Search
Total
3999 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-1732 | 1 Rename Wp-login Project | 1 Rename Wp-login | 2022-07-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Rename wp-login.php WordPress plugin through 2.6.0 does not have CSRF check in place when updating the secret login URL, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2022-1626 | 1 Sharebar Project | 1 Sharebar | 2022-07-15 | 3.5 LOW | 5.4 MEDIUM |
| The Sharebar WordPress plugin through 1.4.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and also lead to Stored Cross-Site Scripting issue due to the lack of sanitisation and escaping in some of them | |||||
| CVE-2022-1576 | 1 Themeisle | 1 Wp Maintenance Mode \& Coming Soon | 2022-07-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| The WP Maintenance Mode & Coming Soon WordPress plugin before 2.4.5 is lacking CSRF when emptying the subscribed users list, which could allow attackers to make a logged in admin perform such action via a CSRF attack | |||||
| CVE-2022-1599 | 1 Admin Management Xtended Project | 1 Admin Management Xtended | 2022-07-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Admin Management Xtended WordPress plugin before 2.4.5 does not have CSRF checks in some of its AJAX actions, allowing attackers to make a logged users with the right capabilities to call them. This can lead to changes in post status (draft, published), slug, post date, comment status (enabled, disabled) and more. | |||||
| CVE-2015-1785 | 1 Imagely | 1 Nextgen Gallery | 2022-07-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| In nextgen-galery wordpress plugin before 2.0.77.3 there are two vulnerabilities which can allow an attacker to gain full access over the web application. The vulnerabilities lie in how the application validates user uploaded files and lack of security measures preventing unwanted HTTP requests. | |||||
| CVE-2021-31679 | 1 Pescms | 1 Pescms Team | 2022-07-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in PESCMS-V2.3.3. There is a CSRF vulnerability that allows attackers to delete admin and other members' account numbers. | |||||
| CVE-2021-31678 | 1 Pescms | 1 Pescms Team | 2022-07-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in PESCMS-V2.3.3. There is a CSRF vulnerability that can delete import information about a user's company. | |||||
| CVE-2021-31677 | 1 Pescms | 1 Pescms Team | 2022-07-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in PESCMS-V2.3.3. There is a CSRF vulnerability that can modify admin and other members' passwords. | |||||
| CVE-2022-25192 | 1 Jenkins | 1 Snow Commander | 2022-07-13 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Snow Commander Plugin 1.10 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2021-23163 | 1 Jfrog | 1 Artifactory | 2022-07-13 | 6.8 MEDIUM | 8.8 HIGH |
| JFrog Artifactory prior to version 7.33.6 and 6.23.38, is vulnerable to CSRF ( Cross-Site Request Forgery) for specific endpoints. This issue affects: JFrog JFrog Artifactory JFrog Artifactory versions before 7.33.6 versions prior to 7.x; JFrog Artifactory versions before 6.23.38 versions prior to 6.x. | |||||
| CVE-2022-1967 | 1 Wp-championship Project | 1 Wp-championship | 2022-07-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| The WP Championship WordPress plugin before 9.3 is lacking CSRF checks in various places, allowing attackers to make a logged in admin perform unwanted actions, such as create and delete arbitrary teams as well as update the plugin's settings. Due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues | |||||
| CVE-2021-46366 | 1 Magnolia-cms | 1 Magnolia Cms | 2022-07-12 | 6.8 MEDIUM | 8.8 HIGH |
| An issue in the Login page of Magnolia CMS v6.2.3 and below allows attackers to exploit both an Open Redirect vulnerability and Cross-Site Request Forgery (CSRF) in order to brute force and exfiltrate users' credentials. | |||||
| CVE-2021-25327 | 1 Skyworthdigital | 2 Rn510, Rn510 Firmware | 2022-07-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| Skyworth Digital Technology RN510 V.3.1.0.4 contains a cross-site request forgery (CSRF) vulnerability in /cgi-bin/net-routeadd.asp and /cgi-bin/sec-urlfilter.asp. Missing CSRF protection in devices can lead to XSRF, as the above pages are vulnerable to cross-site scripting (XSS). | |||||
| CVE-2021-46426 | 1 Phpipam | 1 Phpipam | 2022-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| phpIPAM 1.4.4 allows Reflected XSS and CSRF via app/admin/subnets/find_free_section_subnets.php of the subnets functionality. | |||||
| CVE-2020-10181 | 1 Sumavision | 2 Enhanced Multimedia Router, Enhanced Multimedia Router Firmware | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3.0.4.27 allows creation of arbitrary users with elevated privileges (administrator) on a device, as demonstrated by a setString=new_user<*1*>administrator<*1*>123456 request. | |||||
| CVE-2020-23376 | 1 5none | 1 Nonecms | 2022-07-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| NoneCMS v1.3 has a CSRF vulnerability in public/index.php/admin/nav/add.html, as demonstrated by adding a navigation column which can be injected with arbitrary web script or HTML via the name parameter to launch a stored XSS attack. | |||||
| CVE-2022-34792 | 1 Jenkins | 1 Recipe | 2022-07-08 | 6.0 MEDIUM | 8.0 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Recipe Plugin 1.2 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as XML. | |||||
| CVE-2022-34789 | 1 Jenkins | 1 Matrix Reloaded | 2022-07-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds. | |||||
| CVE-2022-34780 | 1 Jenkins | 1 Xebialabs Xl Release | 2022-07-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2022-31886 | 1 Marvalglobal | 1 Marval Msm | 2022-07-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| Marval MSM v14.19.0.12476 is vulnerable to Cross Site Request Forgery (CSRF). An attacker can disable the 2FA by sending the user a malicious form. | |||||
| CVE-2017-20120 | 1 Trueconf | 1 Server | 2022-07-07 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability classified as problematic was found in TrueConf Server 4.3.7. This vulnerability affects unknown code of the file /admin/service/stop/. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-1653 | 1 Supsystic | 1 Social Share Buttons | 2022-07-07 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Social Share Buttons by Supsystic WordPress plugin before 2.2.4 does not perform CSRF checks in it's ajax endpoints and admin pages, allowing an attacker to trick any logged in user to manipulate or change the plugin settings, as well as create, delete and rename projects and networks. | |||||
| CVE-2022-1627 | 1 Zatzlabs | 1 My Private Site | 2022-07-07 | 4.3 MEDIUM | 4.3 MEDIUM |
| The My Private Site WordPress plugin before 3.0.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2022-1625 | 1 Wpexperts | 1 New User Approve | 2022-07-07 | 4.3 MEDIUM | 4.3 MEDIUM |
| The New User Approve WordPress plugin before 2.4 does not have CSRF check in place when updating its settings and adding invitation codes, which could allow attackers to add invitation codes (for bypassing the provided restrictions) and to change plugin settings by tricking admin users into visiting specially crafted websites. | |||||
| CVE-2022-1573 | 1 Html2wp Project | 1 Html2wp | 2022-07-07 | 4.3 MEDIUM | 4.3 MEDIUM |
| The HTML2WP WordPress plugin through 1.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them | |||||
| CVE-2022-0875 | 1 Miniorange | 1 Google Authenticator | 2022-07-07 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Google Authenticator WordPress plugin before 1.0.5 does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks | |||||
| CVE-2022-34134 | 1 Jorani Project | 1 Jorani | 2022-07-06 | 6.8 MEDIUM | 8.8 HIGH |
| Benjamin BALET Jorani v1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /application/controllers/Users.php. | |||||
| CVE-2022-1844 | 1 Wp-sentry Project | 1 Wp-sentry | 2022-07-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| The WP Sentry WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping as well | |||||
| CVE-2022-1843 | 1 Mailpress Project | 1 Mailpress | 2022-07-06 | 4.3 MEDIUM | 6.5 MEDIUM |
| The MailPress WordPress plugin through 7.2.1 does not have CSRF checks in various places, which could allow attackers to make a logged in admin change the settings, purge log files and more via CSRF attacks | |||||
| CVE-2022-1842 | 1 Openbook Book Data Project | 1 Openbook Book Data | 2022-07-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| The OpenBook Book Data WordPress plugin through 3.5.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping as well | |||||
| CVE-2022-1885 | 1 Cimy Header Image Rotator Project | 1 Cimy Header Image Rotator | 2022-07-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Cimy Header Image Rotator WordPress plugin through 6.1.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2022-1847 | 1 Rotating Posts Project | 1 Rotating Posts | 2022-07-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Rotating Posts WordPress plugin through 1.11 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2022-1846 | 1 Tiny Contact Form Project | 1 Tiny Contact Form | 2022-07-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2022-1845 | 1 Wp Post Styling Project | 1 Wp Post Styling | 2022-07-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| The WP Post Styling WordPress plugin before 1.3.1 does not have CSRF checks in various actions, which could allow attackers to make a logged in admin delete plugin's data, update the settings, add new entries and more via CSRF attacks | |||||
| CVE-2022-1913 | 1 Add Post Url Project | 1 Add Post Url | 2022-07-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Add Post URL WordPress plugin through 2.1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping | |||||
| CVE-2022-1960 | 1 Mycss Project | 1 Mycss | 2022-07-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| The MyCSS WordPress plugin through 1.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2022-1914 | 1 Clean-contact Project | 1 Clean-contact | 2022-07-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Clean-Contact WordPress plugin through 1.6 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored XSS due to the lack of sanitisation and escaping as well | |||||
| CVE-2020-18648 | 1 Juqingcms | 1 Juqingcms | 2022-07-06 | 6.8 MEDIUM | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) in JuQingCMS v1.0 allows remote attackers to gain local privileges via the component "JuQingCMS_v1.0/admin/index.php?c=administrator&a=add". | |||||
| CVE-2021-24410 | 1 Telugu Bible Verse Daily Project | 1 Telugu Bible Verse Daily | 2022-07-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| The తెల�గ� బైబిల� వచనమ�ల� WordPress plugin through 1.0 is lacking any CSRF check when saving its settings and verses, and do not sanitise or escape them when outputting them back in the page. This could allow attackers to make a logged in admin change the settings, as well as add malicious verses containing JavaScript code in them, leading to Stored XSS issues | |||||
| CVE-2022-1603 | 1 Webfwd | 1 Mail Subscribe List | 2022-07-01 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Mail Subscribe List WordPress plugin before 2.1.4 does not have CSRF check in place when deleting subscribed users, which could allow attackers to make a logged in admin perform such action and delete arbitrary users from the subscribed list | |||||
| CVE-2021-1257 | 5 Apple, Cisco, Linux and 2 more | 5 Macos, Dna Center, Linux Kernel and 2 more | 2022-07-01 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based management interface of Cisco DNA Center Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to manipulate an authenticated user into executing malicious actions without their awareness or consent. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a web-based management user to follow a specially crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the device with the privileges of the authenticated user. These actions include modifying the device configuration, disconnecting the user's session, and executing Command Runner commands. | |||||
| CVE-2022-33121 | 1 1234n | 1 Minicms | 2022-06-30 | 5.8 MEDIUM | 8.1 HIGH |
| A Cross-Site Request Forgery (CSRF) in MiniCMS v1.11 allows attackers to arbitrarily delete local .dat files via clicking on a malicious link. | |||||
| CVE-2020-25252 | 1 Hyland | 1 Onbase | 2022-06-30 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. CSRF can be used to log in a user, and then perform actions, because there are default credentials (the wstinol password for the manager or hsi account). | |||||
| CVE-2017-20093 | 1 Wpdownloadmanager | 1 Wordpress Download Manager | 2022-06-30 | 4.3 MEDIUM | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, was found in Download Manager Plugin 2.8.99. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. | |||||
| CVE-2022-34207 | 1 Jenkins | 1 Beaker Builder | 2022-06-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers to connect to an attacker-specified URL. | |||||
| CVE-2022-34209 | 1 Jenkins | 1 Threadfix | 2022-06-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins ThreadFix Plugin 1.5.4 and earlier allows attackers to connect to an attacker-specified URL. | |||||
| CVE-2022-34211 | 1 Jenkins | 1 Vrealize Orchestrator | 2022-06-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins vRealize Orchestrator Plugin 3.0 and earlier allows attackers to send an HTTP POST request to an attacker-specified URL. | |||||
| CVE-2022-34205 | 1 Jenkins | 1 Jianliao Notification | 2022-06-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Jianliao Notification Plugin 1.1 and earlier allows attackers to send HTTP POST requests to an attacker-specified URL. | |||||
| CVE-2017-20088 | 1 Bytesforall | 1 Atahualpa | 2022-06-29 | 4.3 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic has been found in Atahualpa Theme. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. | |||||
| CVE-2017-20091 | 1 Wpjos | 1 Library File Manager | 2022-06-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability was found in File Manager Plugin 3.0.1. It has been classified as problematic. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. | |||||