Search
Total
3999 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-7534 | 1 Schneider-electric | 20 140cpu65, 140cpu65 Firmware, 140noc78000 and 17 more | 2022-02-10 | 6.8 MEDIUM | 8.8 HIGH |
| A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists on the web server used, that could cause a leak of sensitive data or unauthorized actions on the web server during the time the user is logged in. Affected Products: Modicon M340 CPUs: BMXP34 (All Versions), Modicon Quantum CPUs with integrated Ethernet (Copro): 140CPU65 (All Versions), Modicon Premium CPUs with integrated Ethernet (Copro): TSXP57 (All Versions), Modicon M340 ethernet modules: (BMXNOC0401, BMXNOE01, BMXNOR0200H) (All Versions), Modicon Quantum and Premium factory cast communication modules: (140NOE77111, 140NOC78*00, TSXETY5103, TSXETY4103) (All Versions) | |||||
| CVE-2021-45268 | 1 Backdropcms | 1 Backdrop | 2022-02-10 | 6.8 MEDIUM | 8.8 HIGH |
| ** DISPUTED ** A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously add-on with crafted PHP file. NOTE: the vendor disputes this because the attack requires a session cookie of a high-privileged authenticated user who is entitled to install arbitrary add-ons. | |||||
| CVE-2019-10655 | 1 Grandstream | 10 Gac2500, Gac2500 Firmware, Gvc3202 and 7 more | 2022-02-09 | 7.5 HIGH | 9.8 CRITICAL |
| Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3275 before 1.0.3.219 Beta, and GXV3240 before 1.0.3.219 Beta devices allow unauthenticated remote code execution via shell metacharacters in a /manager?action=getlogcat priority field, in conjunction with a buffer overflow (via the phonecookie cookie) to overwrite a data structure and consequently bypass authentication. This can be exploited remotely or via CSRF because the cookie can be placed in an Accept HTTP header in an XMLHttpRequest call to lighttpd. | |||||
| CVE-2021-24668 | 1 Feataholic | 1 Maz Loader | 2022-02-07 | 4.3 MEDIUM | 4.3 MEDIUM |
| The MAZ Loader WordPress plugin before 1.4.1 does not enforce nonce checks, which allows attackers to make administrators delete arbitrary loaders via a CSRF attack | |||||
| CVE-2021-39044 | 1 Ibm | 1 Financial Transaction Manager | 2022-02-05 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 214210. | |||||
| CVE-2022-23601 | 1 Sensiolabs | 1 Symfony | 2022-02-05 | 6.8 MEDIUM | 8.8 HIGH |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue. | |||||
| CVE-2021-25072 | 1 Nextscripts | 1 Social Networks Auto Poster | 2022-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.25 does not have CSRF check in place when deleting items, allowing attacker to make a logged in admin delete arbitrary posts via a CSRF attack | |||||
| CVE-2021-25092 | 1 Link Library Project | 1 Link Library | 2022-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Link Library WordPress plugin before 7.2.8 does not have CSRF check when resetting library settings, allowing attackers to make a logged in admin reset arbitrary settings via a CSRF attack | |||||
| CVE-2021-24763 | 1 Getperfectsurvey | 1 Perfect Survey | 2022-02-04 | 6.8 MEDIUM | 8.8 HIGH |
| The Perfect Survey WordPress plugin before 1.5.2 does not have proper authorisation nor CSRF checks in the save_global_setting AJAX action, allowing unauthenticated users to edit surveys and modify settings. Given the lack of sanitisation and escaping in the settings, this could also lead to a Stored Cross-Site Scripting issue which will be executed in the context of a user viewing any survey | |||||
| CVE-2021-22701 | 1 Schneider-electric | 21 Powerlogic Ion7400, Powerlogic Ion7400 Firmware, Powerlogic Ion7410 and 18 more | 2022-02-03 | 3.5 LOW | 4.5 MEDIUM |
| A CWE-352: Cross-Site Request Forgery vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause a user to perform an unintended action on the target device when using the HTTP web interface. | |||||
| CVE-2022-23888 | 1 Yzmcms | 1 Yzmcms | 2022-02-02 | 6.8 MEDIUM | 8.8 HIGH |
| YzmCMS v6.3 was discovered to contain a Cross-Site Request Forgey (CSRF) via the component /yzmcms/comment/index/init.html. | |||||
| CVE-2022-23887 | 1 Yzmcms | 1 Yzmcms | 2022-02-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| YzmCMS v6.3 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily delete user accounts via /admin/admin_manage/delete. | |||||
| CVE-2021-22725 | 1 Se | 12 Evb1a, Evb1a Firmware, Evc1s22p4 and 9 more | 2022-02-02 | 6.8 MEDIUM | 8.8 HIGH |
| A CVE-352 Cross-Site Request Forgery (CSRF) vulnerability exists that could allow an attacker to impersonate the user or carry out actions on their behalf when crafted malicious parameters are submitted in POST requests sent to the charging station web server. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2 ), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2) | |||||
| CVE-2021-22724 | 1 Se | 12 Evb1a, Evb1a Firmware, Evc1s22p4 and 9 more | 2022-02-02 | 6.8 MEDIUM | 8.8 HIGH |
| A CVE-352 Cross-Site Request Forgery (CSRF) vulnerability exists that could allow an attacker to impersonate the user or carry out actions on their behalf when crafted malicious parameters are submitted in POST requests sent to the charging station web server. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2 ), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2) | |||||
| CVE-2021-44122 | 1 Spip | 1 Spip | 2022-02-02 | 6.8 MEDIUM | 8.8 HIGH |
| SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php, ecrire/public/balises.php, ecrire/balise/formulaire_.php. To exploit the vulnerability, a visitor must visit a malicious website which redirects to the SPIP website. It is also possible to combine XSS vulnerabilities in SPIP 4.0.0 to exploit it. The vulnerability allows an authenticated attacker to execute malicious code without the knowledge of the user on the website (CSRF). | |||||
| CVE-2022-0335 | 1 Moodle | 1 Moodle | 2022-02-01 | 6.8 MEDIUM | 8.8 HIGH |
| A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk. | |||||
| CVE-2022-0269 | 1 Yetiforce | 1 Yetiforce Customer Relationship Management | 2022-01-28 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-Site Request Forgery (CSRF) in Packagist yetiforce/yetiforce-crm prior to 6.3.0. | |||||
| CVE-2021-24989 | 1 Wpplugin | 1 Accept Donations With Paypal | 2022-01-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Accept Donations with PayPal WordPress plugin before 1.3.4 does not have CSRF check in place and does not ensure that the post to be deleted belongs to the plugin, allowing attackers to make a logged in admin delete arbitrary posts from the blog | |||||
| CVE-2021-25073 | 1 Webmaster-source | 1 Wp125 | 2022-01-27 | 6.8 MEDIUM | 8.8 HIGH |
| The WP125 WordPress plugin before 1.5.5 does not have CSRF checks in various action, for example when deleting an ad, allowing attackers to make a logged in admin delete them via a CSRF attack | |||||
| CVE-2021-24936 | 1 Wp Extra File Types Project | 1 Wp Extra File Types | 2022-01-27 | 6.0 MEDIUM | 8.0 HIGH |
| The WP Extra File Types WordPress plugin before 0.5.1 does not have CSRF check when saving its settings, nor sanitise and escape some of them, which could allow attackers to make a logged in admin change them and perform Cross-Site Scripting attacks | |||||
| CVE-2021-24696 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2022-01-27 | 6.8 MEDIUM | 8.8 HIGH |
| The Simple Download Monitor WordPress plugin before 3.9.9 does not enforce nonce checks, which could allow attackers to perform CSRF attacks to 1) make admins export logs to exploit a separate log disclosure vulnerability (fixed in 3.9.6), 2) delete logs (fixed in 3.9.9), 3) remove thumbnail image from downloads | |||||
| CVE-2022-0154 | 1 Gitlab | 1 Gitlab | 2022-01-26 | 6.0 MEDIUM | 8.0 HIGH |
| An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account. | |||||
| CVE-2021-46027 | 1 Mysiteforme Project | 1 Mysiteforme | 2022-01-25 | 4.3 MEDIUM | 6.5 MEDIUM |
| mysiteforme, as of 19-12-2022, has a CSRF vulnerability in the background blog management. The attacker constructs a CSRF load. Once the administrator clicks a malicious link, a blog tag will be added | |||||
| CVE-2021-44777 | 1 Email Tracker Project | 1 Email Tracker | 2022-01-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerabilities leading to single or bulk e-mail entries deletion discovered in Email Tracker WordPress plugin (versions <= 5.2.6). | |||||
| CVE-2021-46028 | 1 Mblog Project | 1 Mblog | 2022-01-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| In mblog <= 3.5.0 there is a CSRF vulnerability in the background article management. The attacker constructs a CSRF load. Once the administrator clicks a malicious link, the article will be deleted. | |||||
| CVE-2022-0215 | 1 Xootix | 3 Login\/signup Popup, Side Cart Woocommerce, Waitlist Woocommerce | 2022-01-24 | 6.8 MEDIUM | 8.8 HIGH |
| The Login/Signup Popup, Waitlist Woocommerce ( Back in stock notifier ), and Side Cart Woocommerce (Ajax) WordPress plugins by XootiX are vulnerable to Cross-Site Request Forgery via the save_settings function found in the ~/includes/xoo-framework/admin/class-xoo-admin-settings.php file which makes it possible for attackers to update arbitrary options on a site that can be used to create an administrative user account and grant full privileged access to a compromised site. This affects versions <= 2.2 in Login/Signup Popup, versions <= 2.5.1 in Waitlist Woocommerce ( Back in stock notifier ), and versions <= 2.0 in Side Cart Woocommerce (Ajax). | |||||
| CVE-2021-43353 | 1 Crisp | 1 Live Chat | 2022-01-24 | 6.8 MEDIUM | 8.8 HIGH |
| The Crisp Live Chat WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the crisp_plugin_settings_page function found in the ~/crisp.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 0.31. | |||||
| CVE-2022-0180 | 1 Expresstech | 1 Quiz And Survey Master | 2022-01-24 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote attacker to hijack the authentication of administrators and conduct arbitrary operations via a specially crafted web page. | |||||
| CVE-2022-0245 | 1 Livehelperchat | 1 Livehelperchat | 2022-01-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) in GitHub repository livehelperchat/livehelperchat prior to 2.0. | |||||
| CVE-2021-4164 | 1 Calibre-web Project | 1 Calibre-web | 2022-01-22 | 6.8 MEDIUM | 8.8 HIGH |
| calibre-web is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2020-9454 | 1 Metagauss | 1 Registrationmagic | 2022-01-21 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF vulnerability in the RegistrationMagic plugin through 4.6.0.3 for WordPress allows remote attackers to forge requests on behalf of a site administrator to change all settings for the plugin, including deleting users, creating new roles with escalated privileges, and allowing PHP file uploads via forms. | |||||
| CVE-2022-0231 | 1 Livehelperchat | 1 Live Helper Chat | 2022-01-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2022-0226 | 1 Livehelperchat | 1 Live Helper Chat | 2022-01-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2021-41597 | 1 Salesagility | 1 Suitecrm | 2022-01-19 | 6.8 MEDIUM | 8.8 HIGH |
| SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive. | |||||
| CVE-2021-23227 | 1 Php Everywhere Project | 1 Php Everywhere | 2022-01-19 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability discovered in PHP Everywhere (WordPress plugin) versions (<= 2.0.2). | |||||
| CVE-2021-25052 | 1 Wow-company | 1 Button Generator | 2022-01-14 | 5.1 MEDIUM | 8.8 HIGH |
| The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE. | |||||
| CVE-2021-25053 | 1 Wow-company | 1 Wp Coder | 2022-01-14 | 5.1 MEDIUM | 8.8 HIGH |
| The WP Coder WordPress plugin before 2.5.2 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE. | |||||
| CVE-2021-25051 | 1 Wow-company | 1 Modal Window | 2022-01-14 | 5.1 MEDIUM | 8.8 HIGH |
| The Modal Window WordPress plugin before 5.2.2 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE. | |||||
| CVE-2021-34086 | 1 Ultimaker | 6 Ultimaker 3, Ultimaker 3 Firmware, Ultimaker S3 and 3 more | 2022-01-14 | 6.8 MEDIUM | 8.8 HIGH |
| In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D printer S-line through 6.3 and Ultimaker 3 through 5.2.16, the local webserver hosts APIs vulnerable to CSRF. They do not verify incoming requests. | |||||
| CVE-2021-46147 | 1 Mediawiki | 1 Mediawiki | 2022-01-13 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. MassEditRegex allows CSRF. | |||||
| CVE-2021-46080 | 1 Vehicle Service Management System Project | 1 Vehicle Service Management System | 2022-01-13 | 3.5 LOW | 4.8 MEDIUM |
| A Cross Site Request Forgery (CSRF) vulnerability exists in Vehicle Service Management System 1.0. An successful CSRF attacks leads to Stored Cross Site Scripting Vulnerability. | |||||
| CVE-2020-29292 | 1 Iball | 2 Wrd12en, Wrd12en Firmware | 2022-01-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| iBall WRD12EN 1.0.0 devices allow cross-site request forgery (CSRF) attacks as demonstrated by enabling DNS settings or modifying the range for IP addresses. | |||||
| CVE-2020-21236 | 1 Damicms | 1 Damicms | 2022-01-10 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in /damicms-master/admin.php?s=/Article/doedit of DamiCMS v6.0 allows attackers to compromise and impersonate user accounts via obtaining a user's session cookie. | |||||
| CVE-2021-20165 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2022-01-07 | 6.8 MEDIUM | 8.8 HIGH |
| Trendnet AC2600 TEW-827DRU version 2.08B01 does not properly implement csrf protections. Most pages lack proper usage of CSRF protections or mitigations. Additionally, pages that do make use of CSRF tokens are trivially bypassable as the server does not appear to validate them properly (i.e. re-using an old token or finding the token thru some other method is possible). | |||||
| CVE-2020-20945 | 1 Qibosoft | 1 Qibosoft | 2022-01-07 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) in /admin/index.php?lfj=member&action=editmember of Qibosoft v7 allows attackers to arbitrarily add administrator accounts. | |||||
| CVE-2020-20943 | 1 Qibosoft | 1 Qibosoft | 2022-01-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| A Cross-Site Request Forgery (CSRF) in /member/post.php?job=postnew&step=post of Qibosoft v7 allows attackers to force victim users into arbitrarily publishing new articles via a crafted URL. | |||||
| CVE-2021-4168 | 1 Showdoc | 1 Showdoc | 2022-01-06 | 6.8 MEDIUM | 8.8 HIGH |
| showdoc is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2021-4162 | 1 Archivy Project | 1 Archivy | 2022-01-04 | 4.3 MEDIUM | 4.3 MEDIUM |
| archivy is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2021-24852 | 1 Mousewheel Smooth Scroll Project | 1 Mousewheel Smooth Scroll | 2022-01-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| The MouseWheel Smooth Scroll WordPress plugin before 5.7 does not have CSRF check in place on its settings page, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2020-15600 | 1 Cmsuno Project | 1 Cmsuno | 2022-01-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password. | |||||