CVE-2024-32964

CRITICAL Year: 2024
CVSS v3 Score
9.0
Critical
Weakness Type
CWE-918
View all →

Vulnerability Description

Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause Server-Side Request Forgery without logging in, attack intranet services, and leak sensitive information.

Related Vulnerabilities

CVE-2021-40438

CRITICAL
CVSS:9.0(Critical)

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

CWE-9182021

CVE-2022-0939

CRITICAL
CVSS:9.0(Critical)

Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.

CWE-9182022

CVE-2024-29021

CRITICAL
CVSS:9.0(Critical)

Judge0 is an open-source online code execution system. The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server Side Request Forgery (SSRF). This allows an atta...

CWE-9182024

CVE-2017-14611

CRITICAL
CVSS:9.1(Critical)

SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter, related to use of the discontinued ahe...

CWE-9182017

CVE-2018-1000138

CRITICAL
CVSS:9.1(Critical)

I, Librarian version 4.8 and earlier contains a SSRF vulnerability in "url" parameter of getFromWeb in functions.php that can result in the attacker abusing functionality on the server to read or upda...

CWE-9182018

CVE-2018-16444

CRITICAL
CVSS:9.1(Critical)

An issue was discovered in SeaCMS 6.61. adm1n/admin_reslib.php has SSRF via the url parameter.

CWE-9182018