246 matches found
CVE-2018-12463
An XML external entity (XXE) vulnerability in Fortify Software Security Center (SSC), versions 17.1, 17.2, and 18.1, allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request...
CVE-2018-12463
Summary (CVE-2018-12463, Fortify SSC): An XML External Entity (XXE) vulnerability affects Fortify Software Security Center (SSC) versions 17.1, 17.2, and 18.1, allowing remote unauthenticated attackers to read arbitrary files or perform server-side request forgery (SSRF) via a crafted DTD in XML ...
CVE-2018-12678
Portainer prior to 1.18.0 is vulnerable: an unauthenticated request to the websocket /websocket/exec endpoint with an unvalidated id parameter can bypass access restrictions and enable server-side request forgery (SSRF). Public Red Hat/CNVD/OSV/etc. entries corroborate the vulnerability; remediat...
CVE-2018-12678
Portainer before 1.18.0 supports unauthenticated requests to the websocket endpoint with an unvalidated id query parameter for the /websocket/exec endpoint, which allows remote attackers to bypass intended access restrictions or conduct SSRF attacks...
CVE-2014-3990
The CVE-2014-3990 entries describe an OpenCart
CVE-2017-13706
XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port...
CVE-2017-13706
CVE-2017-13706 affects Lansweeper prior to 6.0.100.67. An XML External Entity (XXE) vulnerability exists in the deployment module's import package functionality, allowing remote authenticated users to access sensitive information, cause denial of service, conduct server-side request forgery (SSRF...
CVE-2017-7569
In vBulletin before 5.3.0, remote attackers can bypass the CVE-2016-6483 patch and conduct SSRF attacks by leveraging the behavior of the PHP parse_url function, aka VBV-17037...
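The vBulletin entry above (a patch bypass through URL-parsing behaviour), the Portainer entry (an unvalidated id steering a server-side connection) and the other SSRF entries on this page share one practitioner check: vet where a server-side fetch is going before it is made, on the parsed host and the resolved addresses rather than on the raw URL string. The block below is an added example in Python, not code from vBulletin, Portainer or any other product listed here; the policy (http/https only, no userinfo, no non-public addresses, no alternate numeric host spellings), the helper names and the resolver table are assumptions for the demo, and the stub resolver stands in for the OS resolver so it runs offline.

```python
"""Added example: vetting a server-side fetch target before the request is made.

Stdlib only. Not vBulletin, Portainer, phpMyAdmin or HPE code; the policy,
the helper names and the resolver table below are assumptions for the demo.
"""
import ipaddress
import re
import socket
import urllib.parse


class SSRFRejected(ValueError):
    """The URL points somewhere a server-side fetcher must not go."""


# Alternate numeric host spellings that ipaddress.ip_address() does not accept
# (e.g. 2130706433, 0x7f000001, 127.1, 0177.0.0.1). A real hostname never ends in a
# purely numeric or hex label, so anything matching this is treated as an evasion.
_NUMERIC_HOST = re.compile(r"(0x[0-9a-f]+|\d+)(\.(0x[0-9a-f]+|\d+))*", re.I)


def _forbidden_ip(ip_text):
    """True for loopback, private, link-local, multicast, reserved or unspecified addresses."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:127.0.0.1 -> 127.0.0.1
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolve(host):
    """Resolver for production use: every address the OS resolver returns."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def vet_outbound_url(url, resolve=system_resolve):
    """Return (host, port, [ip, ...]) for a URL the server may fetch, or raise SSRFRejected.

    The caller must connect to one of the returned IPs (not re-resolve the name),
    otherwise a DNS answer that changes between check and use defeats the check.
    """
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFRejected("scheme %r not allowed" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        # "http://trusted.example@127.0.0.1/" style confusion: refuse userinfo outright
        raise SSRFRejected("userinfo in URL")
    host = parts.hostname            # lowercased, IPv6 brackets removed
    if not host:
        raise SSRFRejected("no host")
    try:
        port = parts.port            # raises ValueError for out-of-range ports
    except ValueError:
        raise SSRFRejected("malformed port")
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if host == "localhost" or host.endswith(".localhost"):
        raise SSRFRejected("loopback name")
    try:
        ipaddress.ip_address(host)
        addrs = [host]               # literal IP, nothing to resolve
    except ValueError:
        if _NUMERIC_HOST.fullmatch(host):
            raise SSRFRejected("non-canonical numeric host %r" % host)
        addrs = list(resolve(host))
        if not addrs:
            raise SSRFRejected("unresolvable host %r" % host)
    for addr in addrs:               # every answer must be public, not just the first
        if _forbidden_ip(addr):
            raise SSRFRejected("%s resolves to non-public address %s" % (host, addr))
    return host, port, addrs


# Constructed resolver table so the demo runs offline (addresses are made up).
_DEMO_TABLE = {
    "api.example.test": ["93.184.216.34"],
    "intranet.example.test": ["10.0.0.5"],
    "dual.example.test": ["93.184.216.34", "::1"],   # one public, one loopback answer
}


def demo_resolve(host):
    return _DEMO_TABLE.get(host, [])


def is_rejected(url):
    """True if the policy refuses `url` (using the constructed resolver)."""
    try:
        vet_outbound_url(url, demo_resolve)
        return False
    except SSRFRejected:
        return True


if __name__ == "__main__":
    for u in ["https://api.example.test/v1", "http://127.1/", "http://[::ffff:127.0.0.1]/",
              "http://user@api.example.test/", "http://dual.example.test/"]:
        print(u, "rejected" if is_rejected(u) else "allowed")
```

The two design points worth copying are the last loop and the return value: a name with one public and one internal answer is refused, and the caller connects to the vetted IP instead of letting the HTTP client resolve the name a second time.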
CVE-2017-5643
It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XM...
CVE-2017-5617
The SVG Salamander (aka svgSalamander) library, when used in a web application, allows remote attackers to conduct server-side request forgery (SSRF) attacks via an xlink:href attribute in an SVG file...
CVE-2016-6621
The setup script for phpMyAdmin before 4.0.10.19, 4.4.x before 4.4.15.10, and 4.6.x before 4.6.6 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors...
Server side request forgery (ssrf)
The Replay Server in IBM Tealeaf Customer Experience 8.x before 8.7.1.8847 FP10, 8.8.x before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108 FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224 FP3 allows remote attackers to conduct SSRF attacks via...
CVE-2016-6483
The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6, 4.2.3 before Patch Level 2, 5.x before 5.2.0 Patch Level 3, 5.2.1 before Patch Level 1, and 5.2.2 before Patch Level 1 allows remote...
Server side request forgery (ssrf)
HPE Release Control (RC) 9.13, 9.20, and 9.21 before 9.21.0005 p4 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, and consequently obtain sensitive information or cause a denial of service, via unspecified vectors...
QlikView Server AccessPoint XML External Entity Injection
The version of QlikView Server running on the remote host is 11.20 prior to 11.20 SR12. It is, therefore, affected by an XML external entity (XXE) injection vulnerability, specifically DTD parameter injection, in the /AccessPoint.aspx script due to an incorrectly configured XML parser accepting XML...
CVE-2016-4791
The administrative user interface in Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r9, and 7.4 before 7.4r13.4 allows remote administrators to enumerate files, read arbitrary files, and conduct server-side request forgery (SSRF) attacks via unspecified vectors...
CVE-2016-3718
The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image...
CVE-2016-0457
Technical details about CVE-2016-0457 (affected product/component/impact/remediation) are not provided in the supplied documents; monitor for updates.
CVE-2015-3623
The CVE-2015-3623 entry documents an XXE vulnerability in QlikTech QlikView prior to version 11.20 SR12. The flaw occurs in the AccessPoint.aspx XML parser, allowing an unauthenticated remote attacker to perform server-side request forgery (SSRF) and read arbitrary files via specially crafted XML...
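The XXE entries on this page (Fortify SSC, Lansweeper, Apache Camel, QlikView) all describe the same mechanism: a DOCTYPE in attacker-supplied XML declares an entity with a SYSTEM identifier, and a parser that resolves it turns the entity into a file read (file:// URL) or a server-side request (http:// URL to an internal host). The block below is an added example in Python, not code from any product listed above; it uses the stdlib expat tokenizer to inspect the DOCTYPE without resolving anything, and applies the simplest hardening policy, refusing any DOCTYPE at all, before handing the document to ElementTree. The sample documents are constructed to have the shape the advisories describe and are not real exploit payloads. An application that genuinely needs DTDs cannot use this policy and must instead disable external entity resolution in its own parser (for example the Xerces feature http://apache.org/xml/features/disallow-doctype-decl, or turning off external general and parameter entities).

```python
"""Added example: a pre-parse gate that surfaces crafted-DTD XXE/SSRF payloads.

Stdlib only (xml.parsers.expat, xml.etree). Not code from Fortify, Lansweeper,
QlikView or Apache Camel; the sample documents below are constructed.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document carries DTD constructs the application does not accept."""


class _DoctypeScanned(Exception):
    """Internal signal: the prolog has been inspected, stop before the body."""


def inspect_dtd(document):
    """Report what the DOCTYPE of `document` (str or bytes) declares.

    Expat is used only as a tokenizer here: no ExternalEntityRefHandler is
    installed and parameter-entity parsing is left at its default (never), so
    nothing is fetched. Parsing stops at the end of the DOCTYPE or at the root
    element, so entity references in the body are never expanded.
    """
    report = {"doctype": None, "external_entities": [], "parameter_entities": []}
    parser = expat.ParserCreate()

    def start_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = {
            "name": name,
            "system_id": system_id,          # external subset URL, if any
            "public_id": public_id,
            "internal_subset": bool(has_internal_subset),
        }

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        if is_parameter:
            report["parameter_entities"].append(name)
        if system_id is not None:            # SYSTEM/PUBLIC identifier: a file or URL
            report["external_entities"].append((name, system_id))

    def stop(*_):
        raise _DoctypeScanned()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.EndDoctypeDeclHandler = stop
    parser.StartElementHandler = stop        # root element reached: no (more) prolog
    try:
        parser.Parse(document, True)
    except _DoctypeScanned:
        pass
    return report


def safe_parse(document):
    """Parse `document` with ElementTree, refusing any DOCTYPE up front.

    Refusing the whole DOCTYPE (rather than only external entities) is the
    simplest policy and is what a request-handling endpoint normally needs.
    """
    report = inspect_dtd(document)
    if report["doctype"] is not None:
        raise UnsafeXML("DOCTYPE not accepted: %r" % (report,))
    return ET.fromstring(document)


# Constructed samples shaped like the advisories describe (not real exploit payloads).
FILE_READ = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE request [\n'
    '  <!ENTITY xxe SYSTEM "file:///etc/passwd">\n'
    ']>\n'
    '<request><id>&xxe;</id></request>'
)
SSRF = (
    '<!DOCTYPE request [\n'
    '  <!ENTITY xxe SYSTEM "http://127.0.0.1:8080/internal/">\n'
    ']>\n'
    '<request><id>&xxe;</id></request>'
)
REMOTE_DTD = '<!DOCTYPE request SYSTEM "http://127.0.0.1:8080/evil.dtd"><request/>'
CLEAN = '<request><id>42</id></request>'


def classify(document):
    """'ok' if the document parses under the policy, else 'rejected'."""
    try:
        safe_parse(document)
        return "ok"
    except (UnsafeXML, ET.ParseError):
        return "rejected"


if __name__ == "__main__":
    for label, doc in [("file read", FILE_READ), ("ssrf", SSRF),
                       ("remote dtd", REMOTE_DTD), ("clean", CLEAN)]:
        print(label, classify(doc), inspect_dtd(doc))
```

The report from inspect_dtd is also what you want in a detection rule or a WAF log: the entity name and the SYSTEM identifier tell you whether a blocked request was a file-read attempt (file://) or an SSRF probe (http:// to an internal address), which the advisories above treat as two outcomes of the same flaw.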