Search
Total
904 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-28921 | 1 Blogengine | 1 Blogengine.net | 2022-05-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| A Cross-Site Request Forgery (CSRF) vulnerability discovered in BlogEngine.Net v3.3.8.0 allows unauthenticated attackers to read arbitrary files on the hosting web server. | |||||
| CVE-2022-29436 | 1 Code Snippets Extended Project | 1 Code Snippets Extended | 2022-05-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent Cross-Site Scripting (XSS) vulnerability in Alexander Stokmann's Code Snippets Extended plugin <= 1.4.7 on WordPress via Cross-Site Request Forgery (vulnerable parameters &title, &snippet_code). | |||||
| CVE-2022-29435 | 1 Code Snippets Extended Project | 1 Code Snippets Extended | 2022-05-25 | 5.8 MEDIUM | 5.4 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Alexander Stokmann's Code Snippets Extended plugin <= 1.4.7 on WordPress allows an attacker to delete or to turn on/off snippets. | |||||
| CVE-2022-1407 | 1 Vikwp | 1 Hotel Booking Engine \& Pms | 2022-05-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not have CSRF check in place when adding a tracking campaign, and does not escape the campaign fields when outputting them In attributes. As a result, attackers could make a logged in admin add tracking campaign with XSS payloads in them via a CSRF attack | |||||
| CVE-2022-1418 | 1 Pluginmirror | 1 Social Stickers | 2022-05-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Social Stickers WordPress plugin through 2.2.9 does not have CSRF checks in place when updating its Social Network settings, and does not escape some of these fields, which could allow attackers to make a logged-in admin change them and lead to Stored Cross-Site Scripting issues. | |||||
| CVE-2021-27758 | 1 Hcltech | 1 Bigfix Inventory | 2022-05-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| There is a security vulnerability in login form related to Cross-site Request Forgery which prevents user to login after attacker spam to login and system blocked victim's account. | |||||
| CVE-2022-29413 | 1 Hermit Project | 1 Hermit | 2022-05-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in Mufeng's Hermit ????? plugin <= 3.1.6 on WordPress via &title parameter. | |||||
| CVE-2022-29412 | 1 Hermit Project | 1 Hermit | 2022-05-16 | 5.8 MEDIUM | 5.4 MEDIUM |
| Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Hermit ????? plugin <= 3.1.6 on WordPress allow attackers to delete cache, delete a source, create source. | |||||
| CVE-2021-3133 | 1 Sean-barton | 1 Elementor Contact Form Db | 2022-05-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Elementor Contact Form DB plugin before 1.6 for WordPress allows CSRF via backend admin pages. | |||||
| CVE-2022-1389 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more | 2022-05-16 | 4.3 MEDIUM | 4.3 MEDIUM |
| On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP (fixed in 17.0.0), a cross-site request forgery (CSRF) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. This vulnerability allows an attacker to run a limited set of commands: ping, traceroute, and WOM diagnostics. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2022-20735 | 1 Cisco | 1 Sd-wan Vmanage | 2022-05-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. These actions could include modifying the system configuration and deleting accounts. | |||||
| CVE-2022-29414 | 1 Wpkube | 1 Subscribe To Comments Reloaded | 2022-05-10 | 5.8 MEDIUM | 5.4 MEDIUM |
| Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube's Subscribe To Comments Reloaded plugin <= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions > mass update settings, manage subscriptions > add a new subscription, update subscription, delete Subscription. | |||||
| CVE-2022-29905 | 1 Mediawiki | 1 Mediawiki | 2022-05-10 | 4.3 MEDIUM | 4.3 MEDIUM |
| The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF. | |||||
| CVE-2022-29903 | 1 Mediawiki | 1 Mediawiki | 2022-05-10 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains. | |||||
| CVE-2022-0191 | 1 Acnam | 1 Ad Invalid Click Protector | 2022-05-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.7 does not have CSRF check deleting banned users, which could allow attackers to make a logged in admin remove arbitrary bans | |||||
| CVE-2022-27860 | 1 Footer-text Project | 1 Footer-text | 2022-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) in Shea Bunge's Footer Text plugin <= 2.0.3 on WordPress. | |||||
| CVE-2022-27375 | 1 Tenda | 2 Ax12, Ax12 Firmware | 2022-05-06 | 7.1 HIGH | 6.5 MEDIUM |
| Tenda AX12 V22.03.01.21_CN was discovered to contain a Cross-Site Request Forgery (CSRF) via the function sub_422168 at /goform/WifiExtraSet. | |||||
| CVE-2022-27374 | 1 Tenda | 2 Ax12, Ax12 Firmware | 2022-05-06 | 7.1 HIGH | 6.5 MEDIUM |
| Tenda AX12 V22.03.01.21_CN was discovered to contain a Cross-Site Request Forgery (CSRF) via the function sub_42E328 at /goform/SysToolReboot. | |||||
| CVE-2021-24805 | 1 Designwall | 1 Dw Question \& Answer | 2022-05-05 | 4.3 MEDIUM | 4.3 MEDIUM |
| The DW Question & Answer Pro WordPress plugin through 1.3.4 does not properly check for CSRF in some of its functions, allowing attackers to make logged in users perform unwanted actions, such as update a comment or a question status. | |||||
| CVE-2022-20787 | 1 Cisco | 1 Unified Communications Manager | 2022-05-04 | 6.0 MEDIUM | 6.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) Software and Cisco Unified CM Session Management Edition (SME) Software could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. | |||||
| CVE-2020-13527 | 1 Lantronix | 4 Sgx, Sgx Firmware, Xport Edge and 1 more | 2022-04-28 | 4.0 MEDIUM | 4.9 MEDIUM |
| An authentication bypass vulnerability exists in the Web Manager functionality of Lantronix XPort EDGE 3.0.0.0R11, 3.1.0.0R9, 3.4.0.0R12 and 4.2.0.0R7. A specially crafted HTTP request can cause increased privileges. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2022-1112 | 1 Autolinks Project | 1 Autolinks | 2022-04-27 | 3.5 LOW | 5.4 MEDIUM |
| The Autolinks WordPress plugin through 1.0.1 does not have CSRF check in place when updating its settings, and does not sanitise as well as escape them, which could allow attackers to perform Stored Cross-Site scripting against a logged in admin via a CSRF attack | |||||
| CVE-2022-23975 | 1 Accesspressthemes | 1 Access Demo Importer | 2022-04-27 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to activate any installed plugin. | |||||
| CVE-2021-21275 | 2 Oracle, Report Project | 3 Communications Cloud Native Core Network Slice Selection Function, Communications Pricing Design Center, Report | 2022-04-26 | 4.3 MEDIUM | 4.3 MEDIUM |
| The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of MediaWiki edit tokens. | |||||
| CVE-2021-28280 | 1 Php-fusion | 1 Phpfusion | 2022-04-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| CSRF + Cross-site scripting (XSS) vulnerability in search.php in PHPFusion 9.03.110 allows remote attackers to inject arbitrary web script or HTML | |||||
| CVE-2021-43953 | 1 Atlassian | 2 Data Center, Jira | 2022-04-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5. | |||||
| CVE-2022-0707 | 1 Sandhillsdev | 1 Easy Digital Downloads | 2022-04-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack | |||||
| CVE-2022-0313 | 1 Wow-estore | 1 Float Menu | 2022-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Float menu WordPress plugin before 4.3.1 does not have CSRF check in place when deleting menu, which could allow attackers to make a logged in admin delete them via a CSRF attack | |||||
| CVE-2022-0199 | 1 Wpdevart | 1 Coming Soon And Maintenance Mode | 2022-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have CSRF check in its coming_soon_send_mail AJAX action, allowing attackers to make logged in admin to send arbitrary emails to all subscribed users via a CSRF attack | |||||
| CVE-2022-0638 | 1 Microweber | 1 Microweber | 2022-02-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11. | |||||
| CVE-2021-39124 | 1 Atlassian | 2 Data Center, Jira | 2022-02-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request. | |||||
| CVE-2021-46252 | 1 Scratch-wiki | 1 Scratch Confirmaccount V3 | 2022-02-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| A Cross-Site Request Forgery (CSRF) in RequirementsBypassPage.php of Scratch Wiki scratch-confirmaccount-v3 allows attackers to modify account request requirement bypasses. | |||||
| CVE-2019-5318 | 2 Arubanetworks, Siemens | 3 Arubaos, Scalance W1750d, Scalance W1750d Firmware | 2022-02-22 | 7.1 HIGH | 6.5 MEDIUM |
| A remote cross-site request forgery (csrf) vulnerability was discovered in Aruba Operating System Software version(s): 6.x.x.x: all versions, 8.x.x.x: all versions prior to 8.8.0.0. Aruba has released patches for ArubaOS that address this security vulnerability. | |||||
| CVE-2022-0238 | 2 Fedoraproject, Phoronix-media | 2 Fedora, Phoronix Test Suite | 2022-02-22 | 4.3 MEDIUM | 4.3 MEDIUM |
| phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2020-9388 | 1 Squaredup | 1 Squaredup | 2022-02-22 | 4.3 MEDIUM | 6.5 MEDIUM |
| CSRF protection was not present in SquaredUp before version 4.6.0. A CSRF attack could have been possible by an administrator executing arbitrary code in a HTML dashboard tile via a crafted HTML page, or by uploading a malicious SVG payload into a dashboard. | |||||
| CVE-2021-24446 | 1 Wpchill | 1 Remove Footer Credit | 2022-02-19 | 6.0 MEDIUM | 5.4 MEDIUM |
| The Remove Footer Credit WordPress plugin before 1.0.6 does not have CSRF check in place when saving its settings, which could allow attacker to make logged in admins change them and lead to Stored XSS issue as well due to the lack of sanitisation | |||||
| CVE-2020-13674 | 1 Drupal | 1 Drupal | 2022-02-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability. | |||||
| CVE-2022-0505 | 1 Microweber | 1 Microweber | 2022-02-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11. | |||||
| CVE-2021-24843 | 1 Supportcandy | 1 Supportcandy | 2022-02-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| The SupportCandy WordPress plugin before 2.2.7 does not have CRSF check in its wpsc_tickets AJAX action, which could allow attackers to make a logged in admin call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action. | |||||
| CVE-2021-20641 | 1 Logitech | 2 Lan-w300n\/rs, Lan-w300n\/rs Firmware | 2022-02-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in LOGITEC LAN-W300N/RS allows remote attackers to hijack the authentication of administrators via a specially crafted URL. As a result, unintended operations to the device such as changes of the device settings may be conducted. | |||||
| CVE-2021-20636 | 1 Logitech | 2 Lan-w300n\/pr5b, Lan-w300n\/pr5b Firmware | 2022-02-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in LOGITEC LAN-W300N/PR5B allows remote attackers to hijack the authentication of administrators via a specially crafted URL. As a result, unintended operations to the device such as changes of the device settings may be conducted. | |||||
| CVE-2021-32732 | 1 Xwiki | 1 Xwiki | 2022-02-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| ### Impact It's possible to know if a user has or not an account in a wiki related to an email address, and which username(s) is actually tied to that email by forging a request to the Forgot username page. Note that since this page does not have a CSRF check it's quite easy to perform a lot of those requests. ### Patches This issue has been patched in XWiki 12.10.5 and 13.2RC1. Two different patches are provided: - a first one to fix the CSRF problem - a more complex one that now relies on sending an email for the Forgot username process. ### Workarounds It's possible to fix the problem without uprading by editing the ForgotUsername page in version below 13.x, to use the following code: https://github.com/xwiki/xwiki-platform/blob/69548c0320cbd772540cf4668743e69f879812cf/xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/ForgotUsername.xml#L39-L123 In version after 13.x it's also possible to edit manually the forgotusername.vm file, but it's really encouraged to upgrade the version here. ### References * https://jira.xwiki.org/browse/XWIKI-18384 * https://jira.xwiki.org/browse/XWIKI-18408 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki](https://jira.xwiki.org) * Email us at [security ML](mailto:security@xwiki.org) | |||||
| CVE-2021-24668 | 1 Feataholic | 1 Maz Loader | 2022-02-07 | 4.3 MEDIUM | 4.3 MEDIUM |
| The MAZ Loader WordPress plugin before 1.4.1 does not enforce nonce checks, which allows attackers to make administrators delete arbitrary loaders via a CSRF attack | |||||
| CVE-2021-25072 | 1 Nextscripts | 1 Social Networks Auto Poster | 2022-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.25 does not have CSRF check in place when deleting items, allowing attacker to make a logged in admin delete arbitrary posts via a CSRF attack | |||||
| CVE-2021-25092 | 1 Link Library Project | 1 Link Library | 2022-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Link Library WordPress plugin before 7.2.8 does not have CSRF check when resetting library settings, allowing attackers to make a logged in admin reset arbitrary settings via a CSRF attack | |||||
| CVE-2021-22701 | 1 Schneider-electric | 21 Powerlogic Ion7400, Powerlogic Ion7400 Firmware, Powerlogic Ion7410 and 18 more | 2022-02-03 | 3.5 LOW | 4.5 MEDIUM |
| A CWE-352: Cross-Site Request Forgery vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause a user to perform an unintended action on the target device when using the HTTP web interface. | |||||
| CVE-2022-23887 | 1 Yzmcms | 1 Yzmcms | 2022-02-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| YzmCMS v6.3 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily delete user accounts via /admin/admin_manage/delete. | |||||
| CVE-2021-24989 | 1 Wpplugin | 1 Accept Donations With Paypal | 2022-01-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Accept Donations with PayPal WordPress plugin before 1.3.4 does not have CSRF check in place and does not ensure that the post to be deleted belongs to the plugin, allowing attackers to make a logged in admin delete arbitrary posts from the blog | |||||
| CVE-2021-46027 | 1 Mysiteforme Project | 1 Mysiteforme | 2022-01-25 | 4.3 MEDIUM | 6.5 MEDIUM |
| mysiteforme, as of 19-12-2022, has a CSRF vulnerability in the background blog management. The attacker constructs a CSRF load. Once the administrator clicks a malicious link, a blog tag will be added | |||||
| CVE-2021-44777 | 1 Email Tracker Project | 1 Email Tracker | 2022-01-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerabilities leading to single or bulk e-mail entries deletion discovered in Email Tracker WordPress plugin (versions <= 5.2.6). | |||||