CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,740 vulnerabilities with CWE-918
CVE ID          Severity  CVSS  Description
CVE-2024-8635   HIGH      7.7   GitLab 16.8-17.1.6, 17.2-17.2.4, 17.3-17.3.1 - Server-Side Request Forgery via Maven Dependency Proxy URL
CVE-2024-44677  CRITICAL  9.8   eladmin < 2.7 - Server-Side Request Forgery via DatabaseController.java
CVE-2024-44721  CRITICAL  9.8   SeaCMS v13.1 - Server-Side Request Forgery via URL Parameter
CVE-2024-40718  HIGH      8.8   Veeam Backup for Nutanix - Low-Privilege SSRF Local Privilege Escalation
CVE-2024-24759  CRITICAL  9.3   MindsDB - DNS Rebinding SSRF Protection Bypass
CVE-2024-45507  CRITICAL  9.8   Apache OFBiz <18.12.16 - SSRF/Code Injection
CVE-2024-43371  MEDIUM    4.5   CKAN < 2.10.5 - Server-Side Request Forgery via Resource URL
CVE-2024-43379  LOW       3.4   TruffleHog < 3.81.9 - Server-Side Request Forgery via Malicious Detector Input
CVE-2024-22219  MEDIUM    6.3   Terminalfour 8.0.0001-8.3.18 and XML JDBC <= 1.0.4 - Authenticated XML External Entity Injection
CVE-2024-22217  MEDIUM    6.5   Terminalfour < 8.3.19 - Authenticated Server-Side Request Forgery
CVE-2024-7743   HIGH      7.3   ltcms 1.0.20 downloadUrl - Server-Side Request Forgery
CVE-2024-7742   HIGH      7.3   ltcms 1.0.20 multiDownload - Server-Side Request Forgery
CVE-2024-7740   HIGH      7.3   ltcms 1.0.20 download API - Server-Side Request Forgery
CVE-2024-38109  CRITICAL  9.1   Microsoft Azure Health Bot - Authenticated Server-Side Request Forgery
CVE-2024-41737  MEDIUM    5.0   SAP CRM ABAP Insights Management - Authenticated Server-Side Request Forgery
CVE-2024-41651  HIGH      8.1   PrestaShop < 8.1.7 - Server-Side Request Forgery via Module Upgrade Functionality
CVE-2024-42467  CRITICAL  10.0  openHAB CometVisu < 4.2.1 - Unauthenticated Server-Side Request Forgery and Cross-Site Scripting via Proxy Endpoint
CVE-2024-41570  CRITICAL  9.8   Havoc 0.7 - Unauthenticated Server-Side Request Forgery via Demon Callback
CVE-2024-39338  HIGH      7.5   axios 1.3.2-1.7.3 - Server-Side Request Forgery via Path Relative URL Processing
CVE-2024-6522   HIGH      8.5   Modern Events Calendar <7.12.1 - SSRF
CVE-2024-38206  HIGH      8.5   Microsoft Copilot Studio - Authenticated Server-Side Request Forgery
CVE-2024-42352  HIGH      8.6   nuxt/icon < 1.4.5 - Server-Side Request Forgery via Icon API Endpoint
CVE-2024-36448  HIGH      7.3   Apache IoTDB Workbench <0.13.0 - SSRF
CVE-2024-39713  HIGH      8.6   Rocket.Chat < 6.10.1 - Server-Side Request Forgery via Twilio Webhook Endpoint
CVE-2024-39637  MEDIUM    5.4   Edubin <= 9.2.0 - Server-Side Request Forgery