Security
Headlines
HeadlinesLatestCVEs

Tag

#ssrf

CVE-2022-40842: cve-s/poc.txt at main · daaaalllii/cve-s

ndk design NdkAdvancedCustomizationFields 3.5.0 is vulnerable to Server-side request forgery (SSRF) via rotateimg.php.

CVE
Open in Source
#windows#php#ssrf#auth
CVE-2022-4096

Server-Side Request Forgery (SSRF) in GitHub repository appsmithorg/appsmith prior to 1.8.2.

CVE-2022-3861: Vulnerability Advisories Continued - Wordfence

The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 26.5.1.4 via deserialization of untrusted input supplied via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn_builder_import, mfn_builder_import_page, importdata, importsinglepage, and importfromclipboard functions. This makes it possible for authenticated attackers, with contributor level permissions and above to inject a PHP Object. The additional presence of a POP chain would make it possible for attackers to execute code, retrieve sensitive data, delete files, etc..

CVE-2022-41609: WordPress Better Messages plugin <= 1.9.10.68 - Server-Side Request Forgery (SSRF) vulnerability - Patchstack

Auth. (subscriber+) Server-Side Request Forgery (SSRF) vulnerability in Better Messages plugin 1.9.10.68 on WordPress.

GHSA-m5xf-x7q6-3rm7: List helm chart endpoint of VelaUX APIserver has SSRF vulnerability

### Impact Users using the VelaUX APIServer could be affected by this vulnerability. When using Helm Chart as the component delivery method, the request address of the warehouse is not restricted, and there is a blind SSRF vulnerability. ### Patches For users who're using v1.6, please update the v1.6.1. For users who're using v1.5, please update the v1.5.8. ### References Fix by: #5000 ### For more information If you have any questions or comments about this advisory: * Open an issue in [KubeVela repo](https://github.com/kubevela/kubevela) * Email us at [here](https://github.com/kubevela/kubevela#contact-us)

CVE-2022-42732: Siemens Healthineers Security Advisory

A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper read access control that could allow files to be retrieved from any folder accessible to the account assigned to the website’s application pool.

CVE-2022-39383: List helm chart endpoint of VelaUX APIserver has SSRF vulnerability

KubeVela is an open source application delivery platform. Users using the VelaUX APIServer could be affected by this vulnerability. When using Helm Chart as the component delivery method, the request address of the warehouse is not restricted, and there is a blind SSRF vulnerability. Users who're using v1.6, please update the v1.6.1. Users who're using v1.5, please update the v1.5.8. There are no known workarounds for this issue.

CVE-2022-45396: Jenkins Security Advisory 2022-11-15

Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-45385: Jenkins Security Advisory 2022-11-15

A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.