Total: 8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-29400 | 1 Netexplorer | 1 My Smtp Contact | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | A cross-site request forgery (CSRF) vulnerability in the My SMTP Contact v1.1.1 plugin for GetSimple CMS allows remote attackers to change the SMTP settings of the contact forms for the webpages of the CMS after an authenticated admin visits a malicious third-party site. |
| CVE-2021-29349 | 1 Mahara | 1 Mahara | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | Mahara 20.10 is affected by Cross Site Request Forgery (CSRF) that allows a remote attacker to remove inbox-mail on the server. The application fails to validate the CSRF token for a POST request. An attacker can craft a module/multirecipientnotification/inbox.php pieform_delete_all_notifications request, which leads to removing all messages from a mailbox. |
| CVE-2021-29238 | 1 Codesys | 1 Automation Server | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | CODESYS Automation Server before 1.16.0 allows cross-site request forgery (CSRF). |
| CVE-2021-29054 | 1 Papoo | 1 Papoo | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Certain Papoo products are affected by: Cross Site Request Forgery (CSRF) in the admin interface. This affects Papoo CMS Light through 21.02 and Papoo CMS Pro through 6.0.1. The impact is: gain privileges (remote). |
| CVE-2021-29050 | | | 2024-11-21 | N/A | 8.8 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in the terms of use page in Liferay Portal before 7.3.6, and Liferay DXP 7.3 before service pack 1, 7.2 before fix pack 11 allows remote attackers to accept the site's terms of use via social engineering and enticing the user to visit a malicious page. |
| CVE-2021-28490 | 1 Owasp | 1 Csrfguard | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | In OWASP CSRFGuard through 3.1.0, CSRF can occur because the CSRF cookie may be retrieved by using only a session token. |
| CVE-2021-28280 | 1 Php-fusion | 1 Phpfusion | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | CSRF + Cross-site scripting (XSS) vulnerability in search.php in PHPFusion 9.03.110 allows remote attackers to inject arbitrary web script or HTML. |
| CVE-2021-28070 | 1 Popojicms | 1 Popojicms | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | Cross Site Request Forgery (CSRF) vulnerability exists in PopojiCMS 2.0.1 in po-admin/route.php?mod=user&act=multidelete. |
| CVE-2021-27927 | 1 Zabbix | 1 Zabbix | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls disableSIDvalidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges. |
| CVE-2021-27885 | 1 E107 | 1 E107 | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism. |
| CVE-2021-27759 | 1 Hcltech | 1 Bigfix Inventory | 2024-11-21 | 4.3 MEDIUM | 2.3 LOW | This vulnerability arises because the application allows the user to perform some sensitive action without verifying that the request was sent intentionally. An attacker can cause a victim's browser to emit an HTTP request to an arbitrary URL in the application. |
| CVE-2021-27758 | 1 Hcltech | 1 Bigfix Inventory | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | There is a security vulnerability in the login form related to Cross-site Request Forgery which prevents users from logging in after an attacker spams the login and the system blocks the victim's account. |
| CVE-2021-27557 | 1 Easycorp | 1 Zentao | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | A cross-site request forgery (CSRF) vulnerability in the Cron job tab in EasyCorp ZenTao 12.5.3 allows attackers to update the fields of a Cron job. |
| CVE-2021-27181 | 1 Altn | 1 Mdaemon | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in MDaemon before 20.0.4. Remote Administration allows an attacker to perform a fixation of the anti-CSRF token. In order to exploit this issue, the user has to click on a malicious URL provided by the attacker and successfully authenticate into the application. Having the value of the anti-CSRF token, the attacker may trick the user into visiting his malicious page and performing any request with the privileges of the attacked user. |
| CVE-2021-26961 | 1 Arubanetworks | 1 Airwave | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A remote unauthenticated cross-site request forgery (csrf) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. A vulnerability in the AirWave web-based management interface could allow an unauthenticated remote attacker to conduct a CSRF attack against a vulnerable system. A successful exploit would consist of an attacker persuading an authorized user to follow a malicious link, resulting in arbitrary actions being carried out with the privilege level ... |
| CVE-2021-26960 | 1 Arubanetworks | 1 Airwave | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A remote unauthenticated cross-site request forgery (csrf) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. A vulnerability in the AirWave web-based management interface could allow an unauthenticated remote attacker to conduct a CSRF attack against a vulnerable system. A successful exploit would consist of an attacker persuading an authorized user to follow a malicious link, resulting in arbitrary actions being carried out with the privilege level ... |
| CVE-2021-26800 | 1 User Management System In Php Stored Procedure Project | 1 User Management System In Php Stored Procedure | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | Cross Site Request Forgery (CSRF) vulnerability in Change-password.php in phpgurukul user management system in php using stored procedure V1.0, allows attackers to change the password to an arbitrary account. |
| CVE-2021-26474 | 1 Vembu | 2 Bdr Suite, Offsite Dr | 2024-11-21 | 6.8 MEDIUM | 8.6 HIGH | Various Vembu products allow an attacker to execute a (non-blind) http-only Cross Site Request Forgery. (Other products or versions of products in this family may be affected too.) |
| CVE-2021-26296 | 2 Apache, Netapp | 2 Myfaces, Oncommand Insight | 2024-11-21 | 5.1 MEDIUM | 7.5 HIGH | In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application. |
| CVE-2021-26216 | 1 Seeddms | 1 Seeddms | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | SeedDMS 5.1.x is affected by cross-site request forgery (CSRF) in out.EditFolder.php. |
| CVE-2021-26215 | 1 Seeddms | 1 Seeddms | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | SeedDMS 5.1.x is affected by cross-site request forgery (CSRF) in out.EditDocument.php. |
| CVE-2021-26071 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2024-11-21 | 3.5 LOW | 3.5 LOW | The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability. |
| CVE-2021-26034 | 1 Joomla | 1 Joomla! | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in data download endpoints in com_banners and com_sysinfo. |
| CVE-2021-26033 | 1 Joomla | 1 Joomla! | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint. |
| CVE-2021-25976 | 1 Dotnetfoundation | 1 Piranha Cms | 2024-11-21 | 4.0 MEDIUM | 8.1 HIGH | In PiranhaCMS, versions 4.0.0-alpha1 to 9.2.0 are vulnerable to cross-site request forgery (CSRF) when performing various actions supported by the management system, such as deleting a user, deleting a role, editing a post, deleting a media folder etc., when an ID is known. |
| CVE-2021-25965 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application. |
| CVE-2021-25924 | 1 Thoughtworks | 1 Gocd | 2024-11-21 | 9.3 HIGH | 8.8 HIGH | In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the `/go/api/config/backup` endpoint. An attacker can trick a victim into clicking on a malicious link which could change backup configurations or execute system commands in the post_backup_script field. |
| CVE-2021-25765 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | In JetBrains YouTrack before 2020.4.4701, CSRF via attachment upload was possible. |
| CVE-2021-25327 | 1 Skyworthdigital | 2 Rn510, Rn510 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | Skyworth Digital Technology RN510 V.3.1.0.4 contains a cross-site request forgery (CSRF) vulnerability in /cgi-bin/net-routeadd.asp and /cgi-bin/sec-urlfilter.asp. Missing CSRF protection in devices can lead to XSRF, as the above pages are vulnerable to cross-site scripting (XSS). |
| CVE-2021-25326 | 1 Skyworthdigital | 2 Rn510, Rn510 Firmware | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Skyworth Digital Technology RN510 V.3.1.0.4 is affected by an incorrect access control vulnerability in /cgi-bin/test_version.asp. If Wi-Fi is connected but an unauthenticated user visits a URL, the SSID password and web UI password may be disclosed. |
| CVE-2021-25116 | 1 Enqueue Anything Project | 1 Enqueue Anything | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | The Enqueue Anything WordPress plugin through 1.0.1 does not have authorisation and CSRF checks in the remove_asset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low privilege users such as subscribers could delete arbitrary assets, as well as put arbitrary posts in the trash. |
| CVE-2021-25108 | 1 Ip2location | 1 Country Blocker | 2024-11-21 | 5.8 MEDIUM | 7.1 HIGH | The IP2Location Country Blocker WordPress plugin before 2.26.6 does not have a CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged in admin block an arbitrary country, or block all of them at once, preventing users from accessing the frontend. |
| CVE-2021-25098 | 1 Fatcatapps | 1 Easy Pricing Tables | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | The Pricing Tables WordPress plugin before 3.1.3 does not verify the CSRF nonce when removing posts, allowing attackers to make a logged in admin remove arbitrary posts from the blog via a CSRF attack, which will be put in the trash. |
| CVE-2021-25097 | 1 Creativityjuice | 1 Labtools | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | The LabTools WordPress plugin through 1.0 does not have proper authorisation and CSRF checks in place when deleting publications, allowing any authenticated user, such as a subscriber, to delete arbitrary publications. |
| CVE-2021-25095 | 1 Ip2location | 1 Country Blocker | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH | The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated user, such as a subscriber, to call it and block an arbitrary country, or block all of them at once, preventing users from accessing the frontend. |
| CVE-2021-25092 | 1 Ylefebvre | 1 Link Library | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | The Link Library WordPress plugin before 7.2.8 does not have a CSRF check when resetting library settings, allowing attackers to make a logged in admin reset arbitrary settings via a CSRF attack. |
| CVE-2021-25081 | 1 Wpgooglemap | 1 Wp Google Map | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin's settings via a CSRF attack. |
| CVE-2021-25073 | 1 Webmaster-source | 1 Wp125 | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | The WP125 WordPress plugin before 1.5.5 does not have CSRF checks in various actions, for example when deleting an ad, allowing attackers to make a logged in admin delete ads via a CSRF attack. |
| CVE-2021-25072 | 1 Nextscripts | 1 Social Networks Auto Poster | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.25 does not have a CSRF check in place when deleting items, allowing attackers to make a logged in admin delete arbitrary posts via a CSRF attack. |
| CVE-2021-25053 | 1 Wow-company | 1 Wp Coder | 2024-11-21 | 5.1 MEDIUM | 8.8 HIGH | The WP Coder WordPress plugin before 2.5.2 within the wow-company admin menu page allows include() of an arbitrary file with a PHP extension (as well as via the data:// or http:// protocols), thus leading to CSRF RCE. |