CWE-918
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CVE-2023-46725 (GCVE-0-2023-46725)
Vulnerability from cvelistv5 – Published: 2023-11-02 14:19 – Updated: 2024-09-12 19:35
VLAI
Title
FoodCoopShop Server-Side Request Forgery vulnerability
Summary
FoodCoopShop is open source software for food coops and local shops. Versions starting with 3.2.0 prior to 3.6.1 are vulnerable to server-side request forgery. In the Network module, a manufacturer account can use the `/api/updateProducts.json` endpoint to make the server send a request to an arbitrary host. This means that the server can be used as a proxy into the internal network where the server is. Furthermore, the checks on a valid image are not adequate, leading to a time of check time of use issue. For example, by using a custom server that returns 200 on HEAD requests, then return a valid image on first GET request and then a 302 redirect to final target on second GET request, the server will copy whatever file is at the redirect destination, making this a full SSRF. Version 3.6.1 fixes this vulnerability.
Severity
8.1 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/foodcoopshop/foodcoopshop/secu… | x_refsource_CONFIRM |
| https://github.com/foodcoopshop/foodcoopshop/pull/972 | x_refsource_MISC |
| https://github.com/foodcoopshop/foodcoopshop/comm… | x_refsource_MISC |
| https://pastebin.com/8K5Brwbq | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| foodcoopshop | foodcoopshop |
Affected:
>= 3.2.0, < 3.6.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:20.938Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/foodcoopshop/foodcoopshop/security/advisories/GHSA-jhww-fx2j-3rf7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/foodcoopshop/foodcoopshop/security/advisories/GHSA-jhww-fx2j-3rf7"
},
{
"name": "https://github.com/foodcoopshop/foodcoopshop/pull/972",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/foodcoopshop/foodcoopshop/pull/972"
},
{
"name": "https://github.com/foodcoopshop/foodcoopshop/commit/0d5bec5c4c22e1affe7fd321a30e3f3a4d99e808",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/foodcoopshop/foodcoopshop/commit/0d5bec5c4c22e1affe7fd321a30e3f3a4d99e808"
},
{
"name": "https://pastebin.com/8K5Brwbq",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pastebin.com/8K5Brwbq"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46725",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T18:25:16.341091Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T19:35:43.524Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "foodcoopshop",
"vendor": "foodcoopshop",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FoodCoopShop is open source software for food coops and local shops. Versions starting with 3.2.0 prior to 3.6.1 are vulnerable to server-side request forgery. In the Network module, a manufacturer account can use the `/api/updateProducts.json` endpoint to make the server send a request to an arbitrary host. This means that the server can be used as a proxy into the internal network where the server is. Furthermore, the checks on a valid image are not adequate, leading to a time of check time of use issue. For example, by using a custom server that returns 200 on HEAD requests, then return a valid image on first GET request and then a 302 redirect to final target on second GET request, the server will copy whatever file is at the redirect destination, making this a full SSRF. Version 3.6.1 fixes this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-06T16:33:19.544Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/foodcoopshop/foodcoopshop/security/advisories/GHSA-jhww-fx2j-3rf7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/foodcoopshop/foodcoopshop/security/advisories/GHSA-jhww-fx2j-3rf7"
},
{
"name": "https://github.com/foodcoopshop/foodcoopshop/pull/972",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/foodcoopshop/foodcoopshop/pull/972"
},
{
"name": "https://github.com/foodcoopshop/foodcoopshop/commit/0d5bec5c4c22e1affe7fd321a30e3f3a4d99e808",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/foodcoopshop/foodcoopshop/commit/0d5bec5c4c22e1affe7fd321a30e3f3a4d99e808"
},
{
"name": "https://pastebin.com/8K5Brwbq",
"tags": [
"x_refsource_MISC"
],
"url": "https://pastebin.com/8K5Brwbq"
}
],
"source": {
"advisory": "GHSA-jhww-fx2j-3rf7",
"discovery": "UNKNOWN"
},
"title": "FoodCoopShop Server-Side Request Forgery vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46725",
"datePublished": "2023-11-02T14:19:42.920Z",
"dateReserved": "2023-10-25T14:30:33.751Z",
"dateUpdated": "2024-09-12T19:35:43.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46729 (GCVE-0-2023-46729)
Vulnerability from cvelistv5 – Published: 2023-11-10 00:57 – Updated: 2024-09-03 17:44
VLAI
Title
Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint
Summary
sentry-javascript provides Sentry SDKs for JavaScript. An unsanitized input of Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This issue only affects users who have Next.js SDK tunneling feature enabled. The problem has been fixed in version 7.77.0.
Severity
9.3 (Critical)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/getsentry/sentry-javascript/se… | x_refsource_CONFIRM |
| https://github.com/getsentry/sentry-javascript/pu… | x_refsource_MISC |
| https://github.com/getsentry/sentry-javascript/co… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| getsentry | sentry-javascript |
Affected:
>= 7.26.0, < 7.77.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:21.586Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-2rmr-xw8m-22q9",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-2rmr-xw8m-22q9"
},
{
"name": "https://github.com/getsentry/sentry-javascript/pull/9415",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getsentry/sentry-javascript/pull/9415"
},
{
"name": "https://github.com/getsentry/sentry-javascript/commit/ddbda3c02c35aba8c5235e0cf07fc5bf656f81be",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getsentry/sentry-javascript/commit/ddbda3c02c35aba8c5235e0cf07fc5bf656f81be"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46729",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T17:43:48.934161Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T17:44:32.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sentry-javascript",
"vendor": "getsentry",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.26.0, \u003c 7.77.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "sentry-javascript provides Sentry SDKs for JavaScript. An unsanitized input of Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This issue only affects users who have Next.js SDK tunneling feature enabled. The problem has been fixed in version 7.77.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-10T00:57:15.611Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-2rmr-xw8m-22q9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-2rmr-xw8m-22q9"
},
{
"name": "https://github.com/getsentry/sentry-javascript/pull/9415",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/sentry-javascript/pull/9415"
},
{
"name": "https://github.com/getsentry/sentry-javascript/commit/ddbda3c02c35aba8c5235e0cf07fc5bf656f81be",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/sentry-javascript/commit/ddbda3c02c35aba8c5235e0cf07fc5bf656f81be"
}
],
"source": {
"advisory": "GHSA-2rmr-xw8m-22q9",
"discovery": "UNKNOWN"
},
"title": "Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46729",
"datePublished": "2023-11-10T00:57:15.611Z",
"dateReserved": "2023-10-25T14:30:33.751Z",
"dateUpdated": "2024-09-03T17:44:32.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46730 (GCVE-0-2023-46730)
Vulnerability from cvelistv5 – Published: 2023-11-07 17:35 – Updated: 2024-09-04 15:56
VLAI
Title
Server-Side Request Forgery in groupoffice
Summary
Group-Office is an enterprise CRM and groupware tool. In affected versions there is full Server-Side Request Forgery (SSRF) vulnerability in the /api/upload.php endpoint. The /api/upload.php endpoint does not filter URLs which allows a malicious user to cause the server to make resource requests to untrusted domains. Note that protocols like file:// can also be used to access the server disk. The request result (on success) can then be retrieved using /api/download.php. This issue has been addressed in versions 6.8.15, 6.7.54, and 6.6.177. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
7.4 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
| https://github.com/Intermesh/groupoffice/commit/9… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
>= 6.3.0, < 6.6.177
Affected: >= 6.7.0, < 6.7.54 Affected: >= 6.8.0, < 6.8.15 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:21.013Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "group-office",
"vendor": "intermesh",
"versions": [
{
"lessThan": "6.6.177",
"status": "affected",
"version": "6.30",
"versionType": "custom"
},
{
"lessThan": "6.7.54",
"status": "affected",
"version": "6.70",
"versionType": "custom"
},
{
"lessThan": "6.8.15",
"status": "affected",
"version": "6.80",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46730",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T15:52:27.981201Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T15:56:13.023Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.3.0, \u003c 6.6.177"
},
{
"status": "affected",
"version": "\u003e= 6.7.0, \u003c 6.7.54"
},
{
"status": "affected",
"version": "\u003e= 6.8.0, \u003c 6.8.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise CRM and groupware tool. In affected versions there is full Server-Side Request Forgery (SSRF) vulnerability in the /api/upload.php endpoint. The /api/upload.php endpoint does not filter URLs which allows a malicious user to cause the server to make resource requests to untrusted domains. Note that protocols like file:// can also be used to access the server disk. The request result (on success) can then be retrieved using /api/download.php. This issue has been addressed in versions 6.8.15, 6.7.54, and 6.6.177. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-07T17:35:36.332Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50"
}
],
"source": {
"advisory": "GHSA-vw6c-h82w-mvfv",
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery in groupoffice "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46730",
"datePublished": "2023-11-07T17:35:36.332Z",
"dateReserved": "2023-10-25T14:30:33.751Z",
"dateUpdated": "2024-09-04T15:56:13.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46736 (GCVE-0-2023-46736)
Vulnerability from cvelistv5 – Published: 2023-12-05 20:55 – Updated: 2024-08-02 20:53
VLAI
Title
Server-Side Request Forgery in espocrm
Summary
EspoCRM is an Open Source CRM (Customer Relationship Management) software. In affected versions there is Server-Side Request Forgery (SSRF) vulnerability via the upload image from url api. Users who have access to `the /Attachment/fromImageUrl` endpoint can specify URL to point to an internal host. Even though there is check for content type, it can be bypassed by redirects in some cases. This SSRF can be leveraged to disclose internal information (in some cases), target internal hosts and bypass firewalls. This vulnerability has been addressed in commit `c536cee63` which is included in release version 8.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
5.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/espocrm/espocrm/security/advis… | x_refsource_CONFIRM |
| https://github.com/espocrm/espocrm/commit/c536cee… | x_refsource_MISC |
| https://owasp.org/Top10/A10_2021-Server-Side_Requ… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:21.184Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/espocrm/espocrm/security/advisories/GHSA-g955-rwxx-jvf6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-g955-rwxx-jvf6"
},
{
"name": "https://github.com/espocrm/espocrm/commit/c536cee6375e2088f961af13db7aaa652c983072",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/espocrm/espocrm/commit/c536cee6375e2088f961af13db7aaa652c983072"
},
{
"name": "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "espocrm",
"vendor": "espocrm",
"versions": [
{
"status": "affected",
"version": "\u003c 8.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "EspoCRM is an Open Source CRM (Customer Relationship Management) software. In affected versions there is Server-Side Request Forgery (SSRF) vulnerability via the upload image from url api. Users who have access to `the /Attachment/fromImageUrl` endpoint can specify URL to point to an internal host. Even though there is check for content type, it can be bypassed by redirects in some cases. This SSRF can be leveraged to disclose internal information (in some cases), target internal hosts and bypass firewalls. This vulnerability has been addressed in commit `c536cee63` which is included in release version 8.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-05T20:55:42.156Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/espocrm/espocrm/security/advisories/GHSA-g955-rwxx-jvf6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-g955-rwxx-jvf6"
},
{
"name": "https://github.com/espocrm/espocrm/commit/c536cee6375e2088f961af13db7aaa652c983072",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espocrm/espocrm/commit/c536cee6375e2088f961af13db7aaa652c983072"
},
{
"name": "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/",
"tags": [
"x_refsource_MISC"
],
"url": "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/"
}
],
"source": {
"advisory": "GHSA-g955-rwxx-jvf6",
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery in espocrm"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46736",
"datePublished": "2023-12-05T20:55:42.156Z",
"dateReserved": "2023-10-25T14:30:33.752Z",
"dateUpdated": "2024-08-02T20:53:21.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46746 (GCVE-0-2023-46746)
Vulnerability from cvelistv5 – Published: 2023-12-01 21:53 – Updated: 2024-08-02 20:53
VLAI
Title
Authenticated PostHog users vulnerable to SSRF
Summary
PostHog provides open-source product analytics, session recording, feature flagging and A/B testing that you can self-host. A server-side request forgery (SSRF), which can only be exploited by authenticated users, was found in Posthog. Posthog did not verify whether a URL was local when enabling webhooks, allowing authenticated users to forge a POST request. This vulnerability has been addressed in `22bd5942` and will be included in subsequent releases. There are no known workarounds for this vulnerability.
Severity
4.8 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/PostHog/posthog/security/advis… | x_refsource_CONFIRM |
| https://github.com/PostHog/posthog/commit/22bd594… | x_refsource_MISC |
| https://securitylab.github.com/advisories/GHSL-20… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:20.967Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PostHog/posthog/security/advisories/GHSA-wqqw-r8c5-j67c",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PostHog/posthog/security/advisories/GHSA-wqqw-r8c5-j67c"
},
{
"name": "https://github.com/PostHog/posthog/commit/22bd5942638d5d9bc4bd603a9bfe8f8a95572292",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PostHog/posthog/commit/22bd5942638d5d9bc4bd603a9bfe8f8a95572292"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2023-185_posthog_posthog/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2023-185_posthog_posthog/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "posthog",
"vendor": "PostHog",
"versions": [
{
"status": "affected",
"version": "\u003c=1.43.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PostHog provides open-source product analytics, session recording, feature flagging and A/B testing that you can self-host. A server-side request forgery (SSRF), which can only be exploited by authenticated users, was found in Posthog. Posthog did not verify whether a URL was local when enabling webhooks, allowing authenticated users to forge a POST request. This vulnerability has been addressed in `22bd5942` and will be included in subsequent releases. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-11T18:25:11.493Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PostHog/posthog/security/advisories/GHSA-wqqw-r8c5-j67c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PostHog/posthog/security/advisories/GHSA-wqqw-r8c5-j67c"
},
{
"name": "https://github.com/PostHog/posthog/commit/22bd5942638d5d9bc4bd603a9bfe8f8a95572292",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PostHog/posthog/commit/22bd5942638d5d9bc4bd603a9bfe8f8a95572292"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2023-185_posthog_posthog/",
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2023-185_posthog_posthog/"
}
],
"source": {
"advisory": "GHSA-wqqw-r8c5-j67c",
"discovery": "UNKNOWN"
},
"title": "Authenticated PostHog users vulnerable to SSRF"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46746",
"datePublished": "2023-12-01T21:53:19.584Z",
"dateReserved": "2023-10-25T14:30:33.753Z",
"dateUpdated": "2024-08-02T20:53:20.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46784 (GCVE-0-2023-46784)
Vulnerability from cvelistv5 – Published: 2024-05-17 08:34 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress ICS Calendar plugin <= 10.12.0.3 - SSRF and Arbitrary File Read vulnerability
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Server-Side Request Forgery (SSRF) vulnerability in Room 34 Creative Services, LLC ICS Calendar ics-calendar allows Absolute Path Traversal, : Server Side Request Forgery.This issue affects ICS Calendar: from n/a through 10.12.0.3.
Severity
8.2 (High)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/ics… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Room 34 Creative Services, LLC | ICS Calendar |
Affected:
n/a , ≤ 10.12.0.3
(custom)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:room_34_creative_services:ics_calendar:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ics_calendar",
"vendor": "room_34_creative_services",
"versions": [
{
"lessThan": "10.12.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46784",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-17T13:47:45.692159Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T12:43:54.277Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:21.399Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/ics-calendar/wordpress-ics-calendar-plugin-10-12-0-2-ssrf-and-arbitrary-file-read-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "ics-calendar",
"product": "ICS Calendar",
"vendor": "Room 34 Creative Services, LLC",
"versions": [
{
"changes": [
{
"at": "10.12.0.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "10.12.0.3",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Muhammad Daffa (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027), Server-Side Request Forgery (SSRF) vulnerability in Room 34 Creative Services, LLC ICS Calendar ics-calendar allows Absolute Path Traversal, : Server Side Request Forgery.\u003cp\u003eThis issue affects ICS Calendar: from n/a through 10.12.0.3.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027), Server-Side Request Forgery (SSRF) vulnerability in Room 34 Creative Services, LLC ICS Calendar ics-calendar allows Absolute Path Traversal, : Server Side Request Forgery.This issue affects ICS Calendar: from n/a through 10.12.0.3."
}
],
"impacts": [
{
"capecId": "CAPEC-597",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-597 Absolute Path Traversal"
}
]
},
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664: Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:48.007Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/ics-calendar/wordpress-ics-calendar-plugin-10-12-0-2-ssrf-and-arbitrary-file-read-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 10.12.0.4 or a higher version."
}
],
"value": "Update to 10.12.0.4 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress ICS Calendar plugin \u003c= 10.12.0.3 - SSRF and Arbitrary File Read vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-46784",
"datePublished": "2024-05-17T08:34:45.996Z",
"dateReserved": "2023-10-26T12:23:47.244Z",
"dateUpdated": "2026-04-28T16:08:48.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-47116 (GCVE-0-2023-47116)
Vulnerability from cvelistv5 – Published: 2024-01-31 16:21 – Updated: 2025-06-17 21:29
VLAI
Title
Label Studio SSRF on Import Bypassing `SSRF_PROTECTION_ENABLED` Protections
Summary
Label Studio is a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.11.0 and was tested on version 1.8.2. Label Studio's SSRF protections that can be enabled by setting the `SSRF_PROTECTION_ENABLED` environment variable can be bypassed to access internal web servers. This is because the current SSRF validation is done by executing a single DNS lookup to verify that the IP address is not in an excluded subnet range. This protection can be bypassed by either using HTTP redirection or performing a DNS rebinding attack.
Severity
5.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/HumanSignal/label-studio/secur… | x_refsource_CONFIRM |
| https://github.com/HumanSignal/label-studio/commi… | x_refsource_MISC |
| https://github.com/HumanSignal/label-studio/relea… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HumanSignal | label-studio |
Affected:
< 1.11.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:01:22.711Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-p59w-9gqw-wj8r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-p59w-9gqw-wj8r"
},
{
"name": "https://github.com/HumanSignal/label-studio/commit/55dd6af4716b92f2bb213fe461d1ffbc380c6a64",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/HumanSignal/label-studio/commit/55dd6af4716b92f2bb213fe461d1ffbc380c6a64"
},
{
"name": "https://github.com/HumanSignal/label-studio/releases/tag/1.11.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/HumanSignal/label-studio/releases/tag/1.11.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47116",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-31T20:33:12.634033Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:29:19.276Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "label-studio",
"vendor": "HumanSignal",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Label Studio is a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.11.0 and was tested on version 1.8.2. Label Studio\u0027s SSRF protections that can be enabled by setting the `SSRF_PROTECTION_ENABLED` environment variable can be bypassed to access internal web servers. This is because the current SSRF validation is done by executing a single DNS lookup to verify that the IP address is not in an excluded subnet range. This protection can be bypassed by either using HTTP redirection or performing a DNS rebinding attack."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-31T16:21:50.793Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-p59w-9gqw-wj8r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/HumanSignal/label-studio/security/advisories/GHSA-p59w-9gqw-wj8r"
},
{
"name": "https://github.com/HumanSignal/label-studio/commit/55dd6af4716b92f2bb213fe461d1ffbc380c6a64",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HumanSignal/label-studio/commit/55dd6af4716b92f2bb213fe461d1ffbc380c6a64"
},
{
"name": "https://github.com/HumanSignal/label-studio/releases/tag/1.11.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HumanSignal/label-studio/releases/tag/1.11.0"
}
],
"source": {
"advisory": "GHSA-p59w-9gqw-wj8r",
"discovery": "UNKNOWN"
},
"title": "Label Studio SSRF on Import Bypassing `SSRF_PROTECTION_ENABLED` Protections"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-47116",
"datePublished": "2024-01-31T16:21:50.793Z",
"dateReserved": "2023-10-30T19:57:51.674Z",
"dateUpdated": "2025-06-17T21:29:19.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-47121 (GCVE-0-2023-47121)
Vulnerability from cvelistv5 – Published: 2023-11-10 15:13 – Updated: 2025-02-27 20:33
VLAI
Title
Discourse SSRF vulnerability in Embedding
Summary
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, the embedding feature is susceptible to server side request forgery. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. As a workaround, disable the Embedding feature.
Severity
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/24c… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/5f2… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:01:22.643Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-hp24-94qf-8cgc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-hp24-94qf-8cgc"
},
{
"name": "https://github.com/discourse/discourse/commit/24cca10da731734af4e9748de99a508d586e59f1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/discourse/discourse/commit/24cca10da731734af4e9748de99a508d586e59f1"
},
{
"name": "https://github.com/discourse/discourse/commit/5f20748e402223b265e6fee381472c14e2604da6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/discourse/discourse/commit/5f20748e402223b265e6fee381472c14e2604da6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47121",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-26T21:48:16.816700Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T20:33:47.097Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.3"
},
{
"status": "affected",
"version": "\u003e= 3.2.0.beta0, \u003c 3.2.0.beta3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, the embedding feature is susceptible to server side request forgery. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. As a workaround, disable the Embedding feature."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-10T15:13:42.254Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-hp24-94qf-8cgc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-hp24-94qf-8cgc"
},
{
"name": "https://github.com/discourse/discourse/commit/24cca10da731734af4e9748de99a508d586e59f1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/24cca10da731734af4e9748de99a508d586e59f1"
},
{
"name": "https://github.com/discourse/discourse/commit/5f20748e402223b265e6fee381472c14e2604da6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/5f20748e402223b265e6fee381472c14e2604da6"
}
],
"source": {
"advisory": "GHSA-hp24-94qf-8cgc",
"discovery": "UNKNOWN"
},
"title": "Discourse SSRF vulnerability in Embedding"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-47121",
"datePublished": "2023-11-10T15:13:42.254Z",
"dateReserved": "2023-10-30T19:57:51.675Z",
"dateUpdated": "2025-02-27T20:33:47.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-47619 (GCVE-0-2023-47619)
Vulnerability from cvelistv5 – Published: 2023-12-13 21:02 – Updated: 2025-05-22 18:04
VLAI
Title
Audiobookshelf Server-Side Request Forgery and Arbitrary File Read Vulnerability
Summary
Audiobookshelf is a self-hosted audiobook and podcast server. In versions 2.4.3 and prior, users with the update permission are able to read arbitrary files, delete arbitrary files and send a GET request to arbitrary URLs and read the response. This issue may lead to Information Disclosure. As of time of publication, no patches are available.
Severity
8.1 (High)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://securitylab.github.com/advisories/GHSL-20… | x_refsource_CONFIRM |
| https://github.com/advplyr/audiobookshelf/blob/d7… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| advplyr | audiobookshelf |
Affected:
<= 2.4.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:09:37.489Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://securitylab.github.com/advisories/GHSL-2023-203_GHSL-2023-204_audiobookshelf/",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2023-203_GHSL-2023-204_audiobookshelf/"
},
{
"name": "https://github.com/advplyr/audiobookshelf/blob/d7b2476473ef1934eedec41425837cddf2d4b13e/server/controllers/AuthorController.js#L66",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/advplyr/audiobookshelf/blob/d7b2476473ef1934eedec41425837cddf2d4b13e/server/controllers/AuthorController.js#L66"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47619",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T18:03:35.054571Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:04:00.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "audiobookshelf",
"vendor": "advplyr",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Audiobookshelf is a self-hosted audiobook and podcast server. In versions 2.4.3 and prior, users with the update permission are able to read arbitrary files, delete arbitrary files and send a GET request to arbitrary URLs and read the response. This issue may lead to Information Disclosure. As of time of publication, no patches are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-13T21:06:36.271Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://securitylab.github.com/advisories/GHSL-2023-203_GHSL-2023-204_audiobookshelf/",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://securitylab.github.com/advisories/GHSL-2023-203_GHSL-2023-204_audiobookshelf/"
},
{
"name": "https://github.com/advplyr/audiobookshelf/blob/d7b2476473ef1934eedec41425837cddf2d4b13e/server/controllers/AuthorController.js#L66",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/advplyr/audiobookshelf/blob/d7b2476473ef1934eedec41425837cddf2d4b13e/server/controllers/AuthorController.js#L66"
}
],
"source": {
"advisory": "GHSA-m2gq-53r2-74fm",
"discovery": "UNKNOWN"
},
"title": "Audiobookshelf Server-Side Request Forgery and Arbitrary File Read Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-47619",
"datePublished": "2023-12-13T21:02:34.389Z",
"dateReserved": "2023-11-07T16:57:49.243Z",
"dateUpdated": "2025-05-22T18:04:00.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-47635 (GCVE-0-2023-47635)
Vulnerability from cvelistv5 – Published: 2024-02-20 16:45 – Updated: 2024-08-22 13:25
VLAI
Title
Decidim vulnerable to possible CSRF attack at questionnaire templates preview
Summary
Decidim is a participatory democracy framework. Starting in version 0.23.0 and prior to versions 0.27.5 and 0.28.0, the CSRF authenticity token check is disabled for the questionnaire templates preview. The issue does not imply a serious security thread as you need to have access also to the session cookie in order to see this resource. This URL does not allow modifying the resource but it may allow attackers to gain access to information which was not meant to be public. The issue is fixed in version 0.27.5 and 0.28.0. As a workaround, disable the templates functionality or remove all available templates.
Severity
4.5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://github.com/decidim/decidim/security/advis… | x_refsource_CONFIRM |
| https://github.com/decidim/decidim/pull/11743 | x_refsource_MISC |
| https://github.com/decidim/decidim/pull/6247 | x_refsource_MISC |
| https://github.com/decidim/decidim/commit/5542227… | x_refsource_MISC |
| https://github.com/decidim/decidim/commit/57a4b46… | x_refsource_MISC |
| https://github.com/decidim/decidim/blob/3187bdfd4… | x_refsource_MISC |
| https://github.com/decidim/decidim/releases/tag/v0.27.5 | x_refsource_MISC |
| https://github.com/decidim/decidim/releases/tag/v0.28.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:16:42.655Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v"
},
{
"name": "https://github.com/decidim/decidim/pull/11743",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/decidim/decidim/pull/11743"
},
{
"name": "https://github.com/decidim/decidim/pull/6247",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/decidim/decidim/pull/6247"
},
{
"name": "https://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660"
},
{
"name": "https://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121ac",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121ac"
},
{
"name": "https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11"
},
{
"name": "https://github.com/decidim/decidim/releases/tag/v0.27.5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
},
{
"name": "https://github.com/decidim/decidim/releases/tag/v0.28.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:decidim:decidim:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "decidim",
"vendor": "decidim",
"versions": [
{
"lessThan": "0.27.5",
"status": "affected",
"version": "0.23.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47635",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-22T13:23:33.057811Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T13:25:39.658Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "decidim",
"vendor": "decidim",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.23.0, \u003c 0.27.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Decidim is a participatory democracy framework. Starting in version 0.23.0 and prior to versions 0.27.5 and 0.28.0, the CSRF authenticity token check is disabled for the questionnaire templates preview. The issue does not imply a serious security thread as you need to have access also to the session cookie in order to see this resource. This URL does not allow modifying the resource but it may allow attackers to gain access to information which was not meant to be public. The issue is fixed in version 0.27.5 and 0.28.0. As a workaround, disable the templates functionality or remove all available templates."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T17:26:38.896Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v"
},
{
"name": "https://github.com/decidim/decidim/pull/11743",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/decidim/decidim/pull/11743"
},
{
"name": "https://github.com/decidim/decidim/pull/6247",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/decidim/decidim/pull/6247"
},
{
"name": "https://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660"
},
{
"name": "https://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121ac",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121ac"
},
{
"name": "https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11"
},
{
"name": "https://github.com/decidim/decidim/releases/tag/v0.27.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
},
{
"name": "https://github.com/decidim/decidim/releases/tag/v0.28.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
}
],
"source": {
"advisory": "GHSA-f3qm-vfc3-jg6v",
"discovery": "UNKNOWN"
},
"title": "Decidim vulnerable to possible CSRF attack at questionnaire templates preview"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-47635",
"datePublished": "2024-02-20T16:45:39.305Z",
"dateReserved": "2023-11-07T16:57:49.245Z",
"dateUpdated": "2024-08-22T13:25:39.658Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.