CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,740 vulnerabilities with CWE-918
CVE-2024-12867 | HIGH | Arctic Hub 3.0.1764-5.6.1877 - Unauthenticated Server-Side Request Forgery in URL Mapper
CVE-2024-49336 | MEDIUM | IBM Security Guardium 11.5 and 12.0 - Authenticated Server-Side Request Forgery | CVSS 6.5
CVE-2024-12801 | LOW | logback-core 1.4.0-1.5.12 and logback 0.1-1.3.14 - Server-Side Request Forgery via DOCTYPE Declaration
CVE-2024-55082 | HIGH | Stirling-PDF 0.35.1 - Server-Side Request Forgery via URL-to-PDF Endpoint | CVSS 7.5
CVE-2024-12121 | MEDIUM | Broken Link Checker Finder <=2.5.0 - Author Blind Server-Side Request Forgery | CVSS 5.4
CVE-2024-52579 | MEDIUM | Misskey < 2024.11.0 - Server-Side Request Forgery via HttpRequestService | CVSS 6.4
CVE-2024-55089 | MEDIUM | rhymix < 2.1.24 - Server-Side Request Forgery via XML External Entity Injection | CVSS 4.1
CVE-2024-55086 | HIGH | GetSimple CMS CE 3.3.19 - Server-Side Request Forgery via Plugin Download Address | CVSS 7.2
CVE-2024-9624 | HIGH | WP All Import Pro <= 4.9.3 - Authenticated Server-Side Request Forgery via pmxi_curl_download | CVSS 7.6
CVE-2024-54385 | HIGH | SoftLab Radio Player <2.0.82 - SSRF | CVSS 7.2
CVE-2024-54330 | HIGH | Hurrakify <= 2.4 - Server-Side Request Forgery | CVSS 7.2
CVE-2024-11836 | HIGH | PlexTrac 1.61.3-2.8.1 - Server-Side Request Forgery | CVSS 7.5
CVE-2024-55875 | CRITICAL | http4k-format-xml 5.0.0.0-5.41.0.0 - XML External Entity Injection | CVSS 9.8
CVE-2024-54197 | HIGH | SAP NetWeaver Administrator (System Overview) >=LM-CORE 7.50 <LM-CORE 7.50 - Authenticated Server-Side Request Forgery | CVSS 7.2
CVE-2024-47578 | CRITICAL | SAP NetWeaver AS for JAVA (Adobe Document Services) - Authenticated Server-Side Request Forgery | CVSS 9.1
CVE-2024-48874 | CRITICAL | Ruijie Reyee OS 2.206.x-2.319.x - Server-Side Request Forgery via Proxy Server | CVSS 9.8
CVE-2024-6784 | CRITICAL | ABB ASPECT Enterprise NEXUS and MATRIX Series < 3.08.03 - Server-Side Request Forgery | CVSS 9.9
CVE-2024-45206 | MEDIUM | Veeam Service Provider Console - SSRF | CVSS 6.5
CVE-2024-54000 | HIGH | MobSF < 3.9.7 assetlinks Redirect - Server-Side Request Forgery | CVSS 7.5
CVE-2024-53738 | MEDIUM | Gabe Livan Asset CleanUp: Page Speed Booster <1.3.9.8 - SSRF | CVSS 4.4
CVE-2024-53983 | MEDIUM | Backstage plugin-scaffolder-node < 0.4.12 - Server-Side Request Forgery via Git Config Injection | CVSS 5.4
CVE-2024-35451 | MEDIUM | LinkStack 2.7.9-4.7.7 - Server-Side Request Forgery via Favicon Component | CVSS 4.8
CVE-2024-32965 | HIGH | lobehub/lobe_chat < 1.19.13 - Unauthenticated Server-Side Request Forgery via JWT Token Header | CVSS 8.1
CVE-2024-6538 | MEDIUM | OpenShift Console - Authenticated Server-Side Request Forgery via /api/dev-console/proxy/internet Endpoint | CVSS 5.3
CVE-2024-9710 | HIGH | PostHog < 2024-10-04 - Authenticated Server-Side Request Forgery in database_schema Method | CVSS 8.3