CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,750 vulnerabilities with CWE-918
CVE-2022-1722 (LOW, CVSS 3.3): drawio < 18.0.5 - Server-Side Request Forgery via IPv6 Link-Local Address
CVE-2022-1713 (HIGH, CVSS 7.5): drawio < 18.0.4 - Server-Side Request Forgery via /proxy Endpoint
CVE-2022-1398 (MEDIUM, CVSS 6.5): External Media without Import < 1.1.2 - Authenticated Server-Side Request Forgery via URL Media Addition
CVE-2022-1386 (CRITICAL, CVSS 9.8): Fusion Builder < 3.6.2 - Server-Side Request Forgery via Unvalidated Form Parameter
CVE-2022-30049 (HIGH, CVSS 7.5): Rebuild 2.8.3 - Server-Side Request Forgery via Fileurl Parameter
CVE-2022-1379 (CRITICAL, CVSS 9.1): PlantUML < 1.2022.5 - Server-Side Request Forgery via URL Restriction Bypass
CVE-2022-29848 (MEDIUM, CVSS 6.5): Progress WhatsUp Gold 17.0.0-21.1.1 and 22.0.0 - Authenticated Server-Side Request Forgery
CVE-2022-29847 (HIGH, CVSS 7.5): Progress WhatsUp Gold 21.0.0-21.1.1 and 22.0.0 - Unauthenticated Server-Side Request Forgery
CVE-2022-29180 (MEDIUM, CVSS 5.9): charm 0.9.0-0.12.0 - Server-Side Request Forgery via Data Directory Manipulation
CVE-2022-1592 (HIGH, CVSS 8.2): clinical-genomics/scout < 4.42 - Server-Side Request Forgery
CVE-2022-29942 (MEDIUM, CVSS 6.5): Talend Administration Center - Authenticated Server-Side Request Forgery via Service Registry Add Functionality
CVE-2022-28090 (MEDIUM, CVSS 6.5): Jspxcms v10.2.0 - Server-Side Request Forgery via /cmscp/ext/collect/fetch_url.do URL Parameter
CVE-2022-1239 (HIGH, CVSS 8.8): HubSpot WordPress Plugin < 8.8.15 - Server-Side Request Forgery via Proxy REST Endpoint
CVE-2022-25850 (HIGH, CVSS 7.5): proxyscotch < 1.0.0 - Server-Side Request Forgery via Interceptor Mode
CVE-2022-24449 (CRITICAL, CVSS 9.8): Solar appScreener <= 3.10.4 - XML External Entity Injection and Server-Side Request Forgery via Crafted XML Document
CVE-2022-29556 (CRITICAL, CVSS 9.8): Northern.tech Mender Enterprise < 3.2.2 - Server-Side Request Forgery via Azure IoT Hub Integration
CVE-2022-28117 (MEDIUM, CVSS 4.9): Navigate CMS 2.9.4 - Server-Side Request Forgery via Feed Parameter
CVE-2022-27469 (CRITICAL, CVSS 9.8): monsta_ftp 2.10.3 - Server-Side Request Forgery
CVE-2022-27429 (CRITICAL, CVSS 9.8): JizhiCMS 1.9.5 - Server-Side Request Forgery via Plugins update Endpoint
CVE-2022-27311 (CRITICAL, CVSS 9.8): Gibbon < 3.4.4 - Server-Side Request Forgery via Crafted URL
CVE-2022-24871 (HIGH, CVSS 7.2): Shopware < 6.4.10.1 - Server-Side Request Forgery via Admin SDK
CVE-2022-24862 (HIGH, CVSS 7.7): Databasir 1.0.1 - Server-Side Request Forgery via JDBC Driver Download Check
CVE-2022-24825 (MEDIUM, CVSS 5.8): stripe/smokescreen < 0.0.3 - Server-Side Request Forgery via Deny List Bypass
CVE-2022-29153 (HIGH, CVSS 7.5): HashiCorp Consul <1.9.16-1.11.4 - SSRF
CVE-2022-1037 (HIGH, CVSS 7.2): EXMAGE WordPress Plugin < 1.0.7 - Server-Side Request Forgery via Image URL