Total: 8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-4425 | 1 Wpmudev | 1 Defender Security | 2024-11-21 | N/A | 4.3 MEDIUM | The Defender Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.6. This is due to missing or incorrect nonce validation on the verify_otp_login_time() function. This makes it possible for unauthenticated attackers to verify a one-time login via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2021-4418 | 1 Wpfactory | 1 Custom Css, Js & Php | 2024-11-21 | N/A | 4.3 MEDIUM | The Custom CSS, JS & PHP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to save code snippets via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2021-4398 | 1 Amministrazione Trasparente Project | 1 Amministrazione Trasparente | 2024-11-21 | N/A | 8.8 HIGH | The Amministrazione Trasparente plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.1. This is due to missing or incorrect nonce validation on the at_save_aturl_meta() function. This makes it possible for unauthenticated attackers to update meta data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2021-4389 | 1 Wensolutions | 1 Wp Travel | 2024-11-21 | N/A | 4.3 MEDIUM | The WP Travel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.4.6. This is due to missing or incorrect nonce validation on the save_meta_data() function. This makes it possible for unauthenticated attackers to save metadata for travel posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2021-4373 | 1 Webberzone | 1 Better Search | 2024-11-21 | N/A | 8.8 HIGH | The Better Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to import settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2021-4349 | 1 Coolplugins | 1 Process Steps Template Designer | 2024-11-21 | N/A | 8.8 HIGH | The Process Steps Template Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.1. This makes it possible for unauthenticated attackers to conduct unspecified attacks via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2021-4275 | 1 Pyambic-pentameter Project | 1 Pyambic-pentameter | 2024-11-21 | N/A | 4.3 MEDIUM | A vulnerability, which was classified as problematic, was found in katlings pyambic-pentameter. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The name of the patch is 974f21aa1b2527ef39c8afe1a5060548217deca8. It is recommended to apply a patch to fix this issue. VDB-216498 is the identifier assigned to this vulnerability. |
| CVE-2021-4268 | 1 Phpredisadmin Project | 1 Phpredisadmin | 2024-11-21 | N/A | 4.3 MEDIUM | A vulnerability, which was classified as problematic, was found in phpRedisAdmin up to 1.17.3. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 1.18.0 is able to address this issue. The name of the patch is b9039adbb264c81333328faa9575ecf8e0d2be94. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216471. |
| CVE-2021-4168 | 1 Showdoc | 1 Showdoc | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | showdoc is vulnerable to Cross-Site Request Forgery (CSRF). |
| CVE-2021-4164 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | calibre-web is vulnerable to Cross-Site Request Forgery (CSRF). |
| CVE-2021-4162 | 1 Archivy Project | 1 Archivy | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | archivy is vulnerable to Cross-Site Request Forgery (CSRF). |
| CVE-2021-4131 | 1 Livehelperchat | 1 Live Helper Chat | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF). |
| CVE-2021-4130 | 1 Snipeitapp | 1 Snipe-it | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). |
| CVE-2021-4123 | 1 Livehelperchat | 1 Live Helper Chat | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF). |
| CVE-2021-4096 | 1 Radykal | 1 Fancy Product Designer | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for attackers to upload malicious files that could be used to gain webshell access to a server in versions up to, and including, 4.7.5. |
| CVE-2021-4092 | 1 Yetiforce | 1 Yetiforce Customer Relationship Management | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | yetiforcecrm is vulnerable to Cross-Site Request Forgery (CSRF). |
| CVE-2021-4082 | 1 Pimcore | 1 Pimcore | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | pimcore is vulnerable to Cross-Site Request Forgery (CSRF). |
| CVE-2021-4049 | 1 Livehelperchat | 1 Live Helper Chat | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF). |
| CVE-2021-4033 | 1 Kimai | 1 Kimai 2 | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | kimai2 is vulnerable to Cross-Site Request Forgery (CSRF). |
| CVE-2021-4030 | 1 Zyxel | 4 Nbg6816, Nbg6816 Firmware, Nbg6817 and 1 more | 2024-11-21 | 6.8 MEDIUM | 8.0 HIGH | A cross-site request forgery vulnerability in the HTTP daemon of the Zyxel ARMOR Z1/Z2 firmware could allow an attacker to execute arbitrary commands if they coerce or trick a local user to visit a compromised website with malicious scripts. |
| CVE-2021-4017 | 1 Showdoc | 1 Showdoc | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | showdoc is vulnerable to Cross-Site Request Forgery (CSRF). |
| CVE-2021-4015 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF). |
| CVE-2021-4005 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF). |
| CVE-2021-46426 | 1 Phpipam | 1 Phpipam | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | phpIPAM 1.4.4 allows Reflected XSS and CSRF via app/admin/subnets/find_free_section_subnets.php of the subnets functionality. |
| CVE-2021-46398 | 1 Filebrowser | 1 Filebrowser | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A Cross-Site Request Forgery vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim. An admin can run commands using the FileBrowser and hence it leads to RCE. |
| CVE-2021-46366 | 1 Magnolia-cms | 1 Magnolia Cms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue in the Login page of Magnolia CMS v6.2.3 and below allows attackers to exploit both an Open Redirect vulnerability and Cross-Site Request Forgery (CSRF) in order to brute force and exfiltrate users' credentials. |
| CVE-2021-46252 | 1 Scratch-wiki | 1 Scratch Confirmaccount V3 | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | A Cross-Site Request Forgery (CSRF) in RequirementsBypassPage.php of Scratch Wiki scratch-confirmaccount-v3 allows attackers to modify account request requirement bypasses. |
| CVE-2021-46147 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. MassEditRegex allows CSRF. |
| CVE-2021-46080 | 1 Vehicle Service Management System Project | 1 Vehicle Service Management System | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | A Cross Site Request Forgery (CSRF) vulnerability exists in Vehicle Service Management System 1.0. A successful CSRF attack leads to a Stored Cross Site Scripting vulnerability. |
| CVE-2021-46028 | 1 Mblog Project | 1 Mblog | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | In mblog <= 3.5.0 there is a CSRF vulnerability in the background article management. The attacker constructs a CSRF load. Once the administrator clicks a malicious link, the article will be deleted. |
| CVE-2021-45886 | 1 Ponton | 1 X/p Messenger | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in PONTON X/P Messenger before 3.11.2. Anti-CSRF tokens are globally valid, making the web application vulnerable to a weakened version of CSRF, where an arbitrary token of a low-privileged user (such as operator) can be used to confirm actions of higher-privileged ones (such as xpadmin). |
| CVE-2021-45785 | 1 Trudesk Project | 1 Trudesk | 2024-11-21 | N/A | 6.5 MEDIUM | TruDesk Help Desk/Ticketing Solution v1.1.11 is vulnerable to a Cross-Site Request Forgery (CSRF) attack which would allow an attacker to restart the server, causing a DoS attack. The attacker must craft a webpage that would perform a GET request to the /api/v1/admin/restart endpoint, then the victim (who has sufficient privileges) would visit the page and the server restart would begin. The attacker must know the full URL that TruDesk is on in order to craft the webpage. |
| CVE-2021-45326 | 1 Gitea | 1 Gitea | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes. This can be dangerous especially with state altering POST requests. |
| CVE-2021-45268 | 1 Backdropcms | 1 Backdrop | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a malicious add-on with a crafted PHP file. NOTE: the vendor disputes this because the attack requires a session cookie of a high-privileged authenticated user who is entitled to install arbitrary add-ons. |
| CVE-2021-45017 | 1 Catfish-cms | 1 Catfish Cms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Cross Site Request Forgery (CSRF) vulnerability exists in Catfish <=6.1.* when you upload an html file containing CSRF on the website that uses a google editor; you can specify the menu url address as your malicious url address in the Add Menu column. |
| CVE-2021-45007 | 1 Plesk | 1 Plesk | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | Plesk 18.0.37 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows an attacker to insert data on the user and admin panel. NOTE: the vendor states that this is only a site-specific problem on websites of one or more Plesk users. |
| CVE-2021-44942 | 1 Glfusion | 1 Glfusion | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | glFusion CMS 1.7.9 is affected by a Cross Site Request Forgery (CSRF) vulnerability in /public_html/admin/plugins/bad_behavior2/blacklist.php. Using the CSRF vulnerability to trick the administrator into clicking, an attacker can add a blacklist. |
| CVE-2021-44777 | 1 Email Tracker Project | 1 Email Tracker | 2024-11-21 | 4.3 MEDIUM | 5.4 MEDIUM | Cross-Site Request Forgery (CSRF) vulnerabilities leading to single or bulk e-mail entries deletion discovered in Email Tracker WordPress plugin (versions <= 5.2.6). |
| CVE-2021-44321 | 1 Mini-inventory-and-sales-management-system Project | 1 Mini-inventory-and-sales-management-system | 2024-11-21 | 4.3 MEDIUM | 5.0 MEDIUM | Mini-Inventory-and-Sales-Management-System is affected by Cross Site Request Forgery (CSRF), where an attacker can update/delete items in the inventory. The attacker must be logged into the application and create a malicious file for updating the inventory details and items. |
| CVE-2021-44312 | 1 Firmware Analysis And Comparison Tool Project | 1 Firmware Analysis And Comparison Tool | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in Firmware Analysis and Comparison Tool v3.2. Logged in administrators could be targeted by a CSRF attack through visiting a crafted web page. |