CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,749 vulnerabilities with CWE-918
CVE             | Severity | CVSS | Title
----------------|----------|------|------------------------------------------------------------------------------------------------
CVE-2023-33184  | LOW      | 3.5  | Nextcloud Mail 1.13.0-1.15.2 - Server-Side Request Forgery
CVE-2023-32348  | MEDIUM   | 5.8  | Teltonika Remote Management System < 4.10.0 - Server-Side Request Forgery via VPN Hub Feature
CVE-2023-31848  | HIGH     | 8.8  | davinci 0.3.0-rc - Server-Side Request Forgery
CVE-2023-23169  | MEDIUM   | 6.5  | Synapsoft pdfocus 1.17 - Path Traversal and Server-Side Request Forgery
CVE-2023-24954  | MEDIUM   | 6.5  | Microsoft SharePoint Server - Information Disclosure
CVE-2023-30019  | MEDIUM   | 5.3  | imgproxy <=3.14.0 - Server-Side Request Forgery via imageURL Parameter
CVE-2023-30444  | HIGH     | 7.1  | IBM Watson Machine Learning on Cloud Pak for Data 4.0 and 4.5 - Authenticated Server-Side Request Forgery
CVE-2023-26735  | HIGH     | 7.5  | blackbox_exporter <0.23.0 - Info Disclosure
CVE-2023-2140   | HIGH     | 7.5  | DELMIA Apriso 2017-2022 - Unauthenticated Server-Side Request Forgery
CVE-2023-25504  | MEDIUM   | 4.9  | Apache Superset <= 2.0.1 - Authenticated Server-Side Request Forgery via Import Dataset Feature
CVE-2023-28288  | HIGH     | 8.1  | Microsoft SharePoint Server - Server-Side Request Forgery
CVE-2023-1971   | MEDIUM   | 6.3  | yuan1994 tpAdmin 1.3.12 - Server-Side Request Forgery via Upload.php Remote Function
CVE-2023-29010  | MEDIUM   | 6.5  | Budibase < 2.4.3 - Server-Side Request Forgery
CVE-2023-29008  | HIGH     | 8.8  | SvelteKit < 1.15.2 - Cross-Site Request Forgery via Uppercase Content-Type Header Bypass
CVE-2023-28633  | LOW      | 3.5  | GLPI 0.84-9.5.12 - Server-Side Request Forgery via RSS Feed Autodiscovery
CVE-2023-27163  | MEDIUM   | 6.5  | request-baskets < 1.2.1 - Server-Side Request Forgery via /api/baskets/{name} Endpoint
CVE-2023-27162  | CRITICAL | 9.1  | openapi-generator < 6.4.0 - Server-Side Request Forgery via /api/gen/clients/{language}
CVE-2023-27160  | HIGH     | 7.2  | forem < 2022.11.11 - Server-Side Request Forgery via /articles/{id}
CVE-2023-27159  | HIGH     | 7.5  | Appwrite < 1.2.1 - Server-Side Request Forgery via Avatars Favicon Endpoint
CVE-2023-1725   | CRITICAL | 9.8  | Infoline Project Management System <4.09.31.125 - SSRF
CVE-2023-25195  | HIGH     | 8.1  | Apache Fineract 1.4.0-1.8.3 - Authenticated Server-Side Request Forgery
CVE-2023-25262  | HIGH     | 7.5  | Stimulsoft Designer 2023.1.3 - Server-Side Request Forgery via External Resource Embedding
CVE-2023-1634   | MEDIUM   | 6.3  | OTCMS 6.72 - Server-Side Request Forgery via UseCurl Function
CVE-2023-27586  | CRITICAL | 9.9  | CairoSVG < 2.7.0 - Server-Side Request Forgery via External Host Requests
CVE-2023-28112  | MEDIUM   | 5.9  | Discourse < 3.1.0.beta3 - Server-Side Request Forgery via FastImage URL Handling