Total: 4240 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-2172 | 1 Linkworth | 1 Linkworth | 2022-08-24 | N/A | 4.3 MEDIUM | The LinkWorth WordPress plugin before 3.3.4 does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack.
CVE-2021-24912 | 1 Transposh | 1 Transposh Wordpress Translation | 2022-08-24 | N/A | 5.4 MEDIUM | The Transposh WordPress Translation WordPress plugin before 1.0.8 does not have a CSRF check in its tp_translation AJAX action, which could allow attackers to make authorised users add a translation. Given the lack of sanitisation in the tk0 parameter, this could lead to a Stored Cross-Site Scripting issue which will be executed in the context of a logged in admin.
CVE-2022-29468 | 1 Wwbn | 1 Avideo | 2022-08-24 | N/A | 8.8 HIGH | A cross-site request forgery (CSRF) vulnerability exists in WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to increased privileges. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.
CVE-2022-2555 | 1 Yotpo Reviews For Woocommerce Project | 1 Yotpo Reviews For Woocommerce | 2022-08-23 | N/A | 6.5 MEDIUM | The Yotpo Reviews for WooCommerce WordPress plugin through 2.0.4 lacks a nonce check when updating its settings, which could allow an attacker to make a logged in admin change them via a CSRF attack.
CVE-2022-1251 | 1 Inkthemes | 1 Ask Me | 2022-08-23 | N/A | 4.3 MEDIUM | The Ask me WordPress theme before 6.8.4 does not perform nonce checks when processing POST requests to the Edit Profile page, allowing an attacker to trick a user into changing their profile information by sending a crafted request.
CVE-2022-34347 | 1 Wpdownloadmanager | 1 Wordpress Download Manager | 2022-08-23 | N/A | 8.8 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.
CVE-2022-36346 | 1 Maxfoundry | 1 Maxbuttons | 2022-08-23 | N/A | 8.8 HIGH | Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Max Foundry MaxButtons plugin <= 9.2 at WordPress.
CVE-2021-36852 | 1 Thimpress | 1 Wp Hotel Booking | 2022-08-23 | N/A | 8.0 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking plugin <= 1.10.5 at WordPress.
CVE-2022-35656 | 1 Pega | 1 Pega Platform | 2022-08-23 | N/A | 4.5 MEDIUM | A vulnerability in Pega Platform from 8.3 to 8.7.3 may allow authenticated security administrators to alter CSRF settings directly.
CVE-2022-36225 | 1 Eyoucms | 1 Eyoucms | 2022-08-22 | N/A | 8.8 HIGH | EyouCMS V1.5.8-UTF8-SP1 is vulnerable to Cross Site Request Forgery (CSRF) via the background, column management function and add.
CVE-2022-36577 | 1 Jizhicms | 1 Jizhicms | 2022-08-22 | N/A | 8.8 HIGH | An issue was discovered in jizhicms v2.3.1. There is a CSRF vulnerability that can add an admin.
CVE-2022-36579 | 1 Wellcms | 1 Wellcms | 2022-08-22 | N/A | 8.8 HIGH | Wellcms 2.2.0 is vulnerable to Cross Site Request Forgery (CSRF).
CVE-2022-36224 | 1 Xunruicms | 1 Xunruicms | 2022-08-22 | N/A | 8.8 HIGH | XunRuiCMS V4.5.6 is vulnerable to Cross Site Request Forgery (CSRF).
CVE-2020-10504 | 1 Chadhaajay | 1 Phpkb | 2022-08-19 | 4.3 MEDIUM | 4.3 MEDIUM | CSRF in admin/edit-comments.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to edit a comment, given the id, via a crafted request.
CVE-2022-23765 | 1 Iptime | 6 Nas1dual, Nas1dual Firmware, Nas2dual and 3 more | 2022-08-19 | N/A | 8.8 HIGH | This vulnerability occurred by sending a malicious POST request to a specific page while logged in as a random user on some IPTIME NAS family devices. Remote attackers can steal root privileges by changing the root password through a POST request.
CVE-2022-36312 | 1 Airspan | 2 Airvelocity 1500, Airvelocity 1500 Firmware | 2022-08-17 | N/A | 8.8 HIGH | Airspan AirVelocity 1500 software version 15.18.00.2511 lacks CSRF protections in the eNodeB's web management UI. This issue may affect other AirVelocity and AirSpeed models.
CVE-2022-38359 | 1 Eyeofnetwork | 1 Eyes Of Network Web | 2022-08-17 | N/A | 8.8 HIGH | Cross-site request forgery attacks can be carried out against the Eyes of Network web application, due to an absence of adequate protections. An attacker can, for instance, delete the admin user by directing an authenticated user to the URL https://<target-address>/module/admin_user/index.php?DataTables_Table_0_length=10&user_selected%5B%5D=1&user_mgt_list=delete_user&action=submit by means of a crafted link.
CVE-2022-2381 | 1 E Unlocked - Student Result Project | 1 E Unlocked - Student Result | 2022-08-16 | N/A | 8.8 HIGH | The E Unlocked - Student Result WordPress plugin through 1.0.4 lacks CSRF and validation checks when uploading the School logo, which could allow attackers to make a logged in admin upload arbitrary files, such as PHP, via a CSRF attack.
CVE-2022-35943 | 1 Codeigniter | 2 Codeigniter, Shield | 2022-08-16 | N/A | 8.8 HIGH | Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., `https://a.example.com/`) of the target site (e.g., `http://example.com/`). Upgrade to **CodeIgniter v4.2.3 or later** and **Shield v1.0.0-beta.2 or later**. As a workaround: set `Config\Security::$csrfProtection` to `'session'`, remove old session data right after login (immediately after ID and password match), and regenerate the CSRF token right after login (immediately after ID and password match).
CVE-2022-37043 | 1 Zimbra | 1 Collaboration | 2022-08-16 | N/A | 5.7 MEDIUM | An issue was discovered in the webmail component in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. When using preauth, CSRF tokens are not checked on some POST endpoints. Thus, when an authenticated user views an attacker-controlled page, a request will be sent to the application that appears to be intended. The CSRF token is omitted from the request, but the request still succeeds.