CVE-2023-25230
A Server-Side Request Forgery (SSRF) vulnerability in loonflow r2.0.14 allows attackers to force the application to make arbitrary requests via manipulation of the hookurl parameter...
EUVD-2020-5816
Malware in sbrugna...
CVE-2022-48161
Easy Images v2.0 was discovered to contain an arbitrary file download vulnerability via the component /application/down.php. This vulnerability is exploited via a crafted GET request...
CVE-2025-25767
CVE-2025-25767 describes a vertical privilege escalation in MRCMS v3.1.2, specifically in the /controller/UserController.java component. The vulnerability allows an attacker to arbitrarily delete users via a crafted request. Reported details indicate a fixed/mitigation status is not provided in t...
CVE-2024-48548
The APK file in Cloud Smart Lock v2.0.1 has leaked a URL that can call an API for binding physical devices. This vulnerability allows attackers to arbitrarily construct a request that uses the app to bind to unknown devices, by finding a valid serial number via a brute-force attack...
WonderCMS Server-Side Request Forgery Vulnerability
WonderCMS is a PHP-based open source content management system (CMS) from WonderCMS. A server-side request forgery vulnerability exists in WonderCMS version 3.4.3, which stems from a failure to properly validate user input on the Plugins page, and can be exploited by an attacker to force the...
livehelperchat code issue vulnerability
livehelperchat (Live Helper Chat) provides free live support on a website. livehelperchat versions prior to 3.96 are vulnerable to a code issue stemming from SSRF in index.php/cobrowse/proxycss/. An attacker could exploit this vulnerability to cause the application to execute...
CVE-2021-33181
Server-Side Request Forgery (SSRF) vulnerability in the webapi component in Synology Video Station before 2.4.10-1632 allows remote authenticated users to send arbitrary requests to intranet resources via unspecified vectors...
CVE-2021-20646
Cross-site request forgery (CSRF) vulnerability in ELECOM WRC-300FEBK-A allows remote attackers to hijack the authentication of administrators and execute an arbitrary request via an unspecified vector. As a result, the device settings may be altered and/or the telnet daemon may be started...
CVE-2021-20647
Cross-site request forgery (CSRF) vulnerability in ELECOM WRC-300FEBK-S allows remote attackers to hijack the authentication of administrators and execute an arbitrary request via an unspecified vector. As a result, the device settings may be altered and/or the telnet daemon may be started...
CVE-2021-20650
Cross-site request forgery (CSRF) vulnerability in ELECOM NCC-EWF100RMWH2 allows remote attackers to hijack the authentication of administrators and execute an arbitrary request via an unspecified vector. As a result, the device settings may be altered and/or the telnet daemon may be started...
Cross site request forgery (csrf)
Cross-site request forgery (CSRF) vulnerability in ELECOM WRC-300FEBK-A allows remote attackers to hijack the authentication of administrators and execute an arbitrary request via an unspecified vector. As a result, the device settings may be altered and/or the telnet daemon may be started...
Cross site request forgery (csrf)
Cross-site request forgery (CSRF) vulnerability in ELECOM WRC-300FEBK-S allows remote attackers to hijack the authentication of administrators and execute an arbitrary request via an unspecified vector. As a result, the device settings may be altered and/or the telnet daemon may be started...
CVE-2021-20647
CVE-2021-20647 is a CSRF vulnerability in ELECOM WRC-300FEBK-S. The issue allows remote attackers to hijack administrator authentication and issue arbitrary requests, potentially changing device settings or starting a telnet daemon via an unspecified vector. Product: ELECOM WRC-300FEBK-S. Impact ...
CVE-2021-20646
CVE-2021-20646 affects ELECOM WRC-300FEBK-A and is a Cross-site Request Forgery (CSRF) vulnerability that can hijack an administrator’s session and cause arbitrary requests to be executed, potentially altering device settings or starting a telnet daemon. The connected documents confirm the vulner...
Open-Xchange: Blind XXE via Powerpoint files
Summary: During the parsing of Powerpoint files it seems that it is possible to include an XXE payload which will be executed on the Open-XChange server. I was able to identify which files exist on the server and cause the server to make arbitrary requests to my own server, and I am pretty sure it is al...
Microsoft Edge Fetch API allows setting of arbitrary request headers (CVE-2017-0140)
Introduction: The Fetch API provides an interface for fetching resources, including across the network. It will seem familiar to anyone who has used XMLHttpRequest, but the Fetch API provides a more powerful and flexible feature set. Starting in EdgeHTML 14, which ships with Windows 10 Anniversary...
Design/Logic Flaw
The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST dat...