Total
4240 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-20468 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2022-11-03 | N/A | 6.5 MEDIUM |
| IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 196825. | |||||
| CVE-2020-4301 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2022-11-03 | N/A | 6.5 MEDIUM |
| IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 176609. | |||||
| CVE-2022-1956 | 1 Shortcut Macros Project | 1 Shortcut Macros | 2022-11-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Shortcut Macros WordPress plugin through 1.3 does not have authorisation and CSRF checks in place when updating its settings, which could allow any authenticated users, such as subscriber, to update them. | |||||
| CVE-2022-40291 | 1 Phppointofsale | 1 Php Point Of Sale | 2022-11-02 | N/A | 8.8 HIGH |
| The application was vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing an attacker to coerce users into sending malicious requests to the site to delete their account, or in rare circumstances, hijack their account and create other admin accounts. | |||||
| CVE-2022-40488 | 1 Processwire | 1 Processwire | 2022-11-01 | N/A | 6.5 MEDIUM |
| ProcessWire v3.0.200 was discovered to contain a Cross-Site Request Forgery (CSRF). | |||||
| CVE-2022-3419 | 1 Addify | 1 Automatic User Roles Switcher | 2022-11-01 | N/A | 6.5 MEDIUM |
| The Automatic User Roles Switcher WordPress plugin before 1.1.2 does not have authorisation and proper CSRF checks, allowing any authenticated users like subscriber to add any role to themselves, such as administrator | |||||
| CVE-2022-41996 | 1 Theme-fusion | 1 Avada | 2022-11-01 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada premium theme versions <= 7.8.1 on WordPress leading to arbitrary plugin installation/activation. | |||||
| CVE-2022-2864 | 1 Superwhite | 1 Demon Image Annotation | 2022-10-31 | N/A | 8.8 HIGH |
| The demon image annotation plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.7. This is due to missing nonce validation in the ~/includes/settings.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-43340 | 1 Dzzoffice | 1 Dzzoffice | 2022-10-31 | N/A | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and grant Administrator rights to regular users. | |||||
| CVE-2022-25192 | 1 Jenkins | 1 Snow Commander | 2022-10-28 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Snow Commander Plugin 1.10 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2020-18151 | 1 Thinkcmf | 1 Thinkcmf | 2022-10-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross Site Request Forgery (CSRF) vulnerability in ThinkCMF v5.1.0, which can add an admin account. | |||||
| CVE-2021-24761 | 1 Bestwebsoft | 1 Error Log Viewer | 2022-10-27 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Error Log Viewer WordPress plugin before 1.1.2 does not perform nonce check when deleting a log file and does not have path traversal prevention, which could allow attackers to make a logged in admin delete arbitrary text files on the web server. | |||||
| CVE-2022-29048 | 2 Apple, Jenkins | 2 Macos, Subversion | 2022-10-27 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Plugin 2.15.3 and earlier allows attackers to connect to an attacker-specified URL. | |||||
| CVE-2020-23376 | 1 5none | 1 Nonecms | 2022-10-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| NoneCMS v1.3 has a CSRF vulnerability in public/index.php/admin/nav/add.html, as demonstrated by adding a navigation column which can be injected with arbitrary web script or HTML via the name parameter to launch a stored XSS attack. | |||||
| CVE-2022-32175 | 1 Adguard | 1 Adguardhome | 2022-10-26 | N/A | 5.4 MEDIUM |
| In AdGuardHome, versions v0.95 through v0.108.0-b.13 are vulnerable to Cross-Site Request Forgery (CSRF), in the custom filtering rules functionality. An attacker can persuade an authorized user to follow a malicious link, resulting in deleting/modifying the custom filtering rules. | |||||
| CVE-2022-1757 | 1 Pagebar Project | 1 Pagebar | 2022-10-25 | 3.5 LOW | 5.4 MEDIUM |
| The pagebar WordPress plugin before 2.70 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation in some of them, it could also lead to Stored XSS issues | |||||
| CVE-2022-2762 | 1 Adminpad Project | 1 Adminpad | 2022-10-25 | N/A | 6.5 MEDIUM |
| The AdminPad WordPress plugin before 2.2 does not have CSRF check when updating admin's note, allowing attackers to make a logged in admin update their notes via a CSRF attack | |||||
| CVE-2021-29624 | 1 Fastify | 1 Fastify-csrf | 2022-10-25 | 4.3 MEDIUM | 6.5 MEDIUM |
| fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Version 3.1.0 of the fastify-csrf fixes it. the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains. | |||||
| CVE-2021-24583 | 1 Motopress | 1 Timetable And Event Schedule | 2022-10-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when deleting a timeslot, allowing any user with the edit_posts capability (contributor+) to delete arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be performed via CSRF against a logged in with such capability | |||||
| CVE-2021-24620 | 1 Simple-e-commerce-shopping-cart Project | 1 Simple-e-commerce-shopping-cart | 2022-10-25 | 6.8 MEDIUM | 8.8 HIGH |
| The WordPress Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin through 2.2.5 does not check for the uploaded Downloadable Digital product file, allowing any file, such as PHP to be uploaded by an administrator. Furthermore, as there is no CSRF in place, attackers could also make a logged admin upload a malicious PHP file, which would lead to RCE | |||||