CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,748 vulnerabilities with CWE-918
CVE-2023-46736 MEDIUM
EspoCRM <8.0.5 - Server-Side Request Forgery via Image URL Upload
CVSS 5.3
CVE-2023-48910 CRITICAL
microcks < 1.17.1 - Server-Side Request Forgery via /jobs and /artifact/download
CVSS 9.8
CVE-2023-46746 MEDIUM
PostHog - Authenticated Server-Side Request Forgery via Webhook URL
CVSS 4.8
CVE-2023-49094 MEDIUM
Sentry Symbolicator >=0.3.3 <23.11.2 - Server-Side Request Forgery via Crafted HTTP Endpoint
CVSS 4.3
CVE-2023-6070 MEDIUM
Trellix ESM <11.6.8 - Authenticated Server-Side Request Forgery via Certificate Upload
CVSS 4.3
CVE-2023-48023 CRITICAL
Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery via Log Proxy Endpoint
CVSS 9.1
CVE-2023-48022 CRITICAL
Anyscale Ray 2.6.3 and 2.8.0 - Remote Code Execution via Job Submission API
CVSS 9.8
CVE-2023-46480 CRITICAL
OwnCast 0.1.1 - Server-Side Request Forgery via indieauth authHost Parameter
CVSS 9.8
CVE-2023-5974 CRITICAL
WPB Show Core < 2.2 - Server-Side Request Forgery via Path Parameter
CVSS 9.8
CVE-2023-48711 LOW
google-translate-api-browser <4.1.3 - Server-Side Request Forgery via tld Option
CVSS 3.7
CVE-2023-27451 HIGH
Instant Images < 5.1.0.2 - Server-Side Request Forgery
CVSS 7.2
CVE-2023-48307 LOW
Nextcloud Mail 1.13.0-2.2.7 - Server-Side Request Forgery via Unprotected Endpoint
CVSS 3.5
CVE-2023-48306 MEDIUM
Nextcloud Server 22.0.0-22.2.10.15, 25.0.0-25.0.10 - Server-Side Request Forgery via DNS Rebinding
CVSS 5.0
CVE-2023-6199 MEDIUM
BookStack 23.10.2 - Server-Side Request Forgery via Local File Filtering
CVSS 6.5
CVE-2023-48240 CRITICAL
XWiki 11.10.1-14.10.14 - Cookie Theft and Server-Side Request Forgery via Diff Image Embedding
CVSS 9.0
CVE-2023-48204 MEDIUM
PublicCMS 4.0.202302.e - Sensitive Information Disclosure via getHtml API
CVSS 6.5
CVE-2023-6124 MEDIUM
salesagility/suitecrm <7.14.2-8.4.2-7.12.14 - SSRF
CVSS 4.3
CVE-2023-46207 MEDIUM
StylemixThemes Motors - Car Dealer, Classifieds & Listing < 1.4.6 - Server-Side Request Forgery
CVSS 4.1
CVE-2023-41239 MEDIUM
Blubrry PowerPress Podcasting plugin < 11.0.6 - Server-Side Request Forgery
CVSS 6.4
CVE-2023-38515 MEDIUM
Andy Moyle Church Admin <3.7.56 - SSRF
CVSS 5.5
CVE-2023-37978 MEDIUM
HTTP Headers < 1.18.11 - Server-Side Request Forgery
CVSS 4.4
CVE-2023-34013 MEDIUM
Poll Maker - Server-Side Request Forgery
CVSS 4.4
CVE-2023-31219 MEDIUM
WPChill Download Monitor <4.8.1 - SSRF
CVSS 4.1
CVE-2023-23800 HIGH
WP Shortcodes Plugin - Shortcodes Ultimate <= 5.12.6 - Server-Side Request Forgery
CVSS 7.1
CVE-2023-23684 MEDIUM
WPGraphQL < 1.14.5 - Server-Side Request Forgery
CVSS 4.4