.0. As a workaround, one may mitigate this vulnerability by disabling external file uploads via the `disableExternalFile` upload collection option, or by restricting `create` access on upload-enabled collections to trusted users only.

Action-Not Available
Vendor-payloadcmspayloadcms
Product-payloadpayload
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-63010
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.8||MEDIUM
EPSS-0.03% / 8.81%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 14:52
Updated-20 Jan, 2026 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Hercules Core plugin <= 7.4 - Server Side Request Forgery (SSRF) vulnerability

Server-Side Request Forgery (SSRF) vulnerability in ThemesInflow Hercules Core hercules-core allows Server Side Request Forgery.This issue affects Hercules Core : from n/a through <= 7.4.

Action-Not Available
Vendor-ThemesInflow
Product-Hercules Core
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-5350
Matching Score-4
Assigner-WSO2 LLC
ShareView Details
Matching Score-4
Assigner-WSO2 LLC
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 17.22%
||
7 Day CHG+0.02%
Published-24 Oct, 2025 | 10:08
Updated-21 Nov, 2025 | 14:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SSRF and Reflected XSS Vulnerability in Deprecated Try-It Feature of Multiple WSO2 Products

SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user's browser context. By tricking an administrator into accessing a crafted link, an attacker could force the server to fetch malicious content and reflect it into the admin’s browser, leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. While session cookies are protected with the HttpOnly flag, the XSS still poses a significant security risk. Furthermore, SSRF can be used by a privileged user to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable from the affected product.

Action-Not Available
Vendor-WSO2 LLC
Product-identity_serveropen_banking_amuniversal_gatewayenterprise_integratorapi_manageridentity_server_as_key_manageropen_banking_iamtraffic_managerapi_control_planeWSO2 Open Banking AMorg.wso2.carbon:org.wso2.carbon.uiWSO2 Traffic ManagerWSO2 Open Banking IAMWSO2 Identity ServerWSO2 API Control PlaneWSO2 Identity Server as Key ManagerWSO2 Universal GatewayWSO2 API ManagerWSO2 Enterprise Integrator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
Details not found