Total
4240 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-20787 | 1 Cisco | 1 Unified Communications Manager | 2022-05-04 | 6.0 MEDIUM | 6.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) Software and Cisco Unified CM Session Management Edition (SME) Software could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. | |||||
| CVE-2021-32929 | 1 Uffizio | 1 Gps Tracker | 2022-05-03 | 6.8 MEDIUM | 8.8 HIGH |
| All versions of Uffizio GPS Tracker may allow an attacker to perform unintended actions on behalf of a user. | |||||
| CVE-2015-0541 | 1 Rsa | 1 Web Threat Detection | 2022-04-30 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in EMC RSA Web Threat Detection before 5.1 allows remote attackers to hijack the authentication of arbitrary users. | |||||
| CVE-2012-6342 | 1 Atlassian | 1 Confluence Server | 2022-04-30 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in logout.action in Atlassian Confluence 3.4.6 allows remote attackers to hijack the authentication of administrators for requests that logout the user via a comment. | |||||
| CVE-2021-37198 | 1 Siemens | 1 Comos | 2022-04-29 | 5.1 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web components are used). The COMOS Web component of COMOS uses a flawed implementation of CSRF prevention. An attacker could exploit this vulnerability to perform cross-site request forgery attacks. | |||||
| CVE-2020-12502 | 2 Korenix, Pepperl-fuchs | 46 Jetnet 4510, Jetnet 4510 Firmware, Jetnet 4706 and 43 more | 2022-04-29 | 6.8 MEDIUM | 8.8 HIGH |
| Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) and ICRL-M-8RJ45/4SFP-G-DIN, ICRL-M-16RJ45/4CP-G-DIN FW 1.2.3 and below is prone to unauthenticated device administration. | |||||
| CVE-2021-26474 | 1 Vembu | 2 Bdr Suite, Offsite Dr | 2022-04-29 | 6.8 MEDIUM | 8.8 HIGH |
| Various Vembu products allow an attacker to execute a (non-blind) http-only Cross Site Request Forgery (Other products or versions of products in this family may be affected too.) | |||||
| CVE-2022-27629 | 1 Videowhisper | 1 Micropayments | 2022-04-28 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in 'MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership' versions prior to 1.9.6 allows a remote unauthenticated attacker to hijack the authentication of an administrator and perform unintended operation via unspecified vectors. | |||||
| CVE-2022-28108 | 1 Selenium | 1 Selenium Grid | 2022-04-27 | 9.3 HIGH | 8.8 HIGH |
| Selenium Server (Grid) before 4 allows CSRF because it permits non-JSON content types such as application/x-www-form-urlencoded, multipart/form-data, and text/plain. | |||||
| CVE-2022-23349 | 1 Bigantsoft | 1 Bigant Server | 2022-04-27 | 6.8 MEDIUM | 8.8 HIGH |
| BigAnt Software BigAnt Server v5.6.06 was discovered to contain a Cross-Site Request Forgery (CSRF). | |||||
| CVE-2021-4096 | 1 Radykal | 1 Fancy Product Designer | 2022-04-27 | 6.8 MEDIUM | 8.8 HIGH |
| The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for attackers to upload malicious files that could be used to gain webshell access to a server in versions up to, and including, 4.7.5. | |||||
| CVE-2022-1112 | 1 Autolinks Project | 1 Autolinks | 2022-04-27 | 3.5 LOW | 5.4 MEDIUM |
| The Autolinks WordPress plugin through 1.0.1 does not have CSRF check in place when updating its settings, and does not sanitise as well as escape them, which could allow attackers to perform Stored Cross-Site scripting against a logged in admin via a CSRF attack | |||||
| CVE-2022-23975 | 1 Accesspressthemes | 1 Access Demo Importer | 2022-04-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to activate any installed plugin. | |||||
| CVE-2022-23976 | 1 Accesspressthemes | 1 Access Demo Importer | 2022-04-26 | 5.8 MEDIUM | 8.1 HIGH |
| Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to reset all data (posts / pages / media). | |||||
| CVE-2021-21275 | 2 Oracle, Report Project | 3 Communications Cloud Native Core Network Slice Selection Function, Communications Pricing Design Center, Report | 2022-04-26 | 4.3 MEDIUM | 4.3 MEDIUM |
| The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of MediaWiki edit tokens. | |||||
| CVE-2021-27927 | 1 Zabbix | 1 Zabbix | 2022-04-26 | 6.8 MEDIUM | 8.8 HIGH |
| In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges. | |||||
| CVE-2021-28280 | 1 Php-fusion | 1 Phpfusion | 2022-04-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| CSRF + Cross-site scripting (XSS) vulnerability in search.php in PHPFusion 9.03.110 allows remote attackers to inject arbitrary web script or HTML | |||||
| CVE-2021-43953 | 1 Atlassian | 2 Data Center, Jira | 2022-04-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5. | |||||
| CVE-2022-0707 | 1 Sandhillsdev | 1 Easy Digital Downloads | 2022-04-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack | |||||
| CVE-2022-28109 | 1 Selenium | 1 Selenium Grid | 2022-04-25 | 6.8 MEDIUM | 8.8 HIGH |
| Selenium Selenium Grid (formerly Selenium Standalone Server) Fixed in 4.0.0-alpha-7 is affected by: DNS rebinding. The impact is: execute arbitrary code (remote). The component is: WebDriver endpoint of Selenium Grid / Selenium Standalone Server. The attack vector is: Triggered by browsing to to a malicious remote web server. The WebDriver endpoint of Selenium Server (Grid) is vulnerable to DNS rebinding. This can be used to execute arbitrary code on the machine. | |||||