Total
4240 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-25965 | 1 Calibre-web Project | 1 Calibre-web | 2021-11-17 | 6.8 MEDIUM | 8.8 HIGH |
| In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application. | |||||
| CVE-2021-3683 | 1 Showdoc | 1 Showdoc | 2021-11-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| showdoc is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2021-3775 | 1 Showdoc | 1 Showdoc | 2021-11-16 | 5.8 MEDIUM | 5.4 MEDIUM |
| showdoc is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2021-3776 | 1 Showdoc | 1 Showdoc | 2021-11-16 | 5.8 MEDIUM | 5.4 MEDIUM |
| showdoc is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2020-21141 | 1 Idreamsoft | 1 Icms | 2021-11-16 | 6.8 MEDIUM | 8.8 HIGH |
| iCMS v7.0.15 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admincp.php?app=members&do=add. | |||||
| CVE-2021-3932 | 1 Area17 | 1 Twill | 2021-11-16 | 4.3 MEDIUM | 4.3 MEDIUM |
| twill is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2021-3931 | 1 Snipeitapp | 1 Snipe-it | 2021-11-16 | 4.3 MEDIUM | 4.3 MEDIUM |
| snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2021-3921 | 1 Firefly-iii | 1 Firefly Iii | 2021-11-16 | 4.3 MEDIUM | 4.3 MEDIUM |
| firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2021-40518 | 1 Airangel | 10 Hsmx-app-100, Hsmx-app-1000, Hsmx-app-1000 Firmware and 7 more | 2021-11-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| Airangel HSMX Gateway devices through 5.2.04 allow CSRF. | |||||
| CVE-2021-24832 | 1 Wp Seo Redirect 301 Project | 1 Wp Seo Redirect 301 | 2021-11-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| The WP SEO Redirect 301 WordPress plugin before 2.3.2 does not have CSRF in place when deleting redirects, which could allow attackers to make a logged in admin delete them via a CSRF attack | |||||
| CVE-2020-28137 | 1 Genexis | 2 Platinum 4410, Platinum 4410 Firmware | 2021-11-12 | 7.1 HIGH | 6.5 MEDIUM |
| Cross site request forgery (CSRF) in Genexis Platinum 4410 V2-1.28, allows attackers to cause a denial of service by continuously restarting the router. | |||||
| CVE-2021-41426 | 1 Beeline | 2 Smart Box, Smart Box Firmware | 2021-11-12 | 6.8 MEDIUM | 8.8 HIGH |
| Beeline Smart box 2.0.38 is vulnerable to Cross Site Request Forgery (CSRF) via mgt_end_user.htm. | |||||
| CVE-2021-41372 | 1 Microsoft | 1 Power Bi Report Server | 2021-11-12 | 6.8 MEDIUM | 9.6 CRITICAL |
| Power BI Report Server Spoofing Vulnerability | |||||
| CVE-2021-24767 | 1 Fullworks | 1 Redirect 404 Error Page To Homepage Or Custom Page With Logs | 2021-11-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Redirect 404 Error Page to Homepage or Custom Page with Logs WordPress plugin before 1.7.9 does not check for CSRF when deleting logs, which could allow attacker to make a logged in admin delete them via a CSRF attack | |||||
| CVE-2021-24766 | 1 404 To 301 Project | 1 404 To 301 | 2021-11-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| The 404 to 301 – Redirect, Log and Notify 404 Errors WordPress plugin before 3.0.9 does not have CSRF check in place when cleaning the logs, which could allow attacker to make a logged in admin delete all of them via a CSRF attack | |||||
| CVE-2013-0205 | 2 Drupal, Restful Web Services Project | 2 Drupal, Restful Web Services | 2021-11-10 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the RESTful Web Services (restws) module 7.x-1.x before 7.x-1.2 and 7.x-2.x before 7.x-2.0-alpha4 for Drupal allows remote attackers to hijack the authentication of arbitrary users via unknown vectors. | |||||
| CVE-2021-24674 | 1 Genie Wp Favicon Project | 1 Genie Wp Favicon | 2021-11-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Genie WP Favicon WordPress plugin through 0.5.2 does not have CSRF in place when updating the favicon, which could allow attackers to make a logged in admin change it via a CSRF attack | |||||
| CVE-2017-7852 | 2 D-link, Dlink | 52 Dcs-2132l, Dcs-2132l Firmware, Dcs-2136l and 49 more | 2021-11-09 | 6.8 MEDIUM | 8.8 HIGH |
| D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because of the 'allow-access-from domain' child element set to *, thus accepting requests from any domain. If a victim logged into the camera's web console visits a malicious site hosting a malicious Flash file from another Browser tab, the malicious Flash file then can send requests to the victim's DCS series Camera without knowing the credentials. An attacker can host a malicious Flash file that can retrieve Live Feeds or information from the victim's DCS series Camera, add new admin users, or make other changes to the device. Known affected devices are DCS-933L with firmware before 1.13.05, DCS-5030L, DCS-5020L, DCS-2530L, DCS-2630L, DCS-930L, DCS-932L, and DCS-932LB1. | |||||
| CVE-2021-24806 | 1 Gvectors | 1 Wpdiscuz | 2021-11-09 | 4.3 MEDIUM | 4.3 MEDIUM |
| The wpDiscuz WordPress plugin before 7.3.4 does check for CSRF when adding, editing and deleting comments, which could allow attacker to make logged in users such as admin edit and delete arbitrary comment, or the user who made the comment to edit it via a CSRF attack. Attackers could also make logged in users post arbitrary comment. | |||||
| CVE-2021-24809 | 1 Wordplus | 1 Better Messages | 2021-11-09 | 6.8 MEDIUM | 8.8 HIGH |
| The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions | |||||