CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-54122 – Manager-io/Manager allows unauthenticated full read server-side request forgery in "proxy" endpoint
https://notcve.org/view.php?id=CVE-2025-54122
21 Jul 2025 — Manager-io/Manager is accounting software. A critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability has been identified in the proxy handler component of both manager Desktop and Server edition versions up to and including 25.7.18.2519. This vulnerability allows an unauthenticated attacker to bypass network isolation and access restrictions, potentially enabling access to internal services, cloud metadata endpoints, and exfiltration of sensitive data from isolated network segmen... • https://github.com/Manager-io/Manager/security/advisories/GHSA-347w-cgwh-m895 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 1CVE-2019-16967
https://notcve.org/view.php?id=CVE-2019-16967
21 Oct 2019 — An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (html\admin\modules\manager\views\form.php), an unsanitized managerdisplay variable coming from the URL is reflected in HTML, leading to XSS. It can be requested via GET request to /config.php?type=tool&display=manager. Se detectó un problema en Manager versiones 13.x anteriores a 13.0.2.6 y versiones 15.x anteriores a 15.0.6 antes del FreePBX versión 14.0.10.3. • https://github.com/FreePBX/manager/commit/071a50983ca6a373bb2d1d3db68e9eda4667a372 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •