CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,748 vulnerabilities with CWE-918
CVE ID | Severity | CVSS | Title
CVE-2023-47121 | LOW | 3.4 | Discourse < 3.1.3 and < 3.2.0.beta3 - Server-Side Request Forgery via Embedding Feature
CVE-2023-46729 | CRITICAL | 9.3 | Sentry JavaScript SDK 7.26.0-7.76.9 - Server-Side Request Forgery via Next.js Tunnel Endpoint
CVE-2023-42361 | HIGH | 7.8 | Better PDF Exporter for Jira < 11.0.0 - Local File Inclusion via Crafted Image in PDF Export
CVE-2023-46730 | HIGH | 7.4 | Group-Office 6.3.1-6.6.176 - Server-Side Request Forgery via upload.php
CVE-2023-39301 | MEDIUM | 4.3 | QNAP QTS < 5.1.1.2491 - Authenticated Server-Side Request Forgery
CVE-2023-4769 | MEDIUM | 6.6 | ManageEngine Desktop Central 9.1.0 - Authenticated Server-Side Request Forgery via /smtpConfig.do
CVE-2023-43982 | CRITICAL | 9.8 | Bon Presta boninstagramcarousel 5.2.1-7.0.0 - Server-Side Request Forgery
CVE-2023-35896 | MEDIUM | 5.4 | IBM Content Navigator 3.0.13 - SSRF
CVE-2023-46725 | HIGH | 8.1 | foodcoopshop 3.2.0-3.6.0 - Server-Side Request Forgery via /api/updateProducts.json Endpoint
CVE-2023-46236 | HIGH | 8.6 | FOG Project <1.5.10 - Unauthenticated Server-Side Request Forgery
CVE-2023-46502 | CRITICAL | 9.8 | openCRX < 5.3.0 - XML External Entity Injection via Insecure DocumentBuilderFactory
CVE-2023-43798 | MEDIUM | 5.6 | BigBlueButton <2.6.12, 2.7.0-rc.1 - SSRF
CVE-2023-46124 | HIGH | 8.2 | Fides < 2.22.1 - Server-Side Request Forgery via YAML Dataset and Config Files
CVE-2023-43795 | HIGH | 8.6 | GeoServer WPS <2.22.5 and <2.23.2 - Server-Side Request Forgery
CVE-2023-41339 | HIGH | 8.6 | GeoServer WMS <2.22.5 and <2.23.2 - Server-Side Request Forgery via sld URL
CVE-2023-45966 | HIGH | 7.5 | remark42 < 1.12.1 - Server-Side Request Forgery via Newsletter Import URL Parameter
CVE-2023-46303 | HIGH | 7.5 | calibre < 6.19.0 - Server-Side Request Forgery via HTML Input Plugin
CVE-2023-44256 | MEDIUM | 6.5 | FortiAnalyzer/FortiManager SSRF via Crafted HTTP Request
CVE-2023-41899 | MEDIUM | 6.6 | Home Assistant < 2023.9.0 - Server-Side Request Forgery via hassio.addon_stdin
CVE-2023-45822 | LOW | 3.7 | Artifact Hub <1.16.0 - Server-Side Request Forgery via Rego HTTP Built-In
CVE-2023-25753 | MEDIUM | 6.5 | Apache ShenYu 2.5.1 - Server-Side Request Forgery via /sandbox/proxyGateway requestUrl Parameter
CVE-2023-46229 | HIGH | 8.8 | langchain < 0.0.317 - Server-Side Request Forgery via Recursive URL Loader
CVE-2023-45152 | LOW | 2.0 | engelsystem < 2023-09-18 - Blind Server-Side Request Forgery via Import Schedule Functionality
CVE-2023-45660 | MEDIUM | 4.3 | Nextcloud Mail 2.2.0-2.2.8 - Server-Side Request Forgery via Proxy Endpoint
CVE-2023-5572 | CRITICAL | 9.8 | vrite < 0.3.0 - Server-Side Request Forgery