Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-30694 | 1 Siemens | 223 6ag1151-8ab01-7ab0, 6ag1151-8ab01-7ab0 Firmware, 6ag1151-8fb01-2ab0 and 220 more | 2024-11-21 | N/A | 6.5 MEDIUM |
|
The login endpoint /FormLogin in affected web services does not apply proper origin checking.
This could allow authenticated remote attackers to track the activities of other users via a login cross-site request forgery attack.
|
|||||
| CVE-2022-30544 | 1 Hyumika | 1 Openstreetmap | 2024-11-21 | N/A | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) in MiKa's OSM – OpenStreetMap plugin <= 6.0.1 versions.
|
|||||
| CVE-2022-30337 | 1 Joomunited | 1 Wp Meta Seo | 2024-11-21 | N/A | 5.4 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in JoomUnited WP Meta SEO plugin <= 4.4.8 at WordPress allows an attacker to update the social settings.
|
|||||
| CVE-2022-30328 | 1 Trendnet | 2 Tew-831dr, Tew-831dr Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
An issue was found on TRENDnet TEW-831DR 1.0 601.130.1.1356 devices. The username and password setup for the web interface does not require entering the existing password. A malicious user can change the username and password of the interface.
|
|||||
| CVE-2022-30327 | 1 Trendnet | 2 Tew-831dr, Tew-831dr Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
An issue was found on TRENDnet TEW-831DR 1.0 601.130.1.1356 devices. The web interface is vulnerable to CSRF. An attacker can change the pre-shared key of the Wi-Fi router if the interface's IP address is known.
|
|||||
| CVE-2022-30280 | 1 Nokia | 1 Netact | 2024-11-21 | N/A | 8.8 HIGH |
|
/SecurityManagement/html/createuser.jsf in Nokia NetAct 22 allows CSRF. A remote attacker is able to create users with arbitrary privileges, even administrative privileges. The application (even if it implements a CSRF token for the random GET request) does not ever verify a CSRF token. With a little help of social engineering/phishing (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim ...
Show More |
|||||
| CVE-2022-30014 | 1 Simple Food Website Project | 1 Simple Food Website | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Lumidek Associates Simple Food Website 1.0 is vulnerable to Cross Site Request Forgery (CSRF) which allows anyone to takeover admin/moderater account.
|
|||||
| CVE-2022-2986 | 1 Moodle | 1 Moodle | 2024-11-21 | N/A | 8.8 HIGH |
|
Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.
|
|||||
| CVE-2022-2839 | 1 Zephyr-one | 1 Zephyr Project Manager | 2024-11-21 | N/A | 5.4 MEDIUM |
|
The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins.
|
|||||
| CVE-2022-2783 | 1 Octopus | 1 Octopus Server | 2024-11-21 | N/A | 5.3 MEDIUM |
|
In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token
|
|||||
| CVE-2022-2657 | 1 Wc-marketplace | 1 Multivendor Marketplace Solution For Woocommerce - Wc Marketplace | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Multivendor Marketplace Solution for WooCommerce WordPress plugin before 3.8.12 is lacking authorisation and CSRF in multiple AJAX actions, which could allow any authenticated users, such as subscriber to call them and suspend vendors (reporter by the submitter) or update arbitrary order status (identified by WPScan when verifying the issue) for example. Other unauthenticated attacks are also possible, either directly or via CSRF
|
|||||
| CVE-2022-2555 | 1 Yotpo Reviews For Woocommerce Project | 1 Yotpo Reviews For Woocommerce | 2024-11-21 | N/A | 6.5 MEDIUM |
|
The Yotpo Reviews for WooCommerce WordPress plugin through 2.0.4 lacks nonce check when updating its settings, which could allow attacker to make a logged in admin change them via a CSRF attack.
|
|||||
| CVE-2022-2540 | 1 Link Optimizer Lite Project | 1 Link Optimizer Lite | 2024-11-21 | N/A | 8.8 HIGH |
|
The Link Optimizer Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 1.4.5. This is due to missing nonce validation on the admin_page function found in the ~/admin.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2022-2441 | 1 Orangelab | 1 Imagemagick Engine | 2024-11-21 | N/A | 8.8 HIGH |
|
The ImageMagick Engine plugin for WordPress is vulnerable to remote code execution via the 'cli_path' parameter in versions up to, and including 1.7.5. This makes it possible for unauthenticated users to run arbitrary commands leading to remote command execution, granted they can trick a site administrator into performing an action such as clicking on a link. This makes it possible for an attacker to create and or modify files hosted on the server which can easily grant attackers backdoor access ...
Show More |
|||||
| CVE-2022-2432 | 1 Lightspeedhq | 1 Ecwid Ecommerce Shopping Cart | 2024-11-21 | N/A | 8.8 HIGH |
|
The Ecwid Ecommerce Shopping Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.10.23. This is due to missing or incorrect nonce validation on the ecwid_update_plugin_params function. This makes it possible for unauthenticated attackers to update plugin options granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2022-2389 | 1 Funnelkit | 1 Funnelkit Automations | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Abandoned Cart Recovery for WooCommerce, Follow Up Emails, Newsletter Builder & Marketing Automation By Autonami WordPress plugin before 2.1.2 does not have authorisation and CSRF checks in one of its AJAX action, allowing any authenticated users, such as subscriber to create automations
|
|||||
| CVE-2022-2388 | 1 Wow-company | 1 Wp Coder | 2024-11-21 | N/A | 6.5 MEDIUM |
|
The WP Coder WordPress plugin before 2.5.3 does not have CSRF check in place when deleting code created by the plugin, which could allow attackers to make a logged in admin delete arbitrary ones via a CSRF attack
|
|||||
| CVE-2022-2382 | 1 Shapedplugin | 1 Product Slider For Woocommerce | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Product Slider for WooCommerce WordPress plugin before 2.5.7 has flawed CSRF checks and lack authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber to call them. One in particular could allow them to delete arbitrary blog options.
|
|||||
| CVE-2022-2381 | 1 E Unlocked - Student Result Project | 1 E Unlocked - Student Result | 2024-11-21 | N/A | 8.8 HIGH |
|
The E Unlocked - Student Result WordPress plugin through 1.0.4 is lacking CSRF and validation when uploading the School logo, which could allow attackers to make a logged in admin upload arbitrary files, such as PHP via a CSRF attack
|
|||||
| CVE-2022-2377 | 1 Wpwax | 1 Directorist | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog
|
|||||
| CVE-2022-2375 | 1 Okapitech | 1 Wp Sticky Button | 2024-11-21 | N/A | 5.4 MEDIUM |
|
The WP Sticky Button WordPress plugin before 1.4.1 does not have authorisation and CSRF checks when saving its settings, allowing unauthenticated users to update them. Furthermore, due to the lack of escaping in some of them, it could lead to Stored Cross-Site Scripting issues
|
|||||
| CVE-2022-2353 | 1 Microweber | 1 Microweber | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user.
|
|||||
| CVE-2022-2350 | 1 Brainvire | 1 Disable User Login | 2024-11-21 | N/A | 5.3 MEDIUM |
|
The Disable User Login WordPress plugin through 1.0.1 does not have authorisation and CSRF checks when updating its settings, allowing unauthenticated attackers to block (or unblock) users at will.
|
|||||
| CVE-2022-2312 | 1 Student Result Or Employee Database Project | 1 Student Result Or Employee Database | 2024-11-21 | N/A | 5.4 MEDIUM |
|
The Student Result or Employee Database WordPress plugin before 1.7.5 does not have CSRF in its AJAX actions, allowing attackers to make logged in user with a role as low as contributor to add/edit and delete students via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site scripting
|
|||||
| CVE-2022-2276 | 1 Wp Edit Menu Project | 1 Wp Edit Menu | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The WP Edit Menu WordPress plugin before 1.5.0 does not have authorisation and CSRF in an AJAX action, which could allow unauthenticated attackers to delete arbitrary posts/pages from the blog
|
|||||
| CVE-2022-2275 | 1 Wp Edit Menu Project | 1 Wp Edit Menu | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The WP Edit Menu WordPress plugin before 1.5.0 does not have CSRF in an AJAX action, which could allow attackers to make a logged in admin delete arbitrary posts/pages from the blog via a CSRF attack
|
|||||
| CVE-2022-2260 | 1 Givewp | 1 Givewp | 2024-11-21 | N/A | 6.5 MEDIUM |
|
The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack as the plugin will try to retrieve data from the database many times which leads to overwhelm the target's CPU.
|
|||||
| CVE-2022-2245 | 1 Wow-company | 1 Counter Box | 2024-11-21 | N/A | 8.8 HIGH |
|
The Counter Box WordPress plugin before 1.2.1 is lacking CSRF check when activating and deactivating counters, which could allow attackers to make a logged in admin perform such actions via CSRF attacks
|
|||||
| CVE-2022-2184 | 1 Wpwhitesecurity | 1 Captcha 4wp | 2024-11-21 | N/A | 8.8 HIGH |
|
The CAPTCHA 4WP WordPress plugin before 7.1.0 lets user input reach a sensitive require_once call in one of its admin-side templates. This can be abused by attackers, via a Cross-Site Request Forgery attack to run arbitrary code on the server.
|
|||||
| CVE-2022-2172 | 1 Linkworth | 1 Linkworth | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The LinkWorth WordPress plugin before 3.3.4 does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack.
|
|||||
| CVE-2022-2171 | 1 Crowdfavorite | 1 Progressive License | 2024-11-21 | N/A | 5.4 MEDIUM |
|
The Progressive License WordPress plugin through 1.1.0 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the settings, this could lead to Stored XSS issue which will be triggered in the frontend as well.
|
|||||
| CVE-2022-2146 | 1 Import Csv Files Project | 1 Import Csv Files | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Import CSV Files WordPress plugin through 1.0 does not sanitise and escaped imported data before outputting them back in a page, and is lacking CSRF check when performing such action as well, resulting in a Reflected Cross-Site Scripting
|
|||||
| CVE-2022-2144 | 1 Jquery Validation For Contact Form 7 Project | 1 Jquery Validation For Contact Form 7 | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The Jquery Validation For Contact Form 7 WordPress plugin before 5.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change Blog options like default_role, users_can_register via a CSRF attack
|
|||||
| CVE-2022-2123 | 1 Wp Opt-in Project | 1 Wp Opt-in | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The WP Opt-in WordPress plugin through 1.4.1 is vulnerable to CSRF which allows changed plugin settings and can be used for sending spam emails.
|
|||||
| CVE-2022-2091 | 1 Cache Images Project | 1 Cache Images | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The Cache Images WordPress plugin before 3.2.1 does not implement nonce checks, which could allow attackers to make any logged user upload images via a CSRF attack.
|
|||||
| CVE-2022-2071 | 1 Name Directory Project | 1 Name Directory | 2024-11-21 | N/A | 6.1 MEDIUM |
|
The Name Directory WordPress plugin before 1.25.4 does not have CSRF check when importing names, and is also lacking sanitisation as well as escaping in some of the imported data, which could allow attackers to make a logged in admin import arbitrary names with XSS payloads in them.
|
|||||
| CVE-2022-29905 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF.
|
|||||
| CVE-2022-29903 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains.
|
|||||
| CVE-2022-29735 | 1 Deltacontrols | 2 Entelitouch, Entelitouch Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Delta Controls enteliTOUCH 3.40.3935, 3.40.3706, and 3.33.4005 allows attackers to execute arbitrary commands via a crafted HTTP request.
|
|||||
| CVE-2022-29647 | 1 Mingsoft | 1 Mcms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in MCMS 5.2.7. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do.
|
|||||