Total
4240 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-41927 | 1 Xwiki | 1 Xwiki | 2022-11-30 | N/A | 7.4 HIGH |
| XWiki Platform is vulnerable to Cross-Site Request Forgery (CSRF) that may allow attackers to delete or rename tags without needing any confirmation. The problem has been patched in XWiki 13.10.7, 14.4.1 and 14.5RC1. Workarounds: It's possible to patch existing instances directly by editing the page Main.Tags and add this kind of check, in the code for renaming and for deleting: ``` #if (!$services.csrf.isTokenValid($request.get('form_token'))) #set ($discard = $response.sendError(401, "Wrong CSRF token")) #end ``` | |||||
| CVE-2022-3850 | 1 Find And Replace All Project | 1 Find And Replace All | 2022-11-29 | N/A | 4.3 MEDIUM |
| The Find and Replace All WordPress plugin before 1.3 does not have CSRF check when replacing string, which could allow attackers to make a logged admin replace arbitrary string in database tables via a CSRF attack | |||||
| CVE-2022-3097 | 1 Laubrotel | 1 Lbstopattack | 2022-11-29 | N/A | 6.5 MEDIUM |
| The Plugin LBstopattack WordPress plugin before 1.1.3 does not use nonces when saving its settings, making it possible for attackers to conduct CSRF attacks. This could allow attackers to disable the plugin's protections. | |||||
| CVE-2020-5517 | 1 Blueonyx | 2 5209r, 5209r Firmware | 2022-11-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| CSRF in the /login URI in BlueOnyx 5209R allows an attacker to access the dashboard and perform scraping or other analysis. | |||||
| CVE-2022-4090 | 1 Stock Management System Project | 1 Stock Management System | 2022-11-28 | N/A | 8.8 HIGH |
| A vulnerability was found in rickxy Stock Management System and classified as problematic. This issue affects some unknown processing of the file us_transac.php?action=add. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-214331. | |||||
| CVE-2021-29334 | 1 Jizhicms | 1 Jizhicms | 2022-11-28 | N/A | 8.8 HIGH |
| An issue was discovered in JIZHI CMS 1.9.4. There is a CSRF vulnerability that can add an admin account via index, /admin.php/Admin/adminadd.html | |||||
| CVE-2022-44737 | 1 Tipsandtricks-hq | 1 All In One Wp Security \& Firewall | 2022-11-28 | N/A | 8.8 HIGH |
| Multiple Cross-Site Request Forgery vulnerabilities in All-In-One Security (AIOS) – Security and Firewall (WordPress plugin) <= 5.1.0 on WordPress. | |||||
| CVE-2022-41919 | 1 Fastify | 1 Fastify | 2022-11-25 | N/A | 8.8 HIGH |
| Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts `application/json` content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack. This issue has been patched in version 4.10.2 and 3.29.4. As a workaround, implement Cross-Site Request Forgery protection using `@fastify/csrf'. | |||||
| CVE-2020-23592 | 1 Optilinknetwork | 2 Op-xt71000n, Op-xt71000n Firmware | 2022-11-23 | N/A | 8.8 HIGH |
| A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to Reset ONU to Factory Default through ' /mgm_dev_reset.asp.' Resetting to default leads to Escalation of Privileges by logging-in with default credentials. | |||||
| CVE-2020-23590 | 1 Optilinknetwork | 2 Op-xt71000n, Op-xt71000n Firmware | 2022-11-23 | N/A | 6.5 MEDIUM |
| A vulnerability in Optilink OP-XT71000N Hardware version: V2.2 , Firmware Version: OP_V3.3.1-191028 allows an unauthenticated remote attacker to conduct a cross-site request forgery (CSRF) attack to change the Password for "WLAN SSID" through "wlwpa.asp". | |||||
| CVE-2020-23589 | 1 Optilinknetwork | 2 Op-xt71000n, Op-xt71000n Firmware | 2022-11-23 | N/A | 6.5 MEDIUM |
| A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to cause a Denial of Service by Rebooting the router through " /mgm_dev_reboot.asp." | |||||
| CVE-2020-23588 | 1 Optilinknetwork | 2 Op-xt71000n, Op-xt71000n Firmware | 2022-11-23 | N/A | 4.3 MEDIUM |
| A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to "Enable or Disable Ports" and to "Change port number" through " /rmtacc.asp ". | |||||
| CVE-2020-23587 | 1 Optilinknetwork | 2 Op-xt71000n, Op-xt71000n Firmware | 2022-11-23 | N/A | 3.1 LOW |
| A vulnerability found in the OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to men in the middle attack by adding New Routes in RoutingConfiguration on " /routing.asp ". | |||||
| CVE-2020-23586 | 1 Optilinknetwork | 2 Op-xt71000n, Op-xt71000n Firmware | 2022-11-23 | N/A | 4.3 MEDIUM |
| A vulnerability found in OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to Add Network Traffic Control Type Rule. | |||||
| CVE-2020-23593 | 1 Optilinknetwork | 2 Op-xt71000n, Op-xt71000n Firmware | 2022-11-23 | N/A | 6.5 MEDIUM |
| A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross site request forgery (CSRF) attack to enable syslog mode through ' /mgm_log_cfg.asp.' The system starts to log events, 'Remote' mode or 'Both' mode on "Syslog -- Configuration page" logs events and sends to remote syslog server IP and Port. | |||||
| CVE-2020-23585 | 1 Optilinknetwork | 2 Op-xt71000n, Op-xt71000n Firmware | 2022-11-23 | N/A | 8.8 HIGH |
| A remote attacker can conduct a cross-site request forgery (CSRF) attack on OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028. The vulnerability is due to insufficient CSRF protections for the "mgm_config_file.asp" because of which attacker can create a crafted "csrf form" which sends " malicious xml data" to "/boaform/admin/formMgmConfigUpload". the exploit allows attacker to "gain full privileges" and to "fully compromise of router & network". | |||||
| CVE-2022-41615 | 1 Agilelogix | 1 Store Locator | 2022-11-23 | N/A | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in Store Locator plugin <= 1.4.5 on WordPress. | |||||
| CVE-2020-23582 | 1 Optilinknetwork | 2 Op-xt71000n, Op-xt71000n Firmware | 2022-11-23 | N/A | 6.5 MEDIUM |
| A vulnerability in the "/admin/wlmultipleap.asp" of optilink OP-XT71000N version: V2.2 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to create Multiple WLAN BSSID. | |||||
| CVE-2022-41634 | 1 Maxfoundry | 1 Media Library Folders | 2022-11-23 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Media Library Folders plugin <= 7.1.1 on WordPress. | |||||
| CVE-2022-3763 | 1 Booster | 1 Booster For Woocommerce | 2022-11-23 | N/A | 8.1 HIGH |
| The Booster for WooCommerce WordPress plugin before 5.6.7, Booster Plus for WooCommerce WordPress plugin before 5.6.5, Booster Elite for WooCommerce WordPress plugin before 1.1.7 do not have CSRF check in place when deleting files uploaded at the checkout, allowing attackers to make a logged in shop manager or admin delete them via a CSRF attack | |||||