Total
5731 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-1010054 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 6.8 MEDIUM | 8.8 HIGH |
| Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malitious html to change user password, disable users and disable password encryptation. The component is: Function User password change, user disable and password encryptation. The attack vector is: admin access malitious urls. | |||||
| CVE-2022-35613 | 1 Konker | 1 Konker Platform | 2022-11-17 | N/A | 8.8 HIGH |
| Konker v2.3.9 was to discovered to contain a Cross-Site Request Forgery (CSRF). | |||||
| CVE-2022-43323 | 1 Eyoucms | 1 Eyoucms | 2022-11-16 | N/A | 8.8 HIGH |
| EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Top Up Balance component under the Edit Member module. | |||||
| CVE-2022-44387 | 1 Eyoucms | 1 Eyoucms | 2022-11-16 | N/A | 8.8 HIGH |
| EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Basic Information component under the Edit Member module. | |||||
| CVE-2022-44389 | 1 Eyoucms | 1 Eyoucms | 2022-11-16 | N/A | 6.5 MEDIUM |
| EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit Admin Profile module. This vulnerability allows attackers to arbitrarily change Administrator account information. | |||||
| CVE-2022-3632 | 1 Digitialpixies | 1 Oauth Client | 2022-11-16 | N/A | 6.5 MEDIUM |
| The OAuth Client by DigitialPixies WordPress plugin through 1.1.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions. | |||||
| CVE-2022-2449 | 1 Resmush.it | 1 Resmush.it Image Optimizer | 2022-11-16 | N/A | 6.5 MEDIUM |
| The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 does not perform CSRF checks for any of its AJAX actions, allowing an attackers to trick logged in users to perform various actions on their behalf on the site. | |||||
| CVE-2020-25015 | 1 Genexis | 2 Platinum 4410, Platinum 4410 Firmware | 2022-11-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| A specific router allows changing the Wi-Fi password remotely. Genexis Platinum 4410 V2-1.28, a compact router generally used at homes and offices was found to be vulnerable to Broken Access Control and CSRF which could be combined to remotely change the WIFI access point’s password. | |||||
| CVE-2020-24373 | 1 Free | 10 Freebox Delta, Freebox Delta Firmware, Freebox Mini and 7 more | 2022-11-16 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3. | |||||
| CVE-2022-45130 | 1 Plesk | 1 Obsidian | 2022-11-15 | N/A | 6.5 MEDIUM |
| Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. NOTE: Obsidian is a specific version of the Plesk product: version numbers were used through version 12, and then the convention was changed so that versions are identified by names ("Obsidian"), not numbers. | |||||
| CVE-2014-4717 | 1 Sharethis | 1 Simple Share Buttons Adder | 2022-11-15 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Simple Share Buttons Adder plugin before 4.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) ssba_share_text parameter in a save action to wp-admin/options-general.php, which is not properly handled in the homepage, and unspecified vectors related to (2) Pages, (3) Posts, (4) Category/Archive pages or (5) post Excerpts. | |||||
| CVE-2021-36886 | 1 Ciphercoin | 1 Contact Form 7 Database Addon | 2022-11-14 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability discovered in Contact Form 7 Database Addon – CFDB7 WordPress plugin (versions <= 1.2.5.9). | |||||
| CVE-2022-43031 | 1 Dedecms | 1 Dedecms | 2022-11-10 | N/A | 8.8 HIGH |
| DedeCMS v6.1.9 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add Administrator accounts and modify Admin passwords. | |||||
| CVE-2022-3536 | 1 Addify | 1 Role Based Pricing For Woocommerce | 2022-11-10 | N/A | 8.8 HIGH |
| The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog | |||||
| CVE-2021-24822 | 1 Stylishcostcalculator | 1 Stylish Cost Calculator | 2022-11-09 | 3.5 LOW | 5.4 MEDIUM |
| The Stylish Cost Calculator WordPress plugin before 7.0.4 does not have any authorisation and CSRF checks on some of its AJAX actions (available to authenticated users), which could allow any authenticated users, such as subscriber to call them, and perform Stored Cross-Site Scripting attacks against logged in admin, as well as frontend users due to the lack of sanitisation and escaping in some parameters | |||||
| CVE-2021-24642 | 1 Scroll Banner Project | 1 Scroll Banner | 2022-11-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Scroll Baner WordPress plugin through 1.0 does not have CSRF check in place when saving its settings, nor perform any sanitisation, escaping or validation on them. This could allow attackers to make logged in admin change them and could lead to RCE (via a file upload) as well as XSS | |||||
| CVE-2021-24615 | 1 Wechat Reward Project | 1 Wechat Reward | 2022-11-09 | 4.3 MEDIUM | 5.4 MEDIUM |
| The Wechat Reward WordPress plugin through 1.7 does not sanitise or escape its QR settings, nor has any CSRF check in place, allowing attackers to make a logged in admin change the settings and perform Cross-Site Scripting attacks. | |||||
| CVE-2021-24595 | 1 Wp Cookie Choice Project | 1 Wp Cookie Choice | 2022-11-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Wp Cookie Choice WordPress plugin through 1.1.0 is lacking any CSRF check when saving its options, and do not escape them when outputting them in attributes. As a result, an attacker could make a logged in admin change them to arbitrary values including XSS payloads via a CSRF attack. | |||||
| CVE-2021-24683 | 1 Awplife | 1 Weather Effect | 2022-11-09 | 4.3 MEDIUM | 5.4 MEDIUM |
| The Weather Effect WordPress plugin before 1.3.4 does not have any CSRF checks in place when saving its settings, and do not validate or escape them, which could lead to Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24626 | 1 Chameleon Css Project | 1 Chameleon Css | 2022-11-09 | 6.5 MEDIUM | 8.8 HIGH |
| The Chameleon CSS WordPress plugin through 1.2 does not have any CSRF and capability checks in all its AJAX calls, allowing any authenticated user, such as subscriber to call them and perform unauthorised actions. One of AJAX call, remove_css, also does not sanitise or escape the css_id POST parameter before using it in a SQL statement, leading to a SQL Injection | |||||