3509 matches found
PT-2025-46903
Name of the Vulnerable Software and Affected Versions Typebot versions prior to 3.13.1 Description Typebot is an open-source chatbot builder. A Server-Side Request Forgery SSRF issue exists in the Typebot webhook block HTTP Request component functionality. This allows authenticated users to make...
Typebot 代码问题漏洞
Typebot is an open source chatbot builder by the individual developer Baptiste Arnaud. A code issue vulnerability exists in versions prior to Typebot 3.13.1 that stems from a server-side request forgery in the Typebot webhook block functionality, which could lead to the extraction of AWS IAM...
CVE-2025-64522
Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1...
CVE-2025-49145
Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks mostly administrators can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying callback signature...
CVE-2025-64522
Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the webhook URLs which are not validated. An attacker can access internal services, private networks, or cloud metadata endpoints by configuring malicious webhook URLs. PoC ssh localhost webhook crea...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the webhook URLs which are not validated. An attacker can access internal services, private networks, or cloud metadata endpoints by configuring malicious webhook URLs. PoC ssh localhost webhook crea...
CVE-2025-49145
Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks mostly administrators can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying callback signature...
CVE-2025-64522 Soft Serve is vulnerable to SSRF through its Webhooks
Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1...
CVE-2025-64522 Soft Serve is vulnerable to SSRF through its Webhooks
Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1...
CVE-2025-64522 Soft Serve is vulnerable to SSRF through its Webhooks
Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1...
GHSA-VWQ2-JX9Q-9H9F Soft Serve is vulnerable to SSRF through its Webhooks
SUMMARY We have identified and verified an SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. AFFECTED COMPONENTS VERIFIED 1. Webhook Creation...
Soft Serve is vulnerable to SSRF through its Webhooks
SUMMARY We have identified and verified an SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. AFFECTED COMPONENTS VERIFIED 1. Webhook Creation...
CVE-2025-49145 iTop admin can drop iTop database using webhooks
Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks mostly administrators can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying callback signature...
EUVD-2025-50822
Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks mostly administrators can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying callback signature...
CVE-2025-49145
Combodo iTop vulnerability CVE-2025-49145 affects iTop versions prior to 2.7.13 and 3.2.2. A user with sufficient rights to create webhooks (typically administrators) can trigger database deletion due to unverified callback signatures. The issue is mitigated in iTop by upgrading to 2.7.13 or 3.2....
Soft Serve 代码问题漏洞
Soft Serve is a self-hostable command line Git server from Charm Open Source. A code issue vulnerability exists in Soft Serve versions prior to 0.11.1, which stems from an unvalidated webhook URL and could lead to a server-side request forgery attack...
PT-2025-46215
Name of the Vulnerable Software and Affected Versions Soft Serve versions prior to 0.11.1 Description Soft Serve, a self-hostable Git server, contains a Server-Side Request Forgery SSRF issue. The application does not validate webhook URLs, which allows repository administrators to create webhook...
PT-2025-46196
Name of the Vulnerable Software and Affected Versions Combodo iTop versions prior to 2.7.13 Combodo iTop versions prior to 3.2.2 Description Combodo iTop is a web-based IT service management tool. A user with sufficient privileges to create webhooks typically administrators can drop the database...
Soft Serve does not sanitize ANSI escape sequences in user input
Impact In several places where the user can insert data e.g. names, ANSI escape sequences are not being removed, which can then be used, for example, to show fake alerts. In the same token, git messages, when printed, are also not being sanitized. Places in which this was found: 1. Repository...