Vulnerabilities (CVE)

Filtered by CWE-352 (Cross-Site Request Forgery)
Columns: CVE | Vendors (count, then names) | Products (count, then names) | Updated | CVSS v2 (score and severity) | CVSS v3 (score and severity). Each entry's description follows on the line after its row.
CVE-2020-28846 1 Seacms 1 Seacms 2021-08-24 4.3 MEDIUM 6.5 MEDIUM
Cross Site Request Forgery (CSRF) vulnerability exists in SeaCMS 10.7 in admin_manager.php, which could let a malicious user add an admin account.
CVE-2020-4992 1 Ibm 1 Datapower Gateway 2021-08-24 4.3 MEDIUM 6.5 MEDIUM
IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.16 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 192737.
CVE-2021-24535 1 Light Messages Project 1 Light Messages 2021-08-23 4.3 MEDIUM 6.1 MEDIUM
The Light Messages WordPress plugin through 1.0 is lacking a CSRF check when updating its settings, and is not sanitising its Message Content in them (even with unfiltered_html disallowed). As a result, an attacker could make a logged-in admin update the settings to arbitrary values, and set a Cross-Site Scripting payload in the Message Content. Depending on the options set, the XSS payload can be triggered either in the backend only (in the plugin's settings), or in both frontend and backend.
CVE-2021-24466 1 Verse-o-matic Project 1 Verse-o-matic 2021-08-23 4.3 MEDIUM 6.1 MEDIUM
The Verse-O-Matic WordPress plugin through 4.1.1 does not have any CSRF checks in place, allowing attackers to make logged-in administrators perform unwanted actions, such as add/edit/delete arbitrary verses and change the settings. Due to the lack of sanitisation in the settings and verses, this could also lead to Stored Cross-Site Scripting issues.
CVE-2021-24536 1 Custom Login Redirect Project 1 Custom Login Redirect 2021-08-23 4.3 MEDIUM 6.1 MEDIUM
The Custom Login Redirect WordPress plugin through 1.0.0 does not have a CSRF check in place when saving its settings, and does not sanitise or escape user input before outputting it back in the page, leading to a Stored Cross-Site Scripting issue.
CVE-2021-24411 1 Social Tape Project 1 Social Tape 2021-08-23 4.3 MEDIUM 6.1 MEDIUM
The Social Tape WordPress plugin through 1.0 does not have CSRF checks in place when saving its settings, and does not sanitise or escape them before outputting them back in the page, leading to a Stored Cross-Site Scripting issue via a CSRF attack.
CVE-2021-24380 1 Shantz Wordpress Qotd Project 1 Shantz Wordpress Qotd 2021-08-23 4.3 MEDIUM 4.3 MEDIUM
The Shantz WordPress QOTD WordPress plugin through 1.2.2 is lacking any CSRF check when updating its settings, allowing attackers to make logged in administrators change them to arbitrary values.
CVE-2021-29400 1 Netexplorer 1 My Smtp Contact 2021-08-19 4.3 MEDIUM 6.5 MEDIUM
A cross-site request forgery (CSRF) vulnerability in the My SMTP Contact v1.1.1 plugin for GetSimple CMS allows remote attackers to change the SMTP settings of the contact forms for the webpages of the CMS after an authenticated admin visits a malicious third-party site.
CVE-2020-20989 1 Domainmod 1 Domainmod 2021-08-18 4.3 MEDIUM 4.3 MEDIUM
A cross-site request forgery (CSRF) in /admin/maintenance/ of Domainmod 4.13 allows attackers to arbitrarily delete logs.
CVE-2021-34661 1 Verygoodplugins 1 Wp Fusion 2021-08-16 4.3 MEDIUM 4.7 MEDIUM
The WP Fusion Lite WordPress plugin is vulnerable to Cross-Site Request Forgery via the `show_logs_section` function found in the ~/includes/admin/logging/class-log-handler.php file which allows attackers to drop all logs for the plugin, in versions up to and including 3.37.18.
CVE-2020-18457 1 Bycms Project 1 Bycms 2021-08-16 6.0 MEDIUM 6.8 MEDIUM
Cross Site Request Forgery (CSRF) vulnerability exists in bycms v1.3.0 that can add an admin account via admin.php/ucenter/add.html.
CVE-2020-18454 1 Bycms Project 1 Bycms 2021-08-16 6.0 MEDIUM 6.8 MEDIUM
Cross Site Request Forgery (CSRF) vulnerability in bycms v1.3 via admin.php/systems/index/module_id/70/group_id/1.html.
CVE-2020-25562 1 Sapphireims 1 Sapphireims 2021-08-16 4.3 MEDIUM 6.5 MEDIUM
In SapphireIMS 5.0, there is no CSRF token present in the entire application. This can lead to CSRF vulnerabilities in critical application forms such as account reset.
CVE-2020-21358 1 Wagecms Project 1 Wage-cms 2021-08-13 4.3 MEDIUM 6.5 MEDIUM
A cross site request forgery (CSRF) in Wage-CMS 1.5.x-dev allows attackers to arbitrarily add users.
CVE-2021-35343 1 Seeddms 1 Seeddms 2021-08-10 4.3 MEDIUM 4.3 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in /op/op.Ajax.php in SeedDMS v5.1.x < 5.1.23 and v6.0.x < 6.0.16 allows a remote attacker to edit a document name without the victim's knowledge, by enticing an authenticated user to visit an attacker's web page.
CVE-2021-36542 1 Seeddms 1 Seeddms 2021-08-10 4.3 MEDIUM 4.3 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in /op/op.LockDocument.php in SeedDMS v5.1.x < 5.1.23 and v6.0.x < 6.0.16 allows a remote attacker to lock any document without the victim's knowledge, by enticing an authenticated user to visit an attacker's web page.
CVE-2021-36543 1 Seeddms 1 Seeddms 2021-08-10 4.3 MEDIUM 4.3 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in /op/op.UnlockDocument.php in SeedDMS v5.1.x < 5.1.23 and v6.0.x < 6.0.16 allows a remote attacker to unlock any document without the victim's knowledge, by enticing an authenticated user to visit an attacker's web page.
CVE-2021-20786 1 Groupsession 3 Groupsession, Groupsession Bycloud, Groupsession Zion 2021-08-06 4.3 MEDIUM 4.3 MEDIUM
Cross-site request forgery (CSRF) vulnerability in GroupSession (GroupSession Free edition from ver2.2.0 to the version prior to ver5.1.0, GroupSession byCloud from ver3.0.3 to the version prior to ver5.1.0, and GroupSession ZION from ver3.0.3 to the version prior to ver5.1.0) allows a remote attacker to hijack the authentication of administrators via a specially crafted URL.
CVE-2020-4675 4 Ibm, Linux, Microsoft and 1 more 6 Aix, Infosphere Master Data Management Server, Linux On Zseries and 3 more 2021-07-29 4.3 MEDIUM 6.5 MEDIUM
IBM InfoSphere Master Data Management Server 11.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 186324.
CVE-2021-21407 1 Combodo 1 Itop 2021-07-29 4.3 MEDIUM 6.5 MEDIUM
Combodo iTop is an open source, web based IT Service Management tool. Prior to version 2.7.4, the CSRF token validation can be bypassed through iTop portal via a tricky browser procedure. The vulnerability is patched in version 2.7.4 and 3.0.0.
CVE-2021-32774 1 Miraheze 1 Datadump 2021-07-28 5.8 MEDIUM 5.4 MEDIUM
DataDump is a MediaWiki extension that provides dumps of wikis. Prior to commit 67a82b76e186925330b89ace9c5fd893a300830b, DataDump had no protection against CSRF attacks so requests to generate or delete dumps could be forged. The vulnerability was patched in commit 67a82b76e186925330b89ace9c5fd893a300830b. There are no known workarounds. You must completely disable DataDump.
CVE-2018-20816 1 Salesagility 1 Suitecrm 2021-07-22 4.3 MEDIUM 6.1 MEDIUM
An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the "add dashboard pages" feature where users can receive a malicious attack through a phished URL, with script executed.
CVE-2020-18151 1 Thinkcmf 1 Thinkcmf 2021-07-22 4.3 MEDIUM 6.5 MEDIUM
Cross Site Request Forgery (CSRF) vulnerability in ThinkCMF v5.1.0, which can add an admin account.
CVE-2020-24570 1 Mbconnectline 2 Mbconnect24, Mymbconnect24 2021-07-21 4.3 MEDIUM 6.5 MEDIUM
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a CSRF issue (with resultant SSRF) in the com_mb24proxy module, allowing attackers to steal session information from logged-in users with a crafted link.
CVE-2020-15400 1 Cakefoundation 1 Cakephp 2021-07-21 4.3 MEDIUM 4.3 MEDIUM
CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS.
CVE-2020-15516 1 Mm Forum Project 1 Mm Forum 2021-07-21 5.8 MEDIUM 5.4 MEDIUM
The mm_forum extension through 1.9.5 for TYPO3 allows XSS that can be exploited via CSRF.
CVE-2021-22224 1 Gitlab 1 Gitlab 2021-07-09 4.3 MEDIUM 6.5 MEDIUM
A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim.
CVE-2021-32730 1 Xwiki 1 Xwiki 2021-07-09 4.3 MEDIUM 5.7 MEDIUM
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A cross-site request forgery vulnerability exists in versions prior to 12.10.5, and in versions 13.0 through 13.1. It is possible to forge a URL that, when accessed by an admin, will reset the password of any user in XWiki. The problem has been patched in XWiki 12.10.5 and 13.2RC1. As a workaround, it is possible to apply the patch manually by modifying the `register_macros.vm` template.
CVE-2021-20580 1 Ibm 1 Planning Analytics 2021-06-30 4.3 MEDIUM 4.3 MEDIUM
IBM Planning Analytics 2.0 could be vulnerable to cross-site request forgery (CSRF) which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 198241.
CVE-2016-10861 1 Neetcables 2 Airstream, Airstream Nas Firmware 2021-06-24 4.3 MEDIUM 6.5 MEDIUM
Neet AirStream NAS1.1 devices allow CSRF attacks that cause the settings binary to change the AP name and password.
CVE-2020-20468 1 White Shark Systems Project 1 White Shark Systems 2021-06-23 4.3 MEDIUM 6.5 MEDIUM
White Shark System (WSS) 1.3.2 is vulnerable to CSRF. Attackers can use the user_edit_password.php file to modify the user password.
CVE-2020-36389 1 Civicrm 1 Civicrm 2021-06-22 4.3 MEDIUM 4.3 MEDIUM
In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.
CVE-2021-34547 1 Paessler 1 Prtg Network Monitor 2021-06-21 4.3 MEDIUM 4.3 MEDIUM
PRTG Network Monitor 20.1.55.1775 allows /editsettings CSRF for user account creation.
CVE-2020-35759 1 Bloofox 1 Bloofoxcms 2021-06-17 4.3 MEDIUM 6.5 MEDIUM
bloofoxCMS 0.5.2.1 is affected by a CSRF vulnerability that leads to an attacker editing any file content (locally/remotely).
CVE-2020-36140 1 Bloofox 1 Bloofoxcms 2021-06-09 4.3 MEDIUM 6.5 MEDIUM
BloofoxCMS 0.5.2.1 allows Cross-Site Request Forgery (CSRF) via 'mode=settings&page=editor', as demonstrated by use of 'mode=settings&page=editor' to change any file content (Locally/Remotely).
CVE-2020-35972 1 Yzmcms 1 Yzmcms 2021-06-09 4.3 MEDIUM 4.3 MEDIUM
An issue was discovered in YzmCMS V5.8. There is a CSRF vulnerability that can add member user accounts via member/member/add.html.
CVE-2021-26033 1 Joomla 1 Joomla! 2021-05-28 4.3 MEDIUM 6.5 MEDIUM
An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint.
CVE-2021-26034 1 Joomla 1 Joomla! 2021-05-28 4.3 MEDIUM 6.5 MEDIUM
An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in data download endpoints in com_banners and com_sysinfo.
CVE-2020-25408 1 College Management System Project 1 College Management System 2021-05-27 4.3 MEDIUM 6.5 MEDIUM
A Cross-Site Request Forgery (CSRF) vulnerability exists in ProjectWorlds College Management System Php 1.0 that allows a remote attacker to modify, delete, or make a new entry of the student, faculty, teacher, subject, scores, location, and article data.
CVE-2020-25411 1 Online Examination System Project 1 Online Examination System 2021-05-27 4.3 MEDIUM 6.5 MEDIUM
Projectworlds Online Examination System 1.0 is vulnerable to CSRF, which allows a remote attacker to delete the existing user.
CVE-2021-32632 1 Pajbot 1 Pajbot 2021-05-27 4.3 MEDIUM 4.3 MEDIUM
Pajbot is a Twitch chat bot. Pajbot versions prior to 1.52 are vulnerable to cross-site request forgery (CSRF). Hosters of the bot should upgrade to `v1.52` or `stable` to install the patch or, as a workaround, can add one modern dependency.
CVE-2021-25930 1 Opennms 2 Horizon, Meridian 2021-05-26 4.3 MEDIUM 4.3 MEDIUM
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, because there is no CSRF protection and no validation that a user name already exists when renaming a user. As a result, the privileges of the renamed user are overwritten by those of the old user, and the old user is deleted from the user list.
CVE-2020-24740 1 Pluck-cms 1 Pluck 2021-05-24 4.3 MEDIUM 4.3 MEDIUM
An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can edit a page via /admin.php?action=editpage.
CVE-2021-24324 1 Clogica 1 All 404 Redirect To Homepage 2021-05-24 4.3 MEDIUM 6.5 MEDIUM
The 404 SEO Redirection WordPress plugin through 1.3 is lacking CSRF checks in all its settings, allowing attackers to make a logged-in user change the plugin's settings. Due to the lack of sanitisation and escaping in some fields, it could also lead to Stored Cross-Site Scripting issues.
CVE-2020-24982 1 Quadbase 1 Espressdashboard 2021-05-21 4.3 MEDIUM 4.3 MEDIUM
An issue was discovered in Quadbase ExpressDashboard (EDAB) 7 Update 9. It allows CSRF. An attacker may be able to trick an authenticated user into changing the email address associated with their account.
CVE-2016-8350 1 Moxa 19 Iologik E1200 Series Firmware, Iologik E1210, Iologik E1211 and 16 more 2021-05-19 6.8 MEDIUM 6.3 MEDIUM
An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 and prior, ioLogik E1211, firmware Version V2.3 and prior, ioLogik E1212, firmware Version V2.4 and prior, ioLogik E1213, firmware Version V2.5 and prior, ioLogik E1214, firmware Version V2.4 and prior, ioLogik E1240, firmware Version V2.3 and prior, ioLogik E1241, firmware Version V2.4 and prior, ioLogik E1242, firmware Version V2.4 and prior, ioLogik E1260, firmware Version V2.4 and prior, ioLogik E1262, firmware Version V2.4 and prior, ioLogik E2210, firmware versions prior to V3.13, ioLogik E2212, firmware versions prior to V3.14, ioLogik E2214, firmware versions prior to V3.12, ioLogik E2240, firmware versions prior to V3.12, ioLogik E2242, firmware versions prior to V3.12, ioLogik E2260, firmware versions prior to V3.13, and ioLogik E2262, firmware versions prior to V3.12. The web application may not sufficiently verify whether a request was provided by a valid user (CROSS-SITE REQUEST FORGERY).
CVE-2021-24249 1 Strategy11 1 Business Directory Plugin - Easy Listing Directories 2021-05-13 4.3 MEDIUM 6.5 MEDIUM
The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged-in administrator export files, which could then be downloaded by the attacker to get access to PII, such as email and home addresses.
CVE-2020-18889 1 Puppycms 1 Puppycms 2021-05-12 4.3 MEDIUM 6.5 MEDIUM
Cross Site Request Forgery (CSRF) vulnerability in puppyCMS v5.1 that can change the admin's password via /admin/settings.php.
CVE-2021-28055 1 Centreon 1 Centreon 2021-05-05 4.3 MEDIUM 6.5 MEDIUM
An issue was discovered in Centreon-Web in Centreon Platform 20.10.0. The anti-CSRF token generation is predictable, which might allow CSRF attacks that add an admin user.
CVE-2021-24231 1 Patreon 1 Patreon Wordpress 2021-05-04 4.3 MEDIUM 6.5 MEDIUM
The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged-in administrator disconnect the site from Patreon by visiting a specially crafted link.