OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Logo parameter under the Link module.

**vulnerability Abstract**

There are two SSRF vulnerabilities in OneBlog v2.3.4, one in adding friendly links and the other in the article porter function, which can be exploited by attackers to initiate probes on intranet services.

**Scope of influence**

OneBlog v2.3.4

**vulnerability Reappearance****The first SSRF vulnerability:**

To log in to the system using the account password root/123456, click Lab-> Article Porter Module  
  
Vulnerability parameter：entryUrls

We can use python to set up a HTTP service as the target server，Judge whether the service is enabled according to the response result of the server accessing the target URL

This vulnerability can realize the function of intranet port detection, access different ports, open echoes will be different

If the port is open, it will take more than a thousand Millisecond

  
If the port is shut down, it will take more than two thousand Millisecond，You can see that if the service is not enabled, the request takes almost twice as long.  
  
The request record for the HTTP server is as follows:  

**The second SSRF vulnerability**

After logging in, click website Management-> Link module, add a link, and enter the URL of the test at the Logo parameter.Click Save，When saving, a request will be made to the target URL  
  
Then refreshing the link will also request the target URL.

Then check the access record of the HTTP service

CVE-2022-34013: OneBlog v2.3.4 background SSRF vulnerability · Issue #I5CB2A · yadong.zhang/OneBlog - Gitee.com

Directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality, which allows a low privileged user to perform internal network port scans.

**Server-Side Request Forgery in Directus**

Moderate severity GitHub Reviewed Published Jun 23, 2022 • Updated Jun 23, 2022

GHSA-5h75-pvq4-82c9: Server-Side Request Forgery in Directus

In directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality which allows a low privileged user to perform internal network port scans.

**Mend Vulnerability Database**

Mend Vulnerability Lab is where you can find the information that you need about open source security vulnerabilities, aggregated by Mend’s comprehensive open source vulnerabilities database from hundreds of both popular and under-the-radar community resources.

The Mend open source vulnerabilities database covers over 200 programming languages and over 3 million open source components. It aggregates information from a variety of sources including the NVD, security advisories, and open source project issue trackers, multiple times a day.

We’re here to help you find and fix open source security vulnerabilities, and provide you with all of the data that you need in order to address open source vulnerabilities, including:

*   Programming language
*   CWE type
*   CVSS Severity scores, including CVSS v2.0 and v3.x
*   Exposure level (how many organizations have been impacted)
*   Verified suggested fixes
*   The low-down from the community
*   Additional info to help make informed remediation decisions

CVE-2022-23080: Open Source Vulnerability Database | Mend

The GeoAnalytics feature in Qlik Sense April 2020 patch 4 allows SSRF.

**CVE-2021-41594**

RSA Archer

RSA Archer 6.9.SP1 P3 suffer of a privilege escalation vulnerability letting administrators access presumibily inaccessible functionalities.

**CVE-2021-40511**

Mastro – OBDA systems

OBDA systems’ Mastro 1.0 is vulnerable to XML Entity Expansion (aka “billion laughs”) attack allowing denial of service.

**CVE-2021-40510**

Mastro – OBDA systems

XML eXternal Entity (XXE) in OBDA systems’ Mastro 1.0 allows remote attackers to read system files via custom DTDs.

**CVE-TBA-01**

Liferay Portal

Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command.

**CVE-2021-36761**

Qlik Sense

The GeoAnalytics feature in Qlik Sense April 2020 patch 4 allows remote attackers to perform internal port scanning via SSRF.

**CVE-2021-36760**

WSO2 Identity Server

DOM-based XSS attack in WSO2 Identity Server 5.7.0 allows remote attackers to inject arbitrary web script in password reset procedure. This vulnerability can be used to perform Open Redirection attacks too.

**CVE-2020-23488**

L.E.F Radio Web Streamer

Blind Command Injection in L.E.F. srl Radio Web Streamer 1.0 allows an  
authenticated attacker to execute arbitrary command on the target system via specially crafted HTTP POST request.

**CVE-2020-23487**

L.E.F Radio Web Streamer

Arbitrary File Upload in L.E.F. srl Radio Web Streamer 1.0 allows an  
authenticated attacker to upload arbitrary file on the target system, hence  
executing arbitrary command by uploading a PHP file.

**CVE-2020-23486**

L.E.F Radio Web Streamer

Unauthenticated Command Injection in L.E.F. srl Radio Web Streamer 1.0 allows  an attacker to execute arbitrary command on the target system.

**CVE-2020-14608**

Oracle Fusion Middleware MapViewer

This vulnerability allows unauthenticated attacker with network access via HTTP to create, delete, edit critical data and read accessible data.

**CVE-2020-14607**

Oracle Fusion Middleware MapViewer

This vulnerability allows unauthenticated attacker with network access via HTTP to update, insert, delete and partially read accessible data.

**CVE-2020-14997**

ASiM – Archimista

An Insecure Direct Object Reference (IDOR) in Archimista 3.1.0 allows authenticated attacker to read and export all the reports in the application.

**CVE-2020-14996**

ASiM – Archimista

An arbitrary file read in Archimista 3.1.0 allows remote attacker to read arbitrary files on the file system.

**CVE-2020-14995**

ASiM – Archimista

A SQL injection in Archimista 3.1.0 allows remote attacker to execute arbitrary query on the database via the “term” parameter.

**CVE-2020-14994**

ASiM – Archimista

A SQL injection in Archimista 3.1.0 allows remote attacker to execute arbitrary query on the database via the “order” parameter.

**CVE-2020-10785**

Targa Telematics

**CVE-2020-10784**

Targa Telematics

**CVE-2019-19866**

Atos Unify OpenScape UC Application

Atos Unify OpenScape UC Web Client V9 before version V9 R4.31.0 and V10 before version V10 R0.6.0 allows remote attackers to obtain sensitive information. By iterating the value of conferenceId to getMailFunction in the JSON API, one can enumerate all conferences scheduled on the platform, with their numbers and access PINs.

**CVE-2019-19865**

Atos Unify OpenScape UC Application

Atos Unify OpenScape UC Application V9 before version V9 R4.31.0 and V10 before version V10 R0.6.0 allows XSS. An attacker could exploit this by convincing an authenticated user to inject arbitrary JavaScript code in the Profile Name field. A browser would execute this stored XSS payload.

**CVE-2019-17227**

Atos Unify OpenScape UC Application

CVE-2021-36761: Advisory - Joshua CybeRiskVision

In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server Side Request Forgery (SSRF), in the “Import Recipe” functionality. When an attacker enters the localhost URL, a low privileged attacker can access/read the internal file system to access sensitive information.

**Overview**

In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server Side Request Forgery (SSRF), in the “Import Recipe” functionality. When an attacker enters the localhost URL, a low privileged attacker can access/read the internal file system to access sensitive information.

**Details**

In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server Side Request Forgery (SSRF), in the “Import Recipe” functionality. When an attacker enters the localhost URL, a low privileged attacker can access/read the internal file system to access sensitive information.

**PoC Details**

Access the application through a browser and login as a user. Then, navigate to “import recipes” by clicking on the import button on the dashboard.For POC purpose, make sure your system is listening on a certain port. Select the manual option and enter the localhost URL- <loopback\_address>:<open\_port>. Proceed with the request. Now under the Discovered Attribute click on “Html”. You will be able to see the list of files.

**Affected Environments**

0.9.1 through 1.2.5

**Prevention**

Update version to 1.2.6 or higher

CVE-2022-23071: Mend Vulnerability Database

This advisory contains mitigations for NULL Pointer Dereference, Out-of-bounds Write, and Server-side Request Forgery (SSRF) vulnerabilities in the Siemens Apache HTTP Server.

Siemens Apache HTTP Server

flatCore-CMS version 2.0.8 calls dangerous functions, causing server-side request forgery vulnerabilities.

**Describe the bug**  
Server-side request forgery vulnerability (SSRF)

**To Reproduce**  
Steps to reproduce the behavior:  
1.go to 'acp/acp.php?tn=pages&sub=index'  
2\. Enter the intranet address in the box to request  
3\. Can make a request to the intranet

**Screenshots**  

request packet

Locate the vulnerable code /acp/core/pages.index.php  
The start\_index parameter calls the function fc\_crawler

Tracing the fc\_crawler function  
Locate the vulnerable code /acp/core/functions_index.php

Continue to track the fc\_loadSourceCode function

dict protocol for request

Use gopher protocol for request  
gopher://192.168.172.114:9333/aaaaa  

Led to the SSRF vulnerability

**Desktop (please complete the following information):**

*   OS: MacOS
*   Browser all
*   Version last version

CVE-2021-41403: Server-side request forgery vulnerability (SSRF) · Issue #60 · flatCore/flatCore-CMS

Zooms On-Premise Meeting Connector MMR before version 4.8.113.20220526 fails to properly check the permissions of a Zoom meeting attendee. As a result, a threat actor in the Zooms waiting room can join the meeting without the consent of the host.

CVE-2022-28749: Security Bulletin

A Server-Side Request Forgery (SSRF) vulnerability in IPS Community Suite before 4.6.2 allows remote authenticated users to request arbitrary URLs or trigger deserialization via phar protocol when generating class names dynamically. In some cases an exploitation is possible by an unauthenticated user.

CVE-2021-40604: 4.6.2

Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parking at endpoints, and a possibility to conduct SSRF attacks that could compromise system’s Availability by causing system to crash.

This file lists what security notes were published on a certain Patch Day Download the Document

Tag

#ssrf