Vulnerabilities (CVE)

Filtered by CWE-352
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-20046 1 Axis 12 M3005, M3005 Firmware, M3007 and 9 more 2022-06-24 4.3 MEDIUM 8.8 HIGH
A vulnerability classified as problematic has been found in AXIS P1204, P3225, P3367, M3045, M3005 and M3007. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. It is recommended to upgrade the affected component.
CVE-2022-29437 1 Nextcode 1 Image Slider By Nextcode 2022-06-23 6.8 MEDIUM 8.8 HIGH
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Image Slider by NextCode plugin <= 1.1.2 at WordPress.
CVE-2022-1758 1 Genki Pre-publish Reminder Project 1 Genki Pre-publish Reminder 2022-06-22 6.8 MEDIUM 8.8 HIGH
The Genki Pre-Publish Reminder WordPress plugin through 1.4.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored XSS as well as RCE when custom code is added via the plugin settings.
CVE-2022-1749 1 Wpmk Ajax Finder Project 1 Wpmk Ajax Finder 2022-06-21 6.8 MEDIUM 8.8 HIGH
The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the createplugin_atf_admin_setting_page() function found in the ~/inc/config/create-plugin-config.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1.
CVE-2022-1969 1 Script 1 Mobile Browser Color Select 2022-06-21 6.8 MEDIUM 8.8 HIGH
The Mobile browser color select plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the admin_update_data() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-1900 1 Copify 1 Copify 2022-06-21 6.8 MEDIUM 8.8 HIGH
The Copify plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.0. This is due to missing nonce validation on the CopifySettings page. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-1765 1 Hot Linked Image Cacher Project 1 Hot Linked Image Cacher 2022-06-21 6.8 MEDIUM 8.8 HIGH
The Hot Linked Image Cacher WordPress plugin through 1.16 is vulnerable to CSRF. This can be used to store / cache images from external domains on the server, which could lead to legal risks (due to copyright violations or licensing rules).
CVE-2022-1779 1 Auto Delete Posts Project 1 Auto Delete Posts 2022-06-21 5.8 MEDIUM 8.1 HIGH
The Auto Delete Posts WordPress plugin through 1.3.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and delete specific posts, categories and attachments at once.
CVE-2022-1791 1 One Click Plugin Updater Project 1 One Click Plugin Updater 2022-06-21 5.8 MEDIUM 8.1 HIGH
The One Click Plugin Updater WordPress plugin through 2.4.14 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and disable / hide the badge of the available updates and the related check.
CVE-2017-20020 1 Solar-log 16 Solar-log 1000, Solar-log 1000 Firmware, Solar-log 1000 Pm\+ and 13 more 2022-06-17 6.8 MEDIUM 8.8 HIGH
A vulnerability, which was classified as problematic, has been found in Solare Solar-Log 2.8.4-56/3.5.2-85. Affected by this issue is some unknown functionality. The manipulation leads to cross site request forgery. The attack may be launched remotely. Upgrading to version 3.5.3-86 is able to address this issue. It is recommended to upgrade the affected component.
CVE-2017-20045 1 Navetti 1 Pricepoint 2022-06-17 6.8 MEDIUM 8.8 HIGH
A vulnerability was found in Navetti PricePoint 4.6.0.0. It has been declared as critical. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.7.0.0 is able to address this issue. It is recommended to upgrade the affected component.
CVE-2021-44117 1 Thedaylightstudio 1 Fuel Cms 2022-06-17 6.8 MEDIUM 8.8 HIGH
A Cross Site Request Forgery (CSRF) vulnerability exists in TheDayLightStudio Fuel CMS 1.5.0 via a POST call to /fuel/sitevariables/delete/4.
CVE-2022-22479 2 Ibm, Linux 2 Spectrum Copy Data Management, Linux Kernel 2022-06-17 6.8 MEDIUM 8.8 HIGH
IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.15.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 225887.
CVE-2019-25064 1 Theaccessgroup 1 Corehr Core Portal 2022-06-15 6.8 MEDIUM 8.8 HIGH
A vulnerability was found in CoreHR Core Portal up to 27.0.7. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross site request forgery. It is possible to launch the attack remotely. Upgrading to version 27.0.8 is able to address this issue. It is recommended to upgrade the affected component.
CVE-2021-43559 2 Fedoraproject, Moodle 3 Extra Packages For Enterprise Linux, Fedora, Moodle 2022-06-14 6.8 MEDIUM 8.8 HIGH
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.
CVE-2019-10384 3 Jenkins, Oracle, Redhat 3 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift Container Platform 2022-06-13 6.8 MEDIUM 8.8 HIGH
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
CVE-2022-0141 1 Vfbpro 1 Visual Form Builder 2022-06-13 5.8 MEDIUM 8.1 HIGH
The Visual Form Builder WordPress plugin before 3.0.8 does not enforce nonce checks, which could allow attackers to make a logged in admin or editor delete and restore arbitrary form entries via CSRF attacks.
CVE-2020-20971 1 Pbootcms 1 Pbootcms 2022-06-10 6.8 MEDIUM 8.8 HIGH
Cross Site Request Forgery (CSRF) vulnerability in PbootCMS v2.0.3 via /admin.php?p=/User/index.
CVE-2022-29735 1 Deltacontrols 2 Entelitouch, Entelitouch Firmware 2022-06-10 6.8 MEDIUM 8.8 HIGH
Delta Controls enteliTOUCH 3.40.3935, 3.40.3706, and 3.33.4005 allows attackers to execute arbitrary commands via a crafted HTTP request.
CVE-2022-29647 1 Mingsoft 1 Mcms 2022-06-09 6.8 MEDIUM 8.8 HIGH
An issue was discovered in MCMS 5.2.7. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do.
CVE-2021-44227 1 Gnu 1 Mailman 2022-06-09 6.8 MEDIUM 8.8 HIGH
In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.
CVE-2022-1611 1 Bulk Page Creator Project 1 Bulk Page Creator 2022-06-08 6.8 MEDIUM 8.8 HIGH
The Bulk Page Creator WordPress plugin before 1.1.4 does not protect its page creation functionalities with nonce checks, which makes them vulnerable to CSRF.
CVE-2021-34360 1 Qnap 4 Nas Proxy Server, Qts, Quts Hero and 1 more 2022-06-07 6.8 MEDIUM 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP devices running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Proxy Server: QTS 4.5.x: Proxy Server 1.4.2 (2021/12/30) and later; QuTS hero h5.0.0: Proxy Server 1.4.3 (2022/01/18) and later; QuTScloud c4.5.6: Proxy Server 1.4.2 (2021/12/30) and later.
CVE-2022-29002 1 Xuxueli 1 Xxl-job 2022-06-07 6.8 MEDIUM 8.8 HIGH
A Cross-Site Request Forgery (CSRF) in XXL-Job v2.3.0 allows attackers to arbitrarily create administrator accounts via the component /gaia-job-admin/user/add.
CVE-2021-38886 2 Ibm, Netapp 2 Cognos Analytics, Oncommand Insight 2022-06-03 6.8 MEDIUM 8.8 HIGH
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 209399.
CVE-2022-27632 1 Meikyo 30 Poe Boot Nino Poe8m2, Poe Boot Nino Poe8m2 Firmware, Pose Se10-8a7b1 and 27 more 2022-06-02 6.8 MEDIUM 8.8 HIGH
Cross-site request forgery (CSRF) vulnerability in Rebooter(WATCH BOOT nino RPC-M2C [End of Sale] all firmware versions, WATCH BOOT light RPC-M5C [End of Sale] all firmware versions, WATCH BOOT L-zero RPC-M4L [End of Sale] all firmware versions, WATCH BOOT mini RPC-M4H [End of Sale] all firmware versions, WATCH BOOT nino RPC-M2CS firmware version 1.00A to 1.00D, WATCH BOOT light RPC-M5CS firmware version 1.00A to 1.00D, WATCH BOOT L-zero RPC-M4LS firmware version 1.00A to 1.20A, and Signage Rebooter RPC-M4HSi firmware version 1.00A), PoE Rebooter(PoE BOOT nino PoE8M2 firmware version 1.00A to 1.20A), Scheduler(TIME BOOT mini RSC-MT4H [End of Sale] all firmware versions, TIME BOOT RSC-MT8F [End of Sale] all firmware versions, TIME BOOT RSC-MT8FP [End of Sale] all firmware versions, TIME BOOT mini RSC-MT4HS firmware version 1.00A to 1.10A, and TIME BOOT RSC-MT8FS firmware version 1.00A to 1.00E), and Contact Converter(POSE SE10-8A7B1 firmware version 1.00A to 1.20A) allows a remote attacker to hijack the authentication of an administrator and conduct arbitrary operations by having a user to view a specially crafted page.
CVE-2020-2196 1 Jenkins 1 Selenium 2022-06-01 6.0 MEDIUM 8.0 HIGH
Jenkins Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP endpoints, allowing attackers to perform all administrative actions provided by the plugin.
CVE-2022-22778 1 Tibco 1 Businessconnect Trading Community Management 2022-05-31 6.8 MEDIUM 8.8 HIGH
The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access to execute Cross-Site Request Forgery (CSRF) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management: versions 6.1.0 and below.
CVE-2022-30014 1 Simple Food Website Project 1 Simple Food Website 2022-05-30 6.8 MEDIUM 8.8 HIGH
Lumidek Associates Simple Food Website 1.0 is vulnerable to Cross Site Request Forgery (CSRF), which allows anyone to take over an admin/moderator account.
CVE-2022-29427 1 Disable Right Click For Wp Wordpress 1 Disable Right Click For Wp 2022-05-26 6.8 MEDIUM 8.8 HIGH
Cross-Site Request Forgery (CSRF) vulnerability in Aftab Muni's Disable Right Click For WP plugin <= 1.1.6 at WordPress.
CVE-2022-28992 1 Online Banquet Booking System Project 1 Online Banquet Booking System 2022-05-26 6.8 MEDIUM 8.8 HIGH
A Cross-Site Request Forgery (CSRF) in Online Banquet Booking System v1.0 allows attackers to change admin credentials via a crafted POST request.
CVE-2021-29995 1 Cloverdx 1 Cloverdx 2022-05-25 6.8 MEDIUM 8.8 HIGH
A Cross Site Request Forgery (CSRF) issue in Server Console in CloverDX through 5.9.0 allows remote attackers to execute any action as the logged-in user (including script execution). The issue is resolved in CloverDX 5.10, CloverDX 5.9.1, CloverDX 5.8.2, and CloverDX 5.7.1.
CVE-2022-29429 1 Code-snippets-extended Project 1 Code-snippets-extended 2022-05-25 6.8 MEDIUM 8.8 HIGH
Remote Code Execution (RCE) in Alexander Stokmann's Code Snippets Extended plugin <= 1.4.7 on WordPress via Cross-Site Request Forgery.
CVE-2022-30972 1 Jenkins 1 Storage Configs 2022-05-25 6.8 MEDIUM 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins Storable Configs Plugin 1.0 and earlier allows attackers to have Jenkins parse a local XML file (e.g., archived artifacts) that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
CVE-2022-30958 1 Jenkins 1 Ssh 2022-05-25 6.8 MEDIUM 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins SSH Plugin 2.6.1 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2022-30969 1 Jenkins 1 Autocomplete Parameter 2022-05-25 6.8 MEDIUM 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in Jenkins Autocomplete Parameter Plugin 1.1 and earlier allows attackers to execute arbitrary code without sandbox protection if the victim is an administrator.
CVE-2022-22811 1 Schneider-electric 6 Fellerlynk, Fellerlynk Firmware, Spacelynk and 3 more 2022-05-16 8.8 HIGH 8.1 HIGH
A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists that could induce users to perform unintended actions, leading to the override of the system's configurations when an attacker persuades a user to visit a rogue website. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)
CVE-2021-41275 1 Spreecommerce 1 Spree Auth Devise 2022-05-16 6.8 MEDIUM 8.8 HIGH
spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if the `protect_from_forgery` method is both:

* Executed whether as:
  * A before_action callback (the default)
  * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find).
* Configured to use :null_session or :reset_session strategies (:null_session is the default in case no strategy is given, but the rails --new generated skeleton uses :exception).

That means that applications that haven't been configured differently from what is generated with Rails aren't affected. Users are advised to update their spree_auth_devise gem. For users unable to update, it may be possible to change your strategy to :exception. Please see the linked GHSA for more workaround details. Thanks @waiting-for-dev for reporting and providing a patch.

### Patches

Spree 4.3 users should update to spree_auth_devise 4.4.1. Spree 4.2 users should update to spree_auth_devise 4.2.1.

### Workarounds

If possible, change your strategy to :exception:

```ruby
class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
end
```

Add the following to `config/application.rb` to at least run the `:exception` strategy on the affected controller:

```ruby
config.after_initialize do
  Spree::UsersController.protect_from_forgery with: :exception
end
```

### References

https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
CVE-2022-25778 1 Secomea 8 Gatemanager 4250, Gatemanager 4250 Firmware, Gatemanager 4260 and 5 more 2022-05-11 6.8 MEDIUM 8.8 HIGH
Cross-Site Request Forgery (CSRF) vulnerability in the Web UI of Secomea GateManager allows a phishing attacker to issue a GET request in a logged-in user's session.
CVE-2021-43937 1 Smartptt 1 Scada Server 2022-05-11 6.8 MEDIUM 8.8 HIGH
Elcomplus SmartPTT SCADA Server web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
CVE-2022-29451 1 Rarathemes 1 Rara One Click Demo Import 2022-05-11 6.8 MEDIUM 8.8 HIGH
Cross-Site Request Forgery (CSRF) leading to Arbitrary File Upload vulnerability in Rara One Click Demo Import plugin <= 1.2.9 on WordPress allows attackers to trick logged-in admin users into uploading dangerous files into /wp-content/uploads/ directory.
CVE-2022-0916 1 Logitech 1 Options 2022-05-10 6.8 MEDIUM 8.8 HIGH
An issue was discovered in Logitech Options. The OAuth 2.0 state parameter was not properly validated. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations.
CVE-2022-23904 1 Rainworx 1 Auctionworx 2022-05-10 6.0 MEDIUM 8.0 HIGH
Rainworx Auctionworx < 3.1R2 is vulnerable to a Cross-Site Request Forgery (CSRF) attack that allows an authenticated user to upgrade his account to admin and gain access to the auctionworx admin control panel. This vulnerability affects AuctionWorx Enterprise and AuctionWorx: Events Edition.
CVE-2022-29555 1 Northern.tech 1 Mender 2022-05-10 6.8 MEDIUM 8.8 HIGH
The Deviceconnect microservice through 1.3.0 in Northern.tech Mender Enterprise before 3.2.2 allows Cross-Origin WebSocket Hijacking.
CVE-2022-21703 3 Fedoraproject, Grafana, Netapp 3 Fedora, Grafana, E-series Performance Analyzer 2022-05-07 6.8 MEDIUM 8.8 HIGH
Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
CVE-2022-24879 1 Shopware 1 Shopware 2022-05-07 5.0 MEDIUM 7.5 HIGH
Shopware is an open source e-commerce software platform. Versions prior to 5.7.9 are vulnerable to malfunction of cross-site request forgery (CSRF) token validation. Under certain circumstances, the CSRF tokens were not generated anew and not validated correctly. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin.
CVE-2022-27340 1 Mingsoft 1 Mcms 2022-05-06 6.8 MEDIUM 8.8 HIGH
MCMS v5.2.7 contains a Cross-Site Request Forgery (CSRF) via /role/saveOrUpdateRole.do. This vulnerability allows attackers to escalate privileges and modify data.
CVE-2022-28892 1 Mahara 1 Mahara 2022-05-04 6.8 MEDIUM 8.8 HIGH
Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 is vulnerable to Cross Site Request Forgery (CSRF) because randomly generated tokens are too easily guessable.
CVE-2021-32929 1 Uffizio 1 Gps Tracker 2022-05-03 6.8 MEDIUM 8.8 HIGH
All versions of Uffizio GPS Tracker may allow an attacker to perform unintended actions on behalf of a user.
CVE-2021-37198 1 Siemens 1 Comos 2022-04-30 5.1 MEDIUM 8.8 HIGH
A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web components are used). The COMOS Web component of COMOS uses a flawed implementation of CSRF prevention. An attacker could exploit this vulnerability to perform cross-site request forgery attacks.