Security
Headlines
HeadlinesLatestCVEs

Tag

#ssrf

Dataprobe iBoot-PDU

This advisory contains mitigations for OS Command Injection, Path Traversal, Exposure of Sensitive Information to an Unauthorized Actor, Improper Access Control, Improper Authorization, Incorrect Authorization, and SSRF vulnerabilities in versions of Dataprobe iBoot-PDU FW products.

us-cert
Open in Source
#vulnerability#ssrf#auth
CVE-2022-2912

The Craw Data WordPress plugin through 1.0.0 does not implement nonce checks, which could allow attackers to make a logged in admin change the url value performing unwanted crawls on third-party sites (SSRF).

Siemens SINEC INS

This advisory contains mitigations for Improper Input Validation, Integer Overflow or Wraparound, Uncontrolled Resource Consumption, Command Injection, Inadequate Encryption Strength, Missing Encryption of Sensitive Data, Improper Restriction of Operations Within the Bounds of a Memory Buffer, Exposure of Private Personal Information to an Unauthorized Actor, Open Redirect, Improper Resource Shutdown or Release, and Server-Side Request Forgery (SSRF) vulnerabilities in Siemens SINEC INS products.

GHSA-j9fq-vwqv-2fm2: Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.

CVE-2022-36112: Blind Server-Side Request Forgery (SSRF) in RSS feeds and planning

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or extenal calendar in planning is subject to SSRF exploit. Server-side requests can be used to scan server port or services opened on GLPI server or its private network. Queries responses are not exposed to end-user (blind SSRF). Users are advised to upgrade to version 10.0.3 to resolve this issue. There are no known workarounds.

CVE-2022-22520: VDE-2022-039 | CERT@VDE

A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2.

CVE-2022-2900: Throw if url is invalid. Add a length limit. · IonicaBizau/parse-url@b88c81d

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.

CVE-2022-38342: FME Community

Safe Software FME Server v2022.0.1.1 and below was discovered to contain a XML External Entity (XXE) vulnerability which allows authenticated attackers to perform data exfiltration or Server-Side Request Forgery (SSRF) attacks.

CVE-2022-38342: Safe Software | FME | Data Integration Platform

Safe Software FME Server v2022.0.1.1 and below was discovered to contain a XML External Entity (XXE) vulnerability which allows authenticated attackers to perform data exfiltration or Server-Side Request Forgery (SSRF) attacks.