Total: 5731 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-39268 | 1 Orchest | 1 Orchest | 2022-10-04 | N/A | 8.1 HIGH |
| Impact: In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account. Patch: Upgrade to v2022.09.10 to patch this vulnerability. Workarounds: Rebuild and redeploy the Orchest `auth-server` with this commit: https://github.com/orchest/orchest/commit/c2587a963cca742c4a2503bce4cfb4161bf64c2d References: https://en.wikipedia.org/wiki/Cross-site_request_forgery and https://cwe.mitre.org/data/definitions/352.html For more information: If you have any questions or comments about this advisory, open an issue in https://github.com/orchest/orchest or email us at rick@orchest.io | |||||
| CVE-2021-36854 | 1 Bookingultrapro | 1 Booking Ultra Pro Appointments Booking Calendar | 2022-10-04 | N/A | 8.8 HIGH |
| Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Booking Ultra Pro plugin <= 1.1.4 at WordPress. | |||||
| CVE-2021-36855 | 1 Bookingultrapro | 1 Booking Ultra Pro Appointments Booking Calendar | 2022-10-04 | N/A | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in Booking Ultra Pro plugin <= 1.1.4 at WordPress. | |||||
| CVE-2020-35675 | 1 Bigprof | 1 Online Invoicing System | 2022-10-03 | N/A | 8.8 HIGH |
| BigProf Online Invoicing System before 3.0 offers a functionality that allows an administrator to move the records of members across groups. The applicable endpoint (admin/pageTransferOwnership.php) lacks CSRF protection, resulting in an attacker being able to escalate their privileges to Administrator and effectively taking over the application. | |||||
| CVE-2021-22724 | 1 Schneider-electric | 12 Evb1a, Evb1a Firmware, Evc1s22p4 and 9 more | 2022-09-28 | 6.8 MEDIUM | 8.8 HIGH |
| A CWE-352 Cross-Site Request Forgery (CSRF) vulnerability exists that could allow an attacker to impersonate the user or carry out actions on their behalf when crafted malicious parameters are submitted in POST requests sent to the charging station web server. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2) | |||||
| CVE-2021-22725 | 1 Schneider-electric | 12 Evb1a, Evb1a Firmware, Evc1s22p4 and 9 more | 2022-09-28 | 6.8 MEDIUM | 8.8 HIGH |
| A CWE-352 Cross-Site Request Forgery (CSRF) vulnerability exists that could allow an attacker to impersonate the user or carry out actions on their behalf when crafted malicious parameters are submitted in POST requests sent to the charging station web server. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2) | |||||
| CVE-2021-24890 | 1 Dplugins | 1 Scripts Organizer | 2022-09-28 | N/A | 8.8 HIGH |
| The Scripts Organizer WordPress plugin before 3.0 does not have capability and CSRF checks in the saveScript AJAX action, which is available to both unauthenticated and authenticated users, and does not validate user input in any way, which could allow unauthenticated users to put arbitrary PHP code in a file. | |||||
| CVE-2022-3119 | 1 Oauth Client Single Sign On Project | 1 Oauth Client Single Sign On | 2022-09-28 | N/A | 7.5 HIGH |
| The OAuth client Single Sign On WordPress plugin before 3.0.4 does not have authorisation and CSRF checks when updating its settings, which could allow unauthenticated attackers to update them and change the OAuth endpoints to ones they control, allowing them to then be authenticated as admin if they know the correct email address. | |||||
| CVE-2022-3025 | 1 Bitcoin\/altcoin Faucet Project | 1 Bitcoin\/altcoin Faucet | 2022-09-28 | N/A | 5.4 MEDIUM |
| The Bitcoin / Altcoin Faucet WordPress plugin through 1.6.0 does not have any CSRF check when saving its settings, allowing an attacker to make a logged-in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues. | |||||
| CVE-2022-3098 | 1 Gunkastudios | 1 Login Block Ips | 2022-09-27 | N/A | 4.3 MEDIUM |
| The Login Block IPs WordPress plugin through 1.0.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. | |||||
| CVE-2022-38085 | 1 Read More By Adam Project | 1 Read More By Adam | 2022-09-26 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Read more By Adam plugin <= 1.1.8 at WordPress. | |||||
| CVE-2022-40132 | 1 Castos | 1 Seriously Simple Podcasting | 2022-09-26 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Seriously Simple Podcasting plugin <= 2.16.0 at WordPress, leading to plugin settings change. | |||||
| CVE-2022-40671 | 1 Blazzdev | 1 Rate My Post - Wp Rating System | 2022-09-26 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Rate my Post – WP Rating System plugin <= 3.3.4 at WordPress. | |||||
| CVE-2022-38095 | 1 Algolplus | 1 Advanced Dynamic Pricing For Woocommerce | 2022-09-26 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in AlgolPlus Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.3 at WordPress. | |||||
| CVE-2022-38470 | 1 Cusrev | 1 Customer Reviews For Woocommerce | 2022-09-26 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress. | |||||
| CVE-2022-36417 | 1 3d Tag Cloud Project | 1 3d Tag Cloud | 2022-09-26 | N/A | 6.1 MEDIUM |
| Multiple Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in 3D Tag Cloud plugin <= 3.8 at WordPress. | |||||
| CVE-2022-38704 | 1 Clogica | 1 Seo Redirection | 2022-09-26 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in SEO Redirection plugin <= 8.9 at WordPress, leading to deletion of 404 errors and redirection history. | |||||
| CVE-2022-38454 | 1 Kraken | 1 Kraken.io Image Optimizer | 2022-09-26 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Kraken.io Image Optimizer plugin <= 2.6.5 at WordPress. | |||||
| CVE-2022-38079 | 1 Backup Scheduler Project | 1 Backup Scheduler | 2022-09-26 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Backup Scheduler plugin <= 1.5.13 at WordPress. | |||||
| CVE-2022-3274 | 1 Ikus-soft | 1 Rdiffweb | 2022-09-26 | N/A | 3.5 LOW |
| Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.7. | |||||
