Total
4240 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-45674 | 1 Tenda | 2 Ac6, Ac6 Firmware | 2022-12-05 | N/A | 6.5 MEDIUM |
| Tenda AC6V1.0 V15.03.05.19 is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolReboot. | |||||
| CVE-2022-45673 | 1 Tenda | 2 Ac6, Ac6 Firmware | 2022-12-05 | N/A | 6.5 MEDIUM |
| Tenda AC6V1.0 V15.03.05.19 is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolRestoreSet. | |||||
| CVE-2022-45667 | 1 Tenda | 2 I22, I22 Firmware | 2022-12-05 | N/A | 6.5 MEDIUM |
| Tenda i22 V1.0.0.3(4687) is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolRestoreSet. | |||||
| CVE-2022-45668 | 1 Tenda | 2 I22, I22 Firmware | 2022-12-05 | N/A | 6.5 MEDIUM |
| Tenda i22 V1.0.0.3(4687) is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolReboot. | |||||
| CVE-2022-4218 | 1 Kibokolabs | 1 Chained Quiz | 2022-12-05 | N/A | 4.3 MEDIUM |
| The Chained Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.2.4. This is due to missing nonce validation on the list_quizzes() function. This makes it possible for unauthenticated attackers to delete quizzes and copy quizzes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-4219 | 1 Kibokolabs | 1 Chained Quiz | 2022-12-05 | N/A | 4.3 MEDIUM |
| The Chained Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.2.4. This is due to missing nonce validation on the manage() function. This makes it possible for unauthenticated attackers to delete submitted quiz responses via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-4220 | 1 Kibokolabs | 1 Chained Quiz | 2022-12-05 | N/A | 4.3 MEDIUM |
| The Chained Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.2.4. This is due to missing nonce validation on the list_questions() function. This makes it possible for unauthenticated attackers to delete questions from quizzes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-38139 | 1 Rdstation | 1 Rd Station | 2022-12-03 | N/A | 8.8 HIGH |
| Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in RD Station plugin <= 5.2.0 at WordPress. | |||||
| CVE-2022-3847 | 1 Showing Url In Qr Code Project | 1 Showing Url In Qr Code | 2022-12-02 | N/A | 6.1 MEDIUM |
| The Showing URL in QR Code WordPress plugin through 0.0.1 does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin or editor add Stored XSS payloads via a CSRF attack | |||||
| CVE-2019-4212 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2022-12-02 | 6.8 MEDIUM | 8.8 HIGH |
| IBM QRadar SIEM 7.2 and 7.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 159132. | |||||
| CVE-2022-40489 | 1 Thinkcmf | 1 Thinkcmf | 2022-12-02 | N/A | 8.8 HIGH |
| ThinkCMF version 6.0.7 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows a Super Administrator user to be injected into administrative users. | |||||
| CVE-2022-26366 | 1 Adrotate Banner Manager Project | 1 Adrotate Banner Manager | 2022-12-02 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) in AdRotate Banner Manager Plugin <= 5.9 on WordPress. | |||||
| CVE-2022-41413 | 1 Perfsonar | 1 Perfsonar | 2022-12-02 | N/A | 4.3 MEDIUM |
| perfSONAR v4.x <= v4.4.5 was discovered to contain a Cross-Site Request Forgery (CSRF) which is triggered when an attacker injects crafted input into the Search function. | |||||
| CVE-2022-44937 | 1 Bosscms | 1 Bosscms | 2022-12-01 | N/A | 6.5 MEDIUM |
| Bosscms v2.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Add function under the Administrator List module. | |||||
| CVE-2022-34654 | 1 Freeamigos | 1 Manage Notification E-mails | 2022-12-01 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) in Virgial Berveling's Manage Notification E-mails plugin <= 1.8.2 on WordPress. | |||||
| CVE-2022-3747 | 1 Muffingroup | 1 Becustom | 2022-12-01 | N/A | 6.5 MEDIUM |
| The Becustom plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.5.2. This is due to missing nonce validation when saving the plugin's settings. This makes it possible for unauthenticated attackers to update the plugin's settings like betheme_url_slug, replaced_theme_author, and betheme_label to name a few, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-3898 | 1 Wp Affiliate Platform Project | 1 Wp Affiliate Platform | 2022-12-01 | N/A | 6.5 MEDIUM |
| The WP Affiliate Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.9. This is due to missing or incorrect nonce validation on various functions including the affiliates_menu method. This makes it possible for unauthenticated attackers to delete affiliate records, via forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-41925 | 1 Tailscale | 1 Tailscale | 2022-12-01 | N/A | 8.8 HIGH |
| A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node’s Tailscale environment variables. An attacker with access to the peer API on a node could use that access to read the node’s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user’s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop. All Tailscale clients prior to version v1.32.3 are affected. Upgrade to v1.32.3 or later to remediate the issue. | |||||
| CVE-2022-41924 | 2 Microsoft, Tailscale | 2 Windows, Tailscale | 2022-12-01 | N/A | 9.6 CRITICAL |
| A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon `tailscaled`, which can then be used to remotely execute code. In the Tailscale Windows client, the local API was bound to a local TCP socket, and communicated with the Windows client GUI in cleartext with no Host header verification. This allowed an attacker-controlled website visited by the node to rebind DNS to an attacker-controlled DNS server, and then make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server. An attacker-controlled coordination server can send malicious URL responses to the client, including pushing executables or installing an SMB share. These allow the attacker to remotely execute code on the node. All Windows clients prior to version v.1.32.3 are affected. If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue. | |||||
| CVE-2019-6561 | 1 Moxa | 8 Eds-405a, Eds-405a Firmware, Eds-408a and 5 more | 2022-11-30 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery has been identified in Moxa IKS and EDS, which may allow for the execution of unauthorized actions on the device. | |||||