Total: 8760 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-32776 | 1 Combodo | 1 Itop | 2024-11-21 | 6.8 MEDIUM | 6.8 MEDIUM | Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, CSRF tokens can be reused by a malicious user, as on Windows servers no cleanup is done on CSRF tokens. This issue is fixed in versions 2.7.4 and 3.0.0. |
| CVE-2021-32774 | 1 Miraheze | 1 Datadump | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM | DataDump is a MediaWiki extension that provides dumps of wikis. Prior to commit 67a82b76e186925330b89ace9c5fd893a300830b, DataDump had no protection against CSRF attacks, so requests to generate or delete dumps could be forged. The vulnerability was patched in commit 67a82b76e186925330b89ace9c5fd893a300830b. There are no known workarounds. You must completely disable DataDump. |
| CVE-2021-32732 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH | Impact: It's possible to learn whether a user has an account in a wiki tied to an email address, and which username(s) are actually tied to that email, by forging a request to the Forgot username page. Note that since this page does not have a CSRF check it's quite easy to perform a lot of those requests. Patches: This issue has been patched in XWiki 12.10.5 and 13.2RC1. Two different patches are provided: a first one to fix the CSRF problem, and a more complex one that now relies on send ... |
| CVE-2021-32730 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 4.3 MEDIUM | 5.7 MEDIUM | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A cross-site request forgery vulnerability exists in versions prior to 12.10.5, and in versions 13.0 through 13.1. It's possible to forge a URL that, when accessed by an admin, will reset the password of any user in XWiki. The problem has been patched in XWiki 12.10.5 and 13.2RC1. As a workaround, it is possible to apply the patch manually by modifying the `register_macros.vm` template. |
| CVE-2021-32677 | 2 Fedoraproject, Tiangolo | 2 Fedora, Fastapi | 2024-11-21 | 5.8 MEDIUM | 8.2 HIGH | FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack. In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. applicatio ... |
| CVE-2021-32632 | 1 Pajbot | 1 Pajbot | 2024-11-21 | 4.3 MEDIUM | 2.4 LOW | Pajbot is a Twitch chat bot. Pajbot versions prior to 1.52 are vulnerable to cross-site request forgery (CSRF). Hosters of the bot should upgrade to `v1.52` or `stable` to install the patch or, as a workaround, can add one modern dependency. |
| CVE-2021-32424 | 1 Trendnet | 2 Tw100-s4w1ca, Tw100-s4w1ca Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | In TrendNet TW100-S4W1CA 2.3.32, due to a lack of proper session controls, a threat actor could make unauthorized changes to an affected router via a specially crafted web page. If an authenticated user were to interact with a malicious web page, it could allow for a complete takeover of the router. |
| CVE-2021-32403 | 1 Intelbras | 2 Rf 301k, Rf 301k Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Intelbras Router RF 301K Firmware 1.1.2 is vulnerable to Cross Site Request Forgery (CSRF) due to lack of security mechanisms for token protection and unsafe inputs and modules. |
| CVE-2021-32402 | 1 Intelbras | 2 Rf 301k, Rf 301k Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Intelbras Router RF 301K Firmware 1.1.2 is vulnerable to Cross Site Request Forgery (CSRF) due to lack of validation and insecure configurations in inputs and modules. |
| CVE-2021-32162 | 1 Webmin | 1 Webmin | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 through the File Manager feature. |
| CVE-2021-32159 | 1 Webmin | 1 Webmin | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Upload and Download feature. |
| CVE-2021-32156 | 1 Webmin | 1 Webmin | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Scheduled Cron Jobs feature. |
| CVE-2021-32122 | 1 Netgear | 8 Ex3700, Ex3700 Firmware, Ex3800 and 5 more | 2024-11-21 | 5.4 MEDIUM | 9.8 CRITICAL | Certain NETGEAR devices are affected by CSRF. This affects EX3700 before 1.0.0.90, EX3800 before 1.0.0.90, EX6120 before 1.0.0.64, and EX6130 before 1.0.0.44. |
| CVE-2021-32096 | 1 Nsa | 1 Emissary | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | The ConsoleAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows a CSRF attack that results in injecting arbitrary Ruby code (for an eval call) via the CONSOLE_COMMAND_STRING parameter. |
| CVE-2021-32073 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to the web manager, allowing remote code execution. |
| CVE-2021-31762 | 1 Webmin | 1 Webmin | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to create a privileged user through Webmin's add users feature, and then get a reverse shell through Webmin's running process feature. |
| CVE-2021-31760 | 1 Webmin | 1 Webmin | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to achieve Remote Command Execution (RCE) through Webmin's running process feature. |
| CVE-2021-31679 | 1 Pescms | 1 Pescms Team | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | An issue was discovered in PESCMS-V2.3.3. There is a CSRF vulnerability that allows attackers to delete admin and other members' account numbers. |
| CVE-2021-31678 | 1 Pescms | 1 Pescms Team | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | An issue was discovered in PESCMS-V2.3.3. There is a CSRF vulnerability that can delete import information about a user's company. |
| CVE-2021-31677 | 1 Pescms | 1 Pescms Team | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | An issue was discovered in PESCMS-V2.3.3. There is a CSRF vulnerability that can modify admin and other members' passwords. |
| CVE-2021-31659 | 1 Tp-link | 4 Tl-sg2005, Tl-sg2005 Firmware, Tl-sg2008 and 1 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | TP-Link TL-SG2005, TL-SG2008, etc. 1.0.0 Build 20180529 Rel.40524 is vulnerable to Cross Site Request Forgery (CSRF). All configuration information is placed in the URL, without any additional token authentication information. A malicious link opened by the switch administrator may cause the password of the switch to be modified and the configuration file to be tampered with. |
| CVE-2021-31631 | 1 B2evolution | 1 B2evolution Cms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | b2evolution CMS v7.2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the User login page. This vulnerability allows attackers to escalate privileges. |
| CVE-2021-31604 | 1 Openvpn-monitor Project | 1 Openvpn-monitor | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | furlongm openvpn-monitor through 1.1.3 allows CSRF to disconnect an arbitrary client. |
| CVE-2021-31584 | 1 Sipwise | 1 Next Generation Communication Platform | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Sipwise C5 NGCP www_csc version 3.6.4 up to and including platform NGCP CE mr3.8.13 allows call/click2dial CSRF attacks for actions with administrative privileges. |
| CVE-2021-31152 | 1 Multilaser | 2 Ac1200 Re018, Ac1200 Re018 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Multilaser Router AC1200 V02.03.01.45_pt contains a cross-site request forgery (CSRF) vulnerability. An attacker can enable remote access, change passwords, and perform other actions through misconfigured requests, entries, and headers. |
| CVE-2021-30224 | 1 Rukovoditel | 1 Rukovoditel | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Cross Site Request Forgery (CSRF) in Rukovoditel v2.8.3 allows attackers to create an admin user with arbitrary credentials. |
| CVE-2021-30147 | 1 Dmasoftlab | 1 Radius Manager | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | DMA Softlab Radius Manager 4.4.0 allows CSRF with impacts such as adding new manager accounts via admin.php. |
| CVE-2021-30114 | 1 Web-school | 1 Enterprise Resource Planning | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a voucher payment request through module/accounting/voucher/create. The application fails to validate the CSRF token for a POST request using admin privilege. |
| CVE-2021-30112 | 1 Web-school | 1 Enterprise Resource Planning | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a student_leave_application request through module/core/studentleaveapplication/create. The application fails to validate the CSRF token for a POST request using Guardian privilege. |
| CVE-2021-29995 | 1 Cloverdx | 1 Cloverdx | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A Cross Site Request Forgery (CSRF) issue in Server Console in CloverDX through 5.9.0 allows remote attackers to execute any action as the logged-in user (including script execution). The issue is resolved in CloverDX 5.10, CloverDX 5.9.1, CloverDX 5.8.2, and CloverDX 5.7.1. |
| CVE-2021-29888 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 207123. |
| CVE-2021-29837 | 1 Ibm | 1 Sterling B2b Integrator | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 204913. |
| CVE-2021-29823 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2024-11-21 | N/A | 6.5 MEDIUM | IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 are vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 204465. |
| CVE-2021-29816 | 3 Ibm, Linux, Microsoft | 4 Aix, Jazz For Service Management, Linux Kernel and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI are vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 204341. |
| CVE-2021-29757 | 1 Ibm | 1 Qradar User Behavior Analytics | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | IBM QRadar User Behavior Analytics 4.1.1 is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 202168. |
| CVE-2021-29756 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | IBM Cognos Analytics 11.1.7 and 11.2.0 are vulnerable to cross-site request forgery (CSRF) in the My Inbox page, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 202167. |
| CVE-2021-29660 | 1 Softing | 1 Opc Toolbox | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A Cross-Site Request Forgery (CSRF) vulnerability in en/cfg_setpwd.html in Softing AG OPC Toolbox through 4.10.1.13035 allows attackers to reset the administrative password by inducing the Administrator user to browse a URL controlled by an attacker. |
| CVE-2021-29624 | 1 Fastify | 1 Fastify-csrf | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | fastify-csrf is an open-source plugin that helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Version 3.1.0 of fastify-csrf fixes the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is ... |
| CVE-2021-29436 | 1 Anuko | 1 Time Tracker | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM | Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In Time Tracker before version 1.19.27.5431 a Cross site request forgery (CSRF) vulnerability existed. The nature of CSRF is that a logged-on user may be tricked by social engineering into clicking on an attacker-provided form that executes an unintended action such as changing the user password. The vulnerability is fixed in Time Tracker version 1.19.27.5431. Upgrade is recommended. If upgrade is not practical, int ... |
| CVE-2021-29435 | 1 Trestle-auth Project | 1 Trestle-auth | 2024-11-21 | 4.3 MEDIUM | 8.1 HIGH | trestle-auth is an authentication plugin for the Trestle admin framework. A vulnerability in trestle-auth versions 0.4.0 and 0.4.1 allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially allows an attacker to alter protected data, including admin account credentials. The vulnerability has been fixed in trestle-auth 0.4.2 released to RubyGems. |