CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
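
Added example for the CWE-918 pattern described above; it is not code from any of the products in the list below. It shows the destination check a server-side fetcher should perform before following a user-supplied URL: scheme and port allow-list, unwrapping of IPv4-mapped IPv6 literals, normalisation of the decimal, hex and octal host forms that resolvers accept (the class of bypass behind entries such as the "Hex-Encoded URL" one below), and resolution of hostnames so that the check applies to every address the name maps to. Names such as check_destination, FAKE_DNS and fake_resolver are this example's own, and the name table is constructed so the block runs offline.

```python
"""SSRF destination check for a server-side fetcher (added example, CWE-918)."""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Ranges a fetcher must never reach. ipaddress's is_private/is_loopback/
# is_link_local cover most of them; the rest are listed explicitly.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",   # link-local, includes 169.254.169.254 cloud metadata
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Resolve A and AAAA records with the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _legacy_ipv4(host: str) -> str | None:
    """Normalise inet_aton-style hosts (127.1, 0x7f000001, 2130706433,
    0177.0.0.1) to dotted-quad; None if host is not such a form. Resolvers
    accept these, so a check that only recognises dotted-quad misses them."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        try:
            if p[:2].lower() == "0x":
                values.append(int(p[2:], 16))
            elif len(p) > 1 and p[0] == "0":
                values.append(int(p, 8))
            else:
                values.append(int(p, 10))
        except ValueError:
            return None
    head, last = values[:-1], values[-1]
    remaining = 4 - len(head)          # the last component fills the remaining octets
    if any(not 0 <= v <= 255 for v in head) or not 0 <= last < 256 ** remaining:
        return None
    return str(ipaddress.IPv4Address(bytes(head) + last.to_bytes(remaining, "big")))


def is_blocked_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified
            or any(ip in net for net in BLOCKED_NETWORKS))


def check_destination(url: str, resolve: Resolver = system_resolver) -> tuple[bool, str]:
    """Return (allowed, reason). Allowed only for http(s) on 80/443 to a host
    whose every resolved address lies outside the blocked ranges."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError as exc:        # malformed IPv6 literal, port out of range
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    port = port or (443 if parts.scheme.lower() == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    try:
        addrs = [str(ipaddress.ip_address(host))]       # plain IP literal
    except ValueError:
        legacy = _legacy_ipv4(host)
        addrs = [legacy] if legacy else list(resolve(host))
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


# Constructed name table so the check runs offline (not real DNS data).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],  # one public, one internal
    "mapped.attacker.test": ["::ffff:169.254.169.254"],
}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for u in ("https://example.com/feed", "http://intranet.corp/", "http://0x7f000001/",
              "http://[::ffff:127.0.0.1]/", "http://rebind.attacker.test/", "file:///etc/passwd"):
        print(u, check_destination(u, fake_resolver))
```

Two caveats apply to any check of this shape. First, the address that passed the check must be the one the HTTP client actually connects to: if the client resolves the name again, a DNS answer that changes between the check and the connect (rebinding) defeats it, so either pin the resolved address and send the original name in the Host header, or run the check inside the client's resolver hook. Second, redirects are new destinations; disable automatic redirect following and re-run the check on every Location the fetcher is about to follow.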

2,758 vulnerabilities with CWE-918
CVE-2019-20055 MEDIUM
LiquiFire OS 4.8.0 - Server-Side Request Forgery via call%3Durl Parameter
CVSS 6.5
CVE-2019-19999 HIGH
halo < 1.2.0-beta.1 - Server-Side Template Injection via FreeMarker Configuration
CVSS 7.2
CVE-2019-18379 HIGH
Symantec Messaging Gateway < 10.7.3 - Server-Side Request Forgery
CVSS 7.3
CVE-2019-16948 CRITICAL
Enghouse Web Chat 6.1.300.31 - Server-Side Request Forgery via WebServiceLocation Port Manipulation
CVSS 9.8
CVE-2019-8156 HIGH
Magento 2.2.0-2.2.9 and 2.3.0-2.3.2 - Authenticated Server-Side Request Forgery via Connector API Endpoint
CVSS 7.2
CVE-2019-8151 HIGH
Magento 2.2.0-2.2.9 and 2.3.0-2.3.2 - Authenticated Remote Code Execution via SSRF in Carrier Gateway
CVSS 7.2
CVE-2019-18394 CRITICAL
Ignite Realtime Openfire < 4.4.2 - Server-Side Request Forgery via FaviconServlet
CVSS 9.8
CVE-2019-18355 CRITICAL
Thycotic Secret Server < 10.7.000000 - Server-Side Request Forgery via Legacy Web Launcher
CVSS 9.8
CVE-2019-17400 HIGH
Universal Office Converter < 0.9 - Server-Side Request Forgery via Untrusted Pathnames
CVSS 7.5
CVE-2019-17670 CRITICAL
WordPress < 5.2.4 - Server-Side Request Forgery via Windows Path Validation Bypass
CVSS 9.8
CVE-2019-17669 CRITICAL
WordPress < 5.2.4 - Server-Side Request Forgery via Hex-Encoded URL
CVSS 9.8
CVE-2019-14225 MEDIUM
Open-Xchange AppSuite 7.10.1-7.10.2 - Server-Side Request Forgery
CVSS 5.4
CVE-2019-15021 MEDIUM
Zingbox Inspector < 1.294 - Server-Side Request Forgery
CVSS 5.3
CVE-2019-15164 MEDIUM
libpcap < 1.9.1 - Server-Side Request Forgery via rpcapd URL Parameter
CVSS 5.3
CVE-2019-13335 CRITICAL
SuiteCRM 7.10.0-7.10.19 and 7.11.x < 7.11.7 - Server-Side Request Forgery
CVSS 9.8
CVE-2019-16932 CRITICAL
Visualizer < 3.3.1 - Server-Side Request Forgery via wp-json/visualizer/v1/upload-data
CVSS 10.0
CVE-2019-4262 MEDIUM
IBM QRadar SIEM 7.2.0-7.2.8 - Unauthenticated Server-Side Request Forgery
CVSS 5.3
CVE-2019-15033 HIGH
Pydio 6.0.8 - Authenticated Server-Side Request Forgery via Remote Link Feature
CVSS 7.7
CVE-2019-6837 CRITICAL
U.motion Server Firmware < 1.3.7 - Server-Side Request Forgery via URL Manipulation
CVSS 9.1
CVE-2019-15731 MEDIUM
GitLab 12.0-12.2.1 - Unauthenticated Merge Request Comment Access
CVSS 5.3
CVE-2019-15730 HIGH
GitLab 8.14.0-12.2.1 - Server-Side Request Forgery via Jira Integration
CVSS 7.5
CVE-2019-15728 HIGH
GitLab 10.1-12.2.1 - Server-Side Request Forgery via Kubernetes Integration
CVSS 7.5
CVE-2019-8451 MEDIUM
Jira Server 7.6.0-8.3.9 - Server-Side Request Forgery via Gadgets MakeRequest Endpoint
CVSS 6.5
CVE-2019-12996 MEDIUM
Mendix < 7.23.5 - Server-Side Request Forgery via XML Import Mappings
CVSS 5.3
CVE-2019-6793 HIGH
GitLab 10.0.0-11.5.7, 11.6.0-11.6.5, 11.7.0 - Unauthenticated Server-Side Request Forgery via Jira Integration
CVSS 7.0