CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,758 vulnerabilities with CWE-918
CVE            | Severity       | CVSS | Title
---------------|----------------|------|------------------------------------------------------------
CVE-2021-37353 | CRITICAL       | 9.8  | Nagios XI Docker Wizard < 1.1.3 - Server-Side Request Forgery via table_population.php
CVE-2021-32603 | HIGH           | 8.8  | FortiAnalyzer and FortiManager 5.6.0-6.2.7 - Authenticated Server-Side Request Forgery
CVE-2021-24472 | CRITICAL       | 9.8  | QT KenthaRadio < 2.0.2 and OnAir2 < 3.9.9.2 - Unauthenticated Server-Side Request Forgery via Proxy Functionality
CVE-2021-24371 | LOW            | 2.7  | RSVPMaker < 8.7.3 - Authenticated Server-Side Request Forgery via Import Feature
CVE-2021-20788 | MEDIUM         | 4.3  | GroupSession 2.2.0-5.0.9, byCloud 3.0.3-5.0.9, ZION 3.0.3-5.0.9 - SSRF
CVE-2021-26699 | MEDIUM         | 5.4  | Open-xchange Appsuite - SSRF
CVE-2021-22726 | HIGH           | 8.1  | EVlink <R8 V3.4.0.1 - Server-Side Request Forgery via Charging Station Parameters
CVE-2021-31216 | HIGH           | 8.1  | Siren Investigate < 11.1.1 - Server-Side Request Forgery via Image Proxy Route
CVE-2021-29749 | MEDIUM         | 5.4  | IBM Secure External Authentication Server & Sterling Secure Proxy 6.0.2 - SSRF
CVE-2021-34473 | CRITICAL (KEV) | 9.1  | Microsoft Exchange ProxyShell RCE
CVE-2021-33213 | MEDIUM         | 6.5  | Elements-IT HTTP Commander 5.3.3 - SSRF
CVE-2021-29102 | CRITICAL       | 9.1  | ArcGIS Server < 10.9.0 - Unauthenticated Server-Side Request Forgery
CVE-2021-35209 | CRITICAL       | 9.8  | Zimbra Collaboration Suite 8.8-8.8.14 and 9.0.0-9.0.0.15 - Server-Side Request Forgery via X-Host Header
CVE-2021-32639 | HIGH           | 7.2  | Emissary < 6.4.0 - Server-Side Request Forgery via RegisterPeerAction and AddChildDirectoryAction Endpoints
CVE-2021-31531 | CRITICAL       | 9.8  | ManageEngine ServiceDesk Plus MSP < 10521 - Server-Side Request Forgery
CVE-2021-32698 | MEDIUM         | 6.8  | elabftw < 4.0.0 - Blind Server-Side Request Forgery
CVE-2021-34811 | MEDIUM         | 5.0  | Synology Download Station < 3.8.16-3566 - Authenticated Server-Side Request Forgery in Task Management Component
CVE-2021-34808 | MEDIUM         | 5.8  | Synology Media Server < 1.8.3-2881 - Server-Side Request Forgery via CGI Component
CVE-2021-20483 | MEDIUM         | 6.5  | IBM Security Identity Manager 6.0.2 - SSRF
CVE-2021-32682 | CRITICAL       | 9.8  | elFinder < 2.1.59 - Remote Code Execution via Archive Command Injection
CVE-2021-22175 | MEDIUM (KEV)   | 6.8  | GitLab 10.5.0-13.6.6 - Unauthenticated Server-Side Request Forgery via Webhook Internal Network Requests
CVE-2021-31950 | HIGH           | 7.6  | Microsoft SharePoint Server - Server-Side Request Forgery
CVE-2021-33571 | HIGH           | 7.5  | Django <2.2.24, <3.1.12, <3.2.4 - Info Disclosure
CVE-2021-22214 | MEDIUM         | 6.8  | GitLab 10.5-13.10.4 - Unauthenticated Server-Side Request Forgery via Webhook Internal Network Requests
CVE-2021-20348 | MEDIUM         | 5.4  | IBM Jazz Foundation/Engineering - SSRF