Search
Total
3999 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-1605 | 1 Email Users Project | 1 Email Users | 2022-06-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Email Users WordPress plugin through 4.8.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users | |||||
| CVE-2022-1608 | 1 Byonepress | 1 Social Locker | 2022-06-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| The OnePress Social Locker WordPress plugin through 5.6.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2022-1624 | 1 Latest Tweets Widget Project | 1 Latest Tweets Widget | 2022-06-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Latest Tweets Widget WordPress plugin through 1.1.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2022-1612 | 1 Webriti | 1 Webriti Smtp Mail | 2022-06-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Webriti SMTP Mail WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2022-1694 | 1 Useful Banner Manager Project | 1 Useful Banner Manager | 2022-06-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Useful Banner Manager WordPress plugin through 1.6.1 does not perform CSRF checks on POST requests to its admin page, allowing an attacker to trick a logged in admin to add, modify or delete banners from the plugin by submitting a form. | |||||
| CVE-2017-20020 | 1 Solar-log | 16 Solar-log 1000, Solar-log 1000 Firmware, Solar-log 1000 Pm\+ and 13 more | 2022-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability, which was classified as problematic, has been found in Solare Solar-Log 2.8.4-56/3.5.2-85. Affected by this issue is some unknown functionality. The manipulation leads to cross site request forgery. The attack may be launched remotely. Upgrading to version 3.5.3-86 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2017-20045 | 1 Navetti | 1 Pricepoint | 2022-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability was found in Navetti PricePoint 4.6.0.0. It has been declared as critical. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.7.0.0 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2021-44117 | 1 Thedaylightstudio | 1 Fuel Cms | 2022-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross Site Request Forgery (CSRF) vulnerability exists in TheDayLightStudio Fuel CMS 1.5.0 via a POST call to /fuel/sitevariables/delete/4. | |||||
| CVE-2022-22479 | 2 Ibm, Linux | 2 Spectrum Copy Data Management, Linux Kernel | 2022-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Spectrum Copy Data Management 2.2.0.0through 2.2.15.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 225887. | |||||
| CVE-2022-30898 | 1 Chshcms | 1 Cscms | 2022-06-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| A Cross-site request forgery (CSRF) vulnerability in Cscms music portal system v4.2 allows remote attackers to change the administrator's username and password. | |||||
| CVE-2022-1712 | 1 Livesync Project | 1 Livesync | 2022-06-15 | 4.3 MEDIUM | 4.3 MEDIUM |
| The LiveSync for WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2022-1695 | 1 Tipsandtricks-hq | 1 Wp Simple Adsense Insertion | 2022-06-15 | 4.3 MEDIUM | 4.3 MEDIUM |
| The WP Simple Adsense Insertion WordPress plugin before 2.1 does not perform CSRF checks on updates to its admin page, allowing an attacker to trick a logged in user to manipulate ads and inject arbitrary javascript via submitting a form. | |||||
| CVE-2022-1709 | 1 Gti | 1 Throws Spam Away | 2022-06-15 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Throws SPAM Away WordPress plugin before 3.3.1 does not have CSRF checks in place when deleting comments (either all, spam, or pending), allowing attackers to make a logged in admin delete comments via a CSRF attack | |||||
| CVE-2019-25064 | 1 Theaccessgroup | 1 Corehr Core Portal | 2022-06-15 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability was found in CoreHR Core Portal up to 27.0.7. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross site request forgery. It is possible to launch the attack remotely. Upgrading to version 27.0.8 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2022-1577 | 1 Deliciousbrains | 1 Database Backup | 2022-06-15 | 5.8 MEDIUM | 5.4 MEDIUM |
| The Database Backup for WordPress plugin before 2.5.2 does not have CSRF check in place when updating the schedule backup settings, which could allow an attacker to make a logged in admin change them via a CSRF attack. This could lead to cases where attackers can send backup notification emails to themselves, which contain more details. Or disable the automatic backup schedule | |||||
| CVE-2022-1424 | 1 2code | 1 Ask Me | 2022-06-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Ask me WordPress theme before 6.8.2 does not perform CSRF checks for any of its AJAX actions, allowing an attacker to trick logged in users to perform various actions on their behalf on the site. | |||||
| CVE-2022-1422 | 1 2code | 1 Discy | 2022-06-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Discy WordPress theme before 5.2 does not check for CSRF tokens in the AJAX action discy_reset_options, allowing an attacker to trick an admin into resetting the site settings back to defaults. | |||||
| CVE-2022-1421 | 1 2code | 1 Discy | 2022-06-14 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Discy WordPress theme before 5.2 lacks CSRF checks in some AJAX actions, allowing an attacker to make a logged in admin change arbitrary 's settings including payment methods via a CSRF attack | |||||
| CVE-2020-36534 | 1 Easyiicms | 1 Easyiicms | 2022-06-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability was found in easyii CMS. It has been classified as problematic. Affected is an unknown function of the file /admin/sign/out. The manipulation leads to cross site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2021-43559 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2022-06-14 | 6.8 MEDIUM | 8.8 HIGH |
| A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk. | |||||
| CVE-2018-1000195 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2022-06-13 | 4.3 MEDIUM | 4.3 MEDIUM |
| A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not. | |||||
| CVE-2019-10384 | 3 Jenkins, Oracle, Redhat | 3 Jenkins, Communications Cloud Native Core Automated Test Suite, Openshift Container Platform | 2022-06-13 | 6.8 MEDIUM | 8.8 HIGH |
| Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user. | |||||
| CVE-2022-0642 | 1 Jivochat | 1 Jivochat | 2022-06-13 | 3.5 LOW | 5.4 MEDIUM |
| The JivoChat Live Chat WordPress plugin before 1.3.5.4 does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitrary javascript. | |||||
| CVE-2022-0141 | 1 Vfbpro | 1 Visual Form Builder | 2022-06-13 | 5.8 MEDIUM | 8.1 HIGH |
| The Visual Form Builder WordPress plugin before 3.0.8 does not enforce nonce checks which could allow attackers to make a logged in admin or editor delete and restore arbitrary form entries via CSRF attacks | |||||
| CVE-2022-22361 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2022-06-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| IBM Business Automation Workflow traditional 21.0.1 through 21.0.3, 20.0.0.1 through 20.0.0.2, 19.0.0.1 through 19.0.0.3, 18.0.0.0 through 18.0.0.1, IBM Business Automation Workflow containers V21.0.1 - V21.0.3 20.0.0.1 through 20.0.0.2, IBM Business Process Manager 8.6.0.0 through 8.6.0.201803, and 8.5.0.0 through 8.5.0.201706 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | |||||
| CVE-2020-20971 | 1 Pbootcms | 1 Pbootcms | 2022-06-10 | 6.8 MEDIUM | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) vulnerability in PbootCMS v2.0.3 via /admin.php?p=/User/index. | |||||
| CVE-2021-43941 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2022-06-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify several resources (including CsvFieldMappingsPage.jspa and ImporterValueMappingsPage.jspa) via a Cross-Site Request Forgery (CSRF) vulnerability in the jira-importers-plugin. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3. | |||||
| CVE-2022-29735 | 1 Deltacontrols | 2 Entelitouch, Entelitouch Firmware | 2022-06-10 | 6.8 MEDIUM | 8.8 HIGH |
| Delta Controls enteliTOUCH 3.40.3935, 3.40.3706, and 3.33.4005 allows attackers to execute arbitrary commands via a crafted HTTP request. | |||||
| CVE-2022-29647 | 1 Mingsoft | 1 Mcms | 2022-06-09 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in MCMS 5.2.7. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do. | |||||
| CVE-2021-36890 | 1 Supsystic | 1 Social Share Buttons | 2022-06-09 | 4.3 MEDIUM | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Social Share Buttons by Supsystic plugin <= 2.2.2 at WordPress. | |||||
| CVE-2021-44227 | 1 Gnu | 1 Mailman | 2022-06-09 | 6.8 MEDIUM | 8.8 HIGH |
| In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes. | |||||
| CVE-2022-31000 | 1 Nebulab | 1 Solidus | 2022-06-08 | 4.3 MEDIUM | 4.3 MEDIUM |
| solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order's adjustments if they hold its number, and the execution happens on a store administrator's computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch. | |||||
| CVE-2022-1611 | 1 Bulk Page Creator Project | 1 Bulk Page Creator | 2022-06-08 | 6.8 MEDIUM | 8.8 HIGH |
| The Bulk Page Creator WordPress plugin before 1.1.4 does not protect its page creation functionalities with nonce checks, which makes them vulnerable to CSRF. | |||||
| CVE-2021-34360 | 1 Qnap | 4 Nas Proxy Server, Qts, Quts Hero and 1 more | 2022-06-07 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP device running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Proxy Server: QTS 4.5.x: Proxy Server 1.4.2 ( 2021/12/30 ) and later QuTS hero h5.0.0: Proxy Server 1.4.3 ( 2022/01/18 ) and later QuTScloud c4.5.6: Proxy Server 1.4.2 ( 2021/12/30 ) and later | |||||
| CVE-2022-29002 | 1 Xuxueli | 1 Xxl-job | 2022-06-07 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) in XXL-Job v2.3.0 allows attackers to arbitrarily create administrator accounts via the component /gaia-job-admin/user/add. | |||||
| CVE-2021-38886 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2022-06-03 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 209399. | |||||
| CVE-2022-0830 | 1 Formbuilder Project | 1 Formbuilder | 2022-06-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| The FormBuilder WordPress plugin through 1.08 does not have CSRF checks in place when creating/updating and deleting forms, and does not sanitise as well as escape its form field values. As a result, attackers could make logged in admin update and delete arbitrary forms via a CSRF attack, and put Cross-Site Scripting payloads in them. | |||||
| CVE-2021-43952 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2022-06-03 | 4.3 MEDIUM | 4.3 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to restore the default configuration of fields via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/RestoreDefaults.jspa endpoint. The affected versions are before version 8.21.0. | |||||
| CVE-2022-27632 | 1 Meikyo | 30 Poe Boot Nino Poe8m2, Poe Boot Nino Poe8m2 Firmware, Pose Se10-8a7b1 and 27 more | 2022-06-02 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Rebooter(WATCH BOOT nino RPC-M2C [End of Sale] all firmware versions, WATCH BOOT light RPC-M5C [End of Sale] all firmware versions, WATCH BOOT L-zero RPC-M4L [End of Sale] all firmware versions, WATCH BOOT mini RPC-M4H [End of Sale] all firmware versions, WATCH BOOT nino RPC-M2CS firmware version 1.00A to 1.00D, WATCH BOOT light RPC-M5CS firmware version 1.00A to 1.00D, WATCH BOOT L-zero RPC-M4LS firmware version 1.00A to 1.20A, and Signage Rebooter RPC-M4HSi firmware version 1.00A), PoE Rebooter(PoE BOOT nino PoE8M2 firmware version 1.00A to 1.20A), Scheduler(TIME BOOT mini RSC-MT4H [End of Sale] all firmware versions, TIME BOOT RSC-MT8F [End of Sale] all firmware versions, TIME BOOT RSC-MT8FP [End of Sale] all firmware versions, TIME BOOT mini RSC-MT4HS firmware version 1.00A to 1.10A, and TIME BOOT RSC-MT8FS firmware version 1.00A to 1.00E), and Contact Converter(POSE SE10-8A7B1 firmware version 1.00A to 1.20A) allows a remote attacker to hijack the authentication of an administrator and conduct arbitrary operations by having a user to view a specially crafted page. | |||||
| CVE-2020-2196 | 1 Jenkins | 1 Selenium | 2022-06-01 | 6.0 MEDIUM | 8.0 HIGH |
| Jenkins Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP endpoints, allowing attackers to perform all administrative actions provided by the plugin. | |||||
| CVE-2022-22778 | 1 Tibco | 1 Businessconnect Trading Community Management | 2022-05-31 | 6.8 MEDIUM | 8.8 HIGH |
| The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access to execute Cross-Site Request Forgery (CSRF) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management: versions 6.1.0 and below. | |||||
| CVE-2022-30014 | 1 Simple Food Website Project | 1 Simple Food Website | 2022-05-30 | 6.8 MEDIUM | 8.8 HIGH |
| Lumidek Associates Simple Food Website 1.0 is vulnerable to Cross Site Request Forgery (CSRF) which allows anyone to takeover admin/moderater account. | |||||
| CVE-2022-29427 | 1 Disable Right Click For Wp Wordpress | 1 Disable Right Click For Wp | 2022-05-26 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Aftab Muni's Disable Right Click For WP plugin <= 1.1.6 at WordPress. | |||||
| CVE-2022-29430 | 1 Png To Jpg Project | 1 Png To Jpg | 2022-05-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability in KubiQ's PNG to JPG plugin <= 4.0 at WordPress via Cross-Site Request Forgery (CSRF). Vulnerable parameter &jpg_quality. | |||||
| CVE-2022-29431 | 1 Kubiq | 1 Cpt Base | 2022-05-26 | 5.8 MEDIUM | 5.4 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in KubiQ CPT base plugin <= 5.8 at WordPress allows an attacker to delete the CPT base. | |||||
| CVE-2022-30953 | 1 Jenkins | 1 Blue Ocean | 2022-05-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server. | |||||
| CVE-2022-28992 | 1 Online Banquet Booking System Project | 1 Online Banquet Booking System | 2022-05-26 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) in Online Banquet Booking System v1.0 allows attackers to change admin credentials via a crafted POST request. | |||||
| CVE-2022-28921 | 1 Blogengine | 1 Blogengine.net | 2022-05-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| A Cross-Site Request Forgery (CSRF) vulnerability discovered in BlogEngine.Net v3.3.8.0 allows unauthenticated attackers to read arbitrary files on the hosting web server. | |||||
| CVE-2021-29995 | 1 Cloverdx | 1 Cloverdx | 2022-05-25 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross Site Request Forgery (CSRF) issue in Server Console in CloverDX through 5.9.0 allows remote attackers to execute any action as the logged-in user (including script execution). The issue is resolved in CloverDX 5.10, CloverDX 5.9.1, CloverDX 5.8.2, and CloverDX 5.7.1. | |||||
| CVE-2022-29436 | 1 Code Snippets Extended Project | 1 Code Snippets Extended | 2022-05-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent Cross-Site Scripting (XSS) vulnerability in Alexander Stokmann's Code Snippets Extended plugin <= 1.4.7 on WordPress via Cross-Site Request Forgery (vulnerable parameters &title, &snippet_code). | |||||