Total: 4240 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-42246 | 1 Duofoxtechnologies | 1 Duofox Cms | 2022-11-17 | N/A | 8.8 HIGH | Doufox 0.0.4 contains a CSRF vulnerability that can add a system administrator account.
CVE-2022-43693 | 1 Concretecms | 1 Concrete Cms | 2022-11-17 | N/A | 8.8 HIGH | Concrete CMS is vulnerable to CSRF due to the lack of a "State" parameter for the external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.
CVE-2019-15062 | 1 Dolibarr | 1 Dolibarr Erp/crm | 2022-11-17 | 6.0 MEDIUM | 8.0 HIGH | An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)
CVE-2020-11825 | 1 Dolibarr | 1 Dolibarr Erp/crm | 2022-11-17 | 6.8 MEDIUM | 8.8 HIGH | In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks. The problem is that any CSRF token in any user's session can be used in another user's session. CSRF tokens should not be valid in this situation.
CVE-2019-1010054 | 1 Dolibarr | 1 Dolibarr Erp/crm | 2022-11-17 | 6.8 MEDIUM | 8.8 HIGH | Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malicious HTML to change user password, disable users and disable password encryption. The component is: Function User password change, user disable and password encryption. The attack vector is: admin access malicious URLs.
CVE-2022-4013 | 1 Hospital Management Center Project | 1 Hospital Management Center | 2022-11-17 | N/A | 8.8 HIGH | A vulnerability classified as problematic was found in Hospital Management Center. Affected by this vulnerability is an unknown functionality of the file appointment.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-213787.
CVE-2022-3240 | 1 Follow Me Plugin Project | 1 Follow Me Plugin | 2022-11-16 | N/A | 8.8 HIGH | The "Follow Me Plugin" plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1.1. This is due to missing nonce validation on the FollowMeIgniteSocialMedia_options_page() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-35613 | 1 Konker | 1 Konker Platform | 2022-11-16 | N/A | 8.8 HIGH | Konker v2.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF).
CVE-2022-43323 | 1 Eyoucms | 1 Eyoucms | 2022-11-16 | N/A | 8.8 HIGH | EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Top Up Balance component under the Edit Member module.
CVE-2022-44387 | 1 Eyoucms | 1 Eyoucms | 2022-11-16 | N/A | 8.8 HIGH | EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Basic Information component under the Edit Member module.
CVE-2022-44389 | 1 Eyoucms | 1 Eyoucms | 2022-11-16 | N/A | 6.5 MEDIUM | EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit Admin Profile module. This vulnerability allows attackers to arbitrarily change Administrator account information.
CVE-2022-3632 | 1 Digitialpixies | 1 Oauth Client | 2022-11-16 | N/A | 6.5 MEDIUM | The OAuth Client by DigitialPixies WordPress plugin through 1.1.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions.
CVE-2022-3538 | 1 Webmaster Tools Verification Project | 1 Webmaster Tools Verification | 2022-11-16 | N/A | 6.5 MEDIUM | The Webmaster Tools Verification WordPress plugin through 1.2 does not have authorisation and CSRF checks when disabling plugins, allowing unauthenticated users to disable arbitrary plugins.
CVE-2022-2449 | 1 Resmush.it | 1 Resmush.it Image Optimizer | 2022-11-16 | N/A | 6.5 MEDIUM | The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 does not perform CSRF checks for any of its AJAX actions, allowing attackers to trick logged-in users into performing various actions on their behalf on the site.
CVE-2020-25015 | 1 Genexis | 2 Platinum 4410, Platinum 4410 Firmware | 2022-11-16 | 4.3 MEDIUM | 6.5 MEDIUM | A specific router allows changing the Wi-Fi password remotely. Genexis Platinum 4410 V2-1.28, a compact router generally used at homes and offices, was found to be vulnerable to Broken Access Control and CSRF, which could be combined to remotely change the Wi-Fi access point's password.
CVE-2020-24373 | 1 Free | 10 Freebox Delta, Freebox Delta Firmware, Freebox Mini and 7 more | 2022-11-16 | 6.8 MEDIUM | 8.8 HIGH | A CSRF vulnerability exists in the UPnP MediaServer implementation in Freebox Server before 4.2.3.
CVE-2022-45130 | 1 Plesk | 1 Obsidian | 2022-11-15 | N/A | 6.5 MEDIUM | Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. NOTE: Obsidian is a specific version of the Plesk product: version numbers were used through version 12, and then the convention was changed so that versions are identified by names ("Obsidian"), not numbers.
CVE-2021-36886 | 1 Ciphercoin | 1 Contact Form 7 Database Addon | 2022-11-14 | 6.8 MEDIUM | 8.8 HIGH | Cross-Site Request Forgery (CSRF) vulnerability discovered in the Contact Form 7 Database Addon – CFDB7 WordPress plugin (versions <= 1.2.5.9).
CVE-2022-43031 | 1 Dedecms | 1 Dedecms | 2022-11-10 | N/A | 8.8 HIGH | DedeCMS v6.1.9 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add Administrator accounts and modify Admin passwords.
CVE-2022-3536 | 1 Addify | 1 Role Based Pricing For Woocommerce | 2022-11-09 | N/A | 8.8 HIGH | The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, and does not validate the path given via user input, allowing any authenticated user, such as a subscriber, to perform PHAR deserialization attacks when they can upload a file and a suitable gadget chain is present on the blog.