Total
4240 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-4846 | 1 Usememos | 1 Memos | 2023-01-05 | N/A | 6.5 MEDIUM |
| Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1. | |||||
| CVE-2022-4845 | 1 Usememos | 1 Memos | 2023-01-05 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1. | |||||
| CVE-2022-4844 | 1 Usememos | 1 Memos | 2023-01-05 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1. | |||||
| CVE-2022-4266 | 1 Speakdigital | 1 Bulk Delete Users By Email | 2023-01-04 | N/A | 6.5 MEDIUM |
| The Bulk Delete Users by Email WordPress plugin through 1.2 does not have CSRF check when deleting users, which could allow attackers to make a logged in admin delete non admin users by knowing their email via a CSRF attack | |||||
| CVE-2022-46491 | 1 Nbnbk Project | 1 Nbnbk | 2022-12-30 | N/A | 6.5 MEDIUM |
| A Cross-Site Request Forgery (CSRF) vulnerability in the Add Administrator function of the default version of nbnbk allows attackers to arbitrarily add Administrator accounts. | |||||
| CVE-2022-4633 | 1 Auto Upload Images Project | 1 Auto Upload Images | 2022-12-30 | N/A | 8.8 HIGH |
| A vulnerability was found in Auto Upload Images up to 3.3.0 and classified as problematic. Affected by this issue is some unknown functionality of the file src/setting-page.php of the component Settings Handler. The manipulation leads to cross-site request forgery. The attack may be launched remotely. Upgrading to version 3.3.1 is able to address this issue. The name of the patch is 895770ee93887ec78429c78ffdfb865bee6f9436. It is recommended to upgrade the affected component. VDB-216482 is the identifier assigned to this vulnerability. | |||||
| CVE-2022-4646 | 1 Ikus-soft | 1 Rdiffweb | 2022-12-29 | N/A | 6.5 MEDIUM |
| Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.5.4. | |||||
| CVE-2020-36625 | 1 Destiny | 1 Chat | 2022-12-28 | N/A | 8.8 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in destiny.gg chat. It has been rated as problematic. This issue affects the function websocket.Upgrader of the file main.go. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The name of the patch is bebd256fc3063111fb4503ca25e005ebf6e73780. It is recommended to apply a patch to fix this issue. The identifier VDB-216521 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2021-4275 | 1 Pyambic-pentameter Project | 1 Pyambic-pentameter | 2022-12-28 | N/A | 8.8 HIGH |
| A vulnerability, which was classified as problematic, was found in katlings pyambic-pentameter. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The name of the patch is 974f21aa1b2527ef39c8afe1a5060548217deca8. It is recommended to apply a patch to fix this issue. VDB-216498 is the identifier assigned to this vulnerability. | |||||
| CVE-2021-4268 | 1 Phpredisadmin Project | 1 Phpredisadmin | 2022-12-28 | N/A | 8.8 HIGH |
| A vulnerability, which was classified as problematic, was found in phpRedisAdmin up to 1.17.3. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 1.18.0 is able to address this issue. The name of the patch is b9039adbb264c81333328faa9575ecf8e0d2be94. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216471. | |||||
| CVE-2020-36623 | 1 Pengu Project | 1 Pengu | 2022-12-28 | N/A | 6.5 MEDIUM |
| A vulnerability was found in Pengu. It has been declared as problematic. Affected by this vulnerability is the function runApp of the file src/index.js. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The name of the patch is aea66f12b8cdfc3c8c50ad6a9c89d8307e9d0a91. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216475. | |||||
| CVE-2020-36622 | 1 Bienlein Project | 1 Bienlein | 2022-12-28 | N/A | 6.5 MEDIUM |
| A vulnerability was found in sah-comp bienlein and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The name of the patch is d7836a4f2b241e4745ede194f0f6fb47199cab6b. It is recommended to apply a patch to fix this issue. The identifier VDB-216473 was assigned to this vulnerability. | |||||
| CVE-2022-4107 | 1 Cedcommerce | 1 Smsa Shipping For Woocommerce | 2022-12-23 | N/A | 6.5 MEDIUM |
| The SMSA Shipping for WooCommerce WordPress plugin before 1.0.5 does not have authorisation and proper CSRF checks, as well as does not validate the file to be downloaded, allowing any authenticated users, such as subscriber to download arbitrary file from the server | |||||
| CVE-2022-4125 | 1 Popup Manager Project | 1 Popup Manager | 2022-12-22 | N/A | 4.3 MEDIUM |
| The Popup Manager WordPress plugin through 1.6.6 does not have authorisation and CSRF check when creating/updating popups, and is missing sanitisation as well as escaping, which could allow unauthenticated attackers to create arbitrary popups and add Stored XSS payloads as well | |||||
| CVE-2022-4124 | 1 Popup Manager Project | 1 Popup Manager | 2022-12-22 | N/A | 4.3 MEDIUM |
| The Popup Manager WordPress plugin through 1.6.6 does not have authorisation and CSRF checks when deleting popups, which could allow unauthenticated users to delete them | |||||
| CVE-2022-4058 | 1 10web | 1 Photo Gallery | 2022-12-22 | N/A | 5.4 MEDIUM |
| The Photo Gallery by 10Web WordPress plugin before 1.8.3 does not validate and escape some parameters before outputting them back in in JS code later on in another page, which could lead to Stored XSS issue when an attacker makes a logged in admin open a malicious URL or page under their control. | |||||
| CVE-2022-4024 | 1 Genetechsolutions | 1 Pie Register | 2022-12-22 | N/A | 6.5 MEDIUM |
| The Registration Forms WordPress plugin before 3.8.1.3 does not have authorisation and CSRF when deleting users via an init action handler, allowing unauthenticated attackers to delete arbitrary users (along with their posts) | |||||
| CVE-2021-24639 | 1 Ffw | 1 Omgf | 2022-12-20 | 5.5 MEDIUM | 8.1 HIGH |
| The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server. | |||||
| CVE-2021-24618 | 1 Wbolt | 1 Donate With Qrcode | 2022-12-20 | 3.5 LOW | 5.4 MEDIUM |
| The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which result into a Stored Cross-Site Scripting (XSS). Furthermore, the plugin also does not have any CSRF and capability checks in place when saving such setting, allowing any authenticated user (as low as subscriber), or unauthenticated user via a CSRF vector to update them and perform such attack. | |||||
| CVE-2021-24584 | 1 Motopress | 1 Timetable And Event Schedule | 2022-12-20 | 3.5 LOW | 5.4 MEDIUM |
| The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be perform via CSRF against a logged in with such capability. In versions before 2.3.19, the lack of sanitisation and escaping in some of the fields, like the descritption could also lead to Stored XSS issues | |||||