Total: 1927 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24809 | 1 Wordplus | 1 Better Messages | 2021-11-09 | 6.8 MEDIUM | 8.8 HIGH |
| The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in several of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged-in users perform unwanted actions. | |||||
| CVE-2020-23686 | 1 Ayacms Project | 1 Ayacms | 2021-11-08 | 6.8 MEDIUM | 8.8 HIGH |
| Cross site request forgery (CSRF) vulnerability in AyaCMS 3.1.2 allows attackers to change an administrator's password or cause other unspecified impacts. | |||||
| CVE-2021-35491 | 1 Wowza | 1 Streaming Engine | 2021-11-06 | 5.8 MEDIUM | 8.1 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability in Wowza Streaming Engine through 4.8.11+5 allows a remote attacker to delete a user account via the /enginemanager/server/user/delete.htm userName parameter. The application does not implement a CSRF token for the GET request. This issue was resolved in Wowza Streaming Engine release 4.8.14. | |||||
| CVE-2021-42097 | 2 Debian, Gnu | 2 Debian Linux, Mailman | 2021-11-05 | 8.5 HIGH | 8.0 HIGH |
| GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover). | |||||
| CVE-2020-11060 | 1 Glpi-project | 1 Glpi | 2021-11-04 | 9.0 HIGH | 8.8 HIGH |
| In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account via CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6. | |||||
| CVE-2021-29888 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2021-11-03 | 6.8 MEDIUM | 8.8 HIGH |
| IBM InfoSphere Information Server 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 207123. | |||||
| CVE-2021-3901 | 1 Firefly-iii | 1 Firefly Iii | 2021-11-01 | 6.8 MEDIUM | 8.8 HIGH |
| firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF). | |||||
| CVE-2019-10199 | 1 Redhat | 1 Keycloak | 2021-10-28 | 6.8 MEDIUM | 8.8 HIGH |
| It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain. | |||||
| CVE-2021-20120 | 1 Commscope | 2 Arris Surfboard Sb8200, Arris Surfboard Sb8200 Firmware | 2021-10-27 | 6.8 MEDIUM | 8.8 HIGH |
| The administration web interface for the Arris Surfboard SB8200 lacks any protections against cross-site request forgery attacks. This means that an attacker could make configuration changes (such as changing the administrative password) without the consent of the user. | |||||
| CVE-2021-34743 | 1 Cisco | 1 Webex Meetings | 2021-10-26 | 5.8 MEDIUM | 7.1 HIGH |
| A vulnerability in the application integration feature of Cisco Webex Software could allow an unauthenticated, remote attacker to authorize an external application to integrate with and access a user's account without that user's express consent. This vulnerability is due to improper validation of cross-site request forgery (CSRF) tokens. An attacker could exploit this vulnerability by convincing a targeted user who is currently authenticated to Cisco Webex Software to follow a link designed to pass malicious input to the Cisco Webex Software application authorization interface. A successful exploit could allow the attacker to cause Cisco Webex Software to authorize an application on the user's behalf without the express consent of the user, possibly allowing external applications to read data from that user's profile. | |||||
| CVE-2021-39126 | 1 Atlassian | 2 Jira, Jira Software Data Center | 2021-10-25 | 6.8 MEDIUM | 8.8 HIGH |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify various resources via a Cross-Site Request Forgery (CSRF) vulnerability, following an Information Disclosure vulnerability in the referrer headers which discloses a user's CSRF token. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2. | |||||
| CVE-2021-38480 | 1 Inhandnetworks | 2 Ir615, Ir615 Firmware | 2021-10-22 | 9.3 HIGH | 8.8 HIGH |
| InHand Networks IR615 Router versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to cross-site request forgery when unauthorized commands are submitted from a user the web application trusts. This may allow an attacker to remotely perform actions on the router's management portal, such as making configuration changes, changing administrator credentials, and running system commands on the router. | |||||
| CVE-2021-3858 | 1 Snipeitapp | 1 Snipe-it | 2021-10-20 | 6.8 MEDIUM | 8.8 HIGH |
| snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). | |||||
| CVE-2021-42228 | 1 Kindsoft | 1 Kindeditor | 2021-10-19 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross Site Request Forgery (CSRF) vulnerability exists in KindEditor 4.1.x, as demonstrated by examples/uploadbutton.html. | |||||
| CVE-2021-20795 | 1 Cybozu | 1 Remote Service Manager | 2021-10-19 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the management screen of Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote attacker to hijack the authentication of administrators, and unintended operations may be performed via unspecified vectors. | |||||
| CVE-2021-20126 | 1 Draytek | 1 Vigorconnect | 2021-10-19 | 6.8 MEDIUM | 8.8 HIGH |
| Draytek VigorConnect 1.6.0-B3 lacks cross-site request forgery protections and does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. | |||||
| CVE-2021-20831 | 1 Og Tags Project | 1 Og Tags | 2021-10-19 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in OG Tags versions prior to 2.0.2 allows a remote attacker to hijack the authentication of administrators, and unintended operations may be performed via unspecified vectors. | |||||
| CVE-2019-1904 | 1 Cisco | 11 4321 Integrated Services Router, 4331 Integrated Services Router, 4351 Integrated Services Router and 8 more | 2021-10-18 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based UI (web UI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software with the HTTP Server feature enabled. The default state of the HTTP Server feature is version dependent. | |||||
| CVE-2021-20489 | 1 Ibm | 1 Sterling File Gateway | 2021-10-16 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 197790. | |||||
| CVE-2021-24711 | 1 Tipsandtricks-hq | 1 Software License Manager | 2021-10-15 | 6.8 MEDIUM | 8.8 HIGH |
| The del_reistered_domains AJAX action of the Software License Manager WordPress plugin before 4.5.1 does not have any CSRF checks and is therefore vulnerable to a CSRF attack. | |||||
| CVE-2021-41916 | 1 Webtareas Project | 1 Webtareas | 2021-10-15 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability in webTareas version 2.4 and earlier allows a remote attacker to create a new administrative profile and add a new user to the new profile without the victim's knowledge, by enticing an authenticated admin user to visit an attacker's web page. | |||||
| CVE-2021-29837 | 1 Ibm | 1 Sterling B2b Integrator | 2021-10-14 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 204913. | |||||
| CVE-2021-41113 | 1 Typo3 | 1 Typo3 | 2021-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site request forgery. The impact is the same as described in TYPO3-CORE-SA-2020-006 (CVE-2020-11069). However, it is not limited to the same site context and does not require the attacker to be authenticated. In a worst case scenario, the attacker could create a new admin user account to compromise the system. To successfully carry out an attack, an attacker must trick the victim into accessing a compromised system. The victim must have an active session in the TYPO3 backend at that time. The following Same-Site cookie settings in $GLOBALS[TYPO3_CONF_VARS][BE][cookieSameSite] are required for an attack to be successful: SameSite=strict: malicious evil.example.org invoking the TYPO3 application at good.example.org; SameSite=lax or none: malicious evil.com invoking the TYPO3 application at example.org. Update your instance to TYPO3 version 11.5.0, which addresses the problem described. | |||||
| CVE-2021-41295 | 1 Ecoa | 5 Ecs Router Controller-ecs, Ecs Router Controller-ecs Firmware, Riskbuster and 2 more | 2021-10-07 | 6.8 MEDIUM | 8.8 HIGH |
| ECOA BAS controller has a Cross-Site Request Forgery vulnerability; thus an authenticated attacker can remotely place a forged request on a malicious web page and execute CRUD commands (GET, POST, PUT, DELETE) to perform arbitrary operations in the system. | |||||
| CVE-2020-21386 | 1 Maccms | 1 Maccms | 2021-10-07 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) in the component admin.php/admin/type/info.html of Maccms 10 allows attackers to gain administrator privileges. | |||||
| CVE-2021-41764 | 1 Streama Project | 1 Streama | 2021-10-03 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability exists in Streama up to and including v1.10.3. The application does not have CSRF checks in place when performing actions such as uploading local files. As a result, attackers could make a logged-in administrator upload arbitrary local files via a CSRF attack and send them to the attacker. | |||||
| CVE-2021-34636 | 1 Wpdevart | 1 Countdown And Countup, Woocommerce Sales Timer | 2021-10-02 | 6.8 MEDIUM | 8.8 HIGH |
| The Countdown and CountUp, WooCommerce Sales Timers WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_theme function found in the ~/includes/admin/coundown_theme_page.php file due to a missing nonce check, which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.7. | |||||
| CVE-2021-24636 | 1 Print My Blog Project | 1 Print My Blog | 2021-10-01 | 5.8 MEDIUM | 8.1 HIGH |
| The Print My Blog WordPress Plugin before 3.4.2 does not enforce nonce (CSRF) checks, which allows attackers to make logged-in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them into opening a malicious link. | |||||
| CVE-2021-41083 | 1 Dadamailproject | 1 Dada Mail | 2021-10-01 | 6.8 MEDIUM | 8.8 HIGH |
| Dada Mail is a web-based e-mail list management system. In affected versions a bad actor could give someone a carefully crafted web page via email, SMS, etc., that, when visited, gives them control of the list control panel as if the bad actor were logged in themselves. This includes changing any mailing list password, as well as the Dada Mail Root Password, which could effectively shut out the actual list owners of the mailing list and allow the bad actor complete and unfettered control of your mailing list. This vulnerability also affects profile logins. For this vulnerability to work, the target of the bad actor would need to be logged into the list control panel themselves. This CSRF vulnerability in Dada Mail affects all versions of Dada Mail v11.15.1 and below. Although we know of no CSRF exploits that have happened in the wild, this vulnerability has been confirmed by our testing, and by a third party. Users are advised to update to version 11.16.0. | |||||
| CVE-2020-20514 | 1 Maccms | 1 Maccms | 2021-10-01 | 4.9 MEDIUM | 8.1 HIGH |
| A Cross-Site Request Forgery (CSRF) in Maccms v10 via admin.php/admin/admin/del/ids/<id>.html allows authenticated attackers to delete all users. | |||||
| CVE-2020-20693 | 1 Gilacms | 1 Gila Cms | 2021-10-01 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) in GilaCMS v1.11.4 allows authenticated attackers to arbitrarily add administrator accounts. | |||||
| CVE-2021-36876 | 1 Stylemixthemes | 1 Ulisting | 2021-10-01 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple Cross-Site Request Forgery (CSRF) vulnerabilities exist in the WordPress uListing plugin (versions <= 2.0.5), as it lacks CSRF checks on plugin administration pages. | |||||
| CVE-2021-3819 | 1 Firefly-iii | 1 Firefly Iii | 2021-09-30 | 6.8 MEDIUM | 8.8 HIGH |
| firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF). | |||||
| CVE-2021-40108 | 1 Concretecms | 1 Concrete Cms | 2021-09-30 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Concrete CMS through 8.5.5. The Calendar is vulnerable to CSRF. ccm_token is not verified on the ccm/calendar/dialogs/event/add/save endpoint. | |||||
| CVE-2020-19951 | 1 Yzmcms | 1 Yzmcms | 2021-09-29 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) in /controller/pay.class.php of YzmCMS v5.5 allows attackers to access sensitive components of the application. | |||||
| CVE-2021-23026 | 1 F5 | 15 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 12 more | 2021-09-29 | 6.8 MEDIUM | 8.8 HIGH |
| BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x and all versions of BIG-IQ 8.x, 7.x, and 6.x are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2021-39209 | 1 Glpi-project | 1 Glpi | 2021-09-27 | 6.8 MEDIUM | 8.8 HIGH |
| GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, a user who is logged in to GLPI can bypass Cross-Site Request Forgery (CSRF) protection in many places. This could allow a malicious actor to perform many actions on GLPI. This issue is fixed in version 9.5.6. There are no workarounds aside from upgrading. | |||||
| CVE-2021-40965 | 1 Tinyfilemanager Project | 1 Tinyfilemanager | 2021-09-27 | 9.3 HIGH | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager in all versions up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse to a URL controlled by an attacker. | |||||
| CVE-2020-20671 | 1 Kitesky | 1 Kitecms | 2021-09-24 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) in KiteCMS V1.1 allows attackers to arbitrarily add an administrator account. | |||||
| CVE-2021-37201 | 1 Siemens | 1 Sinec Network Management System | 2021-09-24 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP1). The web interface of affected devices is vulnerable to a Cross-Site Request Forgery (CSRF) attack. This could allow an attacker to manipulate the SINEC NMS configuration by tricking an unsuspecting user with administrative privileges into clicking on a malicious link. | |||||
| CVE-2020-21126 | 1 Metinfo | 1 Metinfo | 2021-09-23 | 6.8 MEDIUM | 8.8 HIGH |
| MetInfo 7.0.0 contains a Cross-Site Request Forgery (CSRF) via admin/?n=admin&c=index&a=doSaveInfo. | |||||
| CVE-2021-24491 | 1 Fileviewer Project | 1 Fileviewer | 2021-09-23 | 6.8 MEDIUM | 8.8 HIGH |
| The Fileviewer WordPress plugin through 2.2 does not have CSRF checks in place when performing actions such as uploading and deleting files. As a result, attackers could make a logged-in administrator delete and upload arbitrary files via a CSRF attack. | |||||
| CVE-2020-19159 | 1 Laiketul | 1 Laiketul | 2021-09-22 | 6.8 MEDIUM | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) in LaikeTui v3 allows remote attackers to execute arbitrary code via the component '/index.php?module=member&action=add'. | |||||
| CVE-2020-19280 | 1 Jeesns | 1 Jeesns | 2021-09-22 | 6.8 MEDIUM | 8.8 HIGH |
| Jeesns 1.4.2 contains a cross-site request forgery (CSRF) which allows attackers to escalate privileges and perform sensitive program operations. | |||||
| CVE-2020-19263 | 1 Mipcms | 1 Mipcms | 2021-09-20 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) in MipCMS v5.0.1 allows attackers to arbitrarily escalate user privileges to administrator via index.php?s=/user/ApiAdminUser/itemEdit. | |||||
| CVE-2020-22403 | 1 Express-cart Project | 1 Express-cart | 2021-09-16 | 6.8 MEDIUM | 8.8 HIGH |
| The express-cart package through 1.1.10 for Node.js allows CSRF. | |||||
| CVE-2021-39197 | 1 Better Errors Project | 1 Better Errors | 2021-09-14 | 6.8 MEDIUM | 8.8 HIGH |
| better_errors is an open source replacement for the standard Rails error page with more information-rich error pages. It is also usable outside of Rails in any Rack app as Rack middleware. better_errors prior to 2.8.0 did not implement CSRF protection for its internal requests. It also did not enforce the correct "Content-Type" header for these requests, which allowed a cross-origin "simple request" to be made without CORS protection. Together, these left an application with better_errors enabled open to cross-origin attacks. As a developer tool, the better_errors documentation strongly recommends adding it only to the `development` bundle group, so this vulnerability should only affect development environments. Please ensure that your project limits better_errors to the `development` group (or the non-Rails equivalent). Starting with release 2.8.x, CSRF protection is enforced. It is recommended that you upgrade to the latest release, or minimally to "~> 2.8.3". There are no known workarounds to mitigate the risk of using older releases of better_errors. | |||||
| CVE-2021-23404 | 1 Sqlite-web Project | 1 Sqlite-web | 2021-09-14 | 6.8 MEDIUM | 8.8 HIGH |
| This affects all versions of package sqlite-web. The SQL dashboard area allows sensitive actions to be performed without validating that the request originated from the application. This could enable an attacker to trick a user into performing these actions unknowingly through a Cross Site Request Forgery (CSRF) attack. | |||||
| CVE-2017-5169 | 1 Hanwha-security | 1 Smart Security Manager | 2021-09-13 | 5.1 MEDIUM | 7.5 HIGH |
| An issue was discovered in Hanwha Techwin Smart Security Manager Versions 1.5 and prior. Multiple Cross Site Request Forgery vulnerabilities have been identified. The flaws exist within the Redis and Apache Felix Gogo servers that are installed as part of this product. By issuing specific HTTP POST requests, an attacker can gain system-level access to a remote shell session. Smart Security Manager Versions 1.5 and prior are affected by these vulnerabilities. These vulnerabilities can allow for remote code execution. | |||||
| CVE-2017-9489 | 2 Cisco, Commscope | 4 Dpc3939b, Dpc3939b Firmware, Arris Tg1682g and 1 more | 2021-09-13 | 6.8 MEDIUM | 8.8 HIGH |
| The Comcast firmware on Cisco DPC3939B (firmware version dpc3939b-v303r204217-150321a-CMCST) devices allows configuration changes via CSRF. | |||||
