Total: 4240 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-20846 | 1 Delitestudio | 1 Push Notifications For Wordpress | 2021-11-29 | 6.8 MEDIUM | 8.8 HIGH |
Cross-site request forgery (CSRF) vulnerability in Push Notifications for WordPress (Lite) versions prior to 6.0.1 allows a remote attacker to hijack the authentication of an administrator and conduct an arbitrary operation via a specially crafted web page. | |||||
CVE-2021-20845 | 1 Xml-sitemaps | 1 Unlimited Sitemap Generator | 2021-11-26 | 6.8 MEDIUM | 8.8 HIGH |
Cross-site request forgery (CSRF) vulnerability in Unlimited Sitemap Generator versions prior to v8.2 allows a remote attacker to hijack the authentication of an administrator and conduct an arbitrary operation via a specially crafted web page. | |||||
CVE-2021-20842 | 1 Ec-cube | 1 Ec-cube | 2021-11-26 | 4.3 MEDIUM | 6.5 MEDIUM |
Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of an administrator and delete the administrator via a specially crafted web page. | |||||
CVE-2021-39353 | 1 Easyregistrationforms | 1 Easy Registration Forms | 2021-11-24 | 6.8 MEDIUM | 8.8 HIGH |
The Easy Registration Forms WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation in the ajax_add_form function found in the ~/includes/class-form.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including, 2.1.1. | |||||
CVE-2021-24641 | 1 Imagestowebp Project | 1 Images To Webp | 2021-11-24 | 5.8 MEDIUM | 8.1 HIGH |
The Images to WebP WordPress plugin before 1.9 does not have CSRF checks in place when performing some administrative actions, which could result in modification of plugin settings, Denial-of-Service, as well as arbitrary image conversion. | |||||
CVE-2021-41273 | 1 Pterodactyl | 1 Panel | 2021-11-23 | 4.3 MEDIUM | 4.3 MEDIUM |
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: sending a test email and generating a node auto-deployment token. At no point would any data be exposed to the malicious user; this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed to the malicious user; it is simply created unexpectedly in the system. This has been addressed in release `1.6.6`. Users may optionally manually apply the fixes released in v1.6.6 to patch their own systems. | |||||
CVE-2021-41274 | 1 Nebulab | 1 Solidus Auth Devise | 2021-11-23 | 6.8 MEDIUM | 8.8 HIGH |
solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if the `protect_from_forgery` method is both: (1) executed either as a `before_action` callback (the default) or as a `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (the most likely order to find); and (2) configured to use the `:null_session` or `:reset_session` strategy (`:null_session` is the default in case no strategy is given, but `rails --new` generated skeletons use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should, if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details. | |||||
CVE-2021-39198 | 1 Oroinc | 1 Client Relationship Management | 2021-11-23 | 5.8 MEDIUM | 5.4 MEDIUM |
OroCRM is an open source Client Relationship Management (CRM) application. Affected versions were found to suffer from a vulnerability through which an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability and all users are advised to update their package. | |||||
CVE-2021-34358 | 1 Qnap | 2 Nas, Qmailagent | 2021-11-23 | 6.8 MEDIUM | 8.8 HIGH |
We have already fixed this vulnerability in the following versions of QmailAgent: QmailAgent 3.0.2 (2021/08/25) and later. | |||||
CVE-2021-3957 | 1 Kimai | 1 Kimai 2 | 2021-11-23 | 4.3 MEDIUM | 4.3 MEDIUM |
kimai2 is vulnerable to Cross-Site Request Forgery (CSRF). | |||||
CVE-2021-3976 | 1 Kimai | 1 Kimai 2 | 2021-11-23 | 4.3 MEDIUM | 6.5 MEDIUM |
kimai2 is vulnerable to Cross-Site Request Forgery (CSRF). | |||||
CVE-2021-3963 | 1 Kimai | 1 Kimai 2 | 2021-11-23 | 4.3 MEDIUM | 4.3 MEDIUM |
kimai2 is vulnerable to Cross-Site Request Forgery (CSRF). | |||||
CVE-2021-44036 | 1 Teampasswordmanager | 1 Team Password Manager | 2021-11-22 | 6.8 MEDIUM | 8.8 HIGH |
Team Password Manager (aka TeamPasswordManager) before 10.135.236 has a CSRF vulnerability during import. | |||||
CVE-2021-36908 | 1 Webfactoryltd | 1 Wp Reset Pro | 2021-11-19 | 6.8 MEDIUM | 8.8 HIGH |
Cross-Site Request Forgery (CSRF) vulnerability leading to Database Reset in the WordPress WP Reset PRO Premium plugin (versions <= 5.98) allows attackers to trick authenticated users into performing an unintended database reset. | |||||
CVE-2021-24804 | 1 Simple Jwt Login Project | 1 Simple Jwt Login | 2021-11-19 | 6.8 MEDIUM | 8.8 HIGH |
The Simple JWT Login WordPress plugin before 3.2.1 does not have nonce checks when saving its settings, allowing attackers to make a logged-in admin change them. Settings such as the HMAC verification secret, account registration and default user roles can be updated, which could result in site takeover. | |||||
CVE-2021-24853 | 1 Qr Redirector Project | 1 Qr Redirector | 2021-11-19 | 4.3 MEDIUM | 4.3 MEDIUM |
The QR Redirector WordPress plugin before 1.6 does not have capability and CSRF checks when saving bulk QR Redirector settings via the qr_save_bulk AJAX action, which could allow any authenticated user, such as a subscriber, to change the redirect response status code of arbitrary QR Redirects. | |||||
CVE-2021-24802 | 1 Gesundheit-bewegt | 1 Colorful Categories | 2021-11-19 | 4.3 MEDIUM | 6.5 MEDIUM |
The Colorful Categories WordPress plugin before 2.0.15 does not enforce nonce checks, which could allow attackers to make a logged-in admin or editor change taxonomy colors via a CSRF attack. | |||||
CVE-2021-24776 | 1 Wp Performance Score Booster Project | 1 Wp Performance Score Booster | 2021-11-19 | 4.3 MEDIUM | 4.3 MEDIUM |
The WP Performance Score Booster WordPress plugin before 2.1 does not have a CSRF check when saving its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. | |||||
CVE-2020-15151 | 2 Magento, Openmage | 2 Magento, Openmage Long Term Support | 2021-11-18 | 4.0 MEDIUM | 8.0 HIGH |
OpenMage LTS before versions 19.4.6 and 20.0.2 allows attackers to circumvent the `fromkey protection` in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks. This issue is related to Adobe's CVE-2020-9690. It is patched in versions 19.4.6 and 20.0.2. | |||||
CVE-2021-25976 | 1 Dotnetfoundation | 1 Piranha Cms | 2021-11-17 | 4.0 MEDIUM | 8.1 HIGH |
In PiranhaCMS, versions 4.0.0-alpha1 to 9.2.0 are vulnerable to cross-site request forgery (CSRF) when performing various actions supported by the management system, such as deleting a user, deleting a role, editing a post, deleting a media folder etc., when an ID is known. | |||||