Total: 4240 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2017-18513 | 1 Expresstech | 1 Responsive Menu | 2021-07-30 | 6.8 MEDIUM | 8.8 HIGH | The responsive-menu plugin before 3.1.4 for WordPress has no CSRF protection mechanism for the admin interface.
CVE-2021-32776 | 1 Combodo | 1 Itop | 2021-07-30 | 6.8 MEDIUM | 8.8 HIGH | Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, CSRF tokens can be reused by a malicious user, as on Windows servers no cleanup is done on CSRF tokens. This issue is fixed in versions 2.7.4 and 3.0.0.
CVE-2016-1228 | 2 Ntt-east, Ntt-west | 12 Pr-400mi, Pr-400mi Firmware, Rt-400mi and 9 more | 2021-07-30 | 6.8 MEDIUM | 8.8 HIGH | Cross-site request forgery (CSRF) vulnerability on NTT EAST Hikari Denwa routers with firmware PR-400MI, RT-400MI, and RV-440MI 07.00.1006 and earlier and NTT WEST Hikari Denwa routers with firmware PR-400MI, RT-400MI, and RV-440MI 07.00.1005 and earlier allows remote attackers to hijack the authentication of arbitrary users.
CVE-2021-21407 | 1 Combodo | 1 Itop | 2021-07-29 | 4.3 MEDIUM | 6.5 MEDIUM | Combodo iTop is an open source, web based IT Service Management tool. Prior to version 2.7.4, the CSRF token validation can be bypassed through iTop portal via a tricky browser procedure. The vulnerability is patched in versions 2.7.4 and 3.0.0.
CVE-2021-34619 | 1 Storeapps | 1 Woocommerce Stock Manager | 2021-07-29 | 6.8 MEDIUM | 8.8 HIGH | The WooCommerce Stock Manager WordPress plugin is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Upload in versions up to, and including, 2.5.7 due to missing nonce and file validation in the /woocommerce-stock-manager/trunk/admin/views/import-export.php file.
CVE-2021-32774 | 1 Miraheze | 1 Datadump | 2021-07-28 | 5.8 MEDIUM | 5.4 MEDIUM | DataDump is a MediaWiki extension that provides dumps of wikis. Prior to commit 67a82b76e186925330b89ace9c5fd893a300830b, DataDump had no protection against CSRF attacks, so requests to generate or delete dumps could be forged. The vulnerability was patched in commit 67a82b76e186925330b89ace9c5fd893a300830b. There are no known workarounds. You must completely disable DataDump.
CVE-2018-20816 | 1 Salesagility | 1 Suitecrm | 2021-07-22 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the "add dashboard pages" feature, where users can receive a malicious attack through a phished URL, with script executed.
CVE-2019-18376 | 1 Symantec | 1 Management Center | 2021-07-21 | 4.3 MEDIUM | 5.9 MEDIUM | A CSRF token disclosure vulnerability allows a remote attacker, with access to an authenticated Management Center (MC) user's web browser history or a network device that intercepts/logs traffic to MC, to obtain CSRF tokens and use them to perform CSRF attacks against MC.
CVE-2020-8830 | 1 Commscope | 2 Ruckus Zoneflex R500, Ruckus Zoneflex R500 Firmware | 2021-07-21 | 6.8 MEDIUM | 8.8 HIGH | CSRF in login.asp on Ruckus devices allows an attacker to access the panel, and use SSRF to perform scraping or other analysis via the SUBCA-1 field on the Wireless Admin screen.
CVE-2020-27997 | 1 Smartstore | 1 Smartstorenet | 2021-07-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in SmartStoreNET before 4.1.0. Lack of Cross Site Request Forgery (CSRF) protection may lead to elevation of privileges (e.g., /admin/customer/create to create an admin account).
CVE-2020-24570 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2021-07-21 | 4.3 MEDIUM | 6.5 MEDIUM | An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a CSRF issue (with resultant SSRF) in the com_mb24proxy module, allowing attackers to steal session information from logged-in users with a crafted link.
CVE-2020-1103 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2021-07-21 | 4.3 MEDIUM | 6.5 MEDIUM | An information disclosure vulnerability exists where certain modes of the search function in Microsoft SharePoint Server are vulnerable to cross-site search attacks (a variant of cross-site request forgery, CSRF). When users are simultaneously logged in to Microsoft SharePoint Server and visit a malicious web page, the attacker can, through standard browser functionality, induce the browser to invoke search queries as the logged-in user, aka 'Microsoft SharePoint Information Disclosure Vulnerability'.
CVE-2020-23631 | 1 Wdja | 1 Wdja Cms | 2021-07-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site request forgery (CSRF) in admin/global/manage.php in WDJA CMS 1.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via the tongji parameter.
CVE-2020-35944 | 1 Pagelayer | 1 Pagelayer | 2021-07-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. The pagelayer_settings_page function is vulnerable to CSRF, which can lead to XSS.
CVE-2020-5745 | 1 Tecnick | 1 Tcexam | 2021-07-21 | 4.3 MEDIUM | 7.4 HIGH | Cross-site request forgery in TCExam 14.2.2 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
CVE-2020-35677 | 1 Bigprof | 1 Online Invoicing System | 2021-07-21 | 3.5 LOW | 4.8 MEDIUM | BigProf Online Invoicing System before 4.0 fails to adequately sanitize fields for HTML characters when an administrator uses admin/pageEditGroup.php to create a new group, resulting in Stored XSS. The caveat here is that an attacker would need administrative privileges in order to create the payload. One might think this completely mitigates the privilege-escalation impact, as there is only one high-privileged role. However, it was discovered that the endpoint responsible for creating the group lacks CSRF protection.
CVE-2020-35942 | 1 Imagely | 1 Nextgen Gallery | 2021-07-21 | 6.8 MEDIUM | 8.8 HIGH | A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload and Local File Inclusion via settings modification, leading to Remote Code Execution and XSS. (It is possible to bypass CSRF protection by simply not including a nonce parameter.)
CVE-2020-15516 | 1 Mm Forum Project | 1 Mm Forum | 2021-07-21 | 5.8 MEDIUM | 5.4 MEDIUM | The mm_forum extension through 1.9.5 for TYPO3 allows XSS that can be exploited via CSRF.
CVE-2020-15400 | 1 Cakefoundation | 1 Cakephp | 2021-07-21 | 4.3 MEDIUM | 4.3 MEDIUM | CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS.
CVE-2020-8465 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL | A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to manipulate system updates using a combination of CSRF bypass (CVE-2020-8461) and authentication bypass (CVE-2020-8464) to execute code as user root.