Total
5731 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-37201 | 1 Siemens | 1 Sinec Network Management System | 2021-09-24 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP1). The web interface of affected devices is vulnerable to a Cross-Site Request Forgery (CSRF) attack. This could allow an attacker to manipulate the SINEC NMS configuration by tricking an unsuspecting user with administrative privileges to click on a malicious link. | |||||
| CVE-2020-21081 | 1 Maccms | 1 Maccms | 2021-09-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) in Maccms 8.0 causes administrators to add and modify articles without their knowledge via clicking on a crafted URL. | |||||
| CVE-2020-21126 | 1 Metinfo | 1 Metinfo | 2021-09-23 | 6.8 MEDIUM | 8.8 HIGH |
| MetInfo 7.0.0 contains a Cross-Site Request Forgery (CSRF) via admin/?n=admin&c=index&a=doSaveInfo. | |||||
| CVE-2021-24725 | 1 Quantumcloud | 1 Comment Link Remove And Other Comment Tools | 2021-09-23 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Comment Link Remove and Other Comment Tools WordPress plugin before 2.1.6 does not have CSRF check in its 'Delete comments easily', which could allow attackers to make logged in admin delete arbitrary comments | |||||
| CVE-2021-24491 | 1 Fileviewer Project | 1 Fileviewer | 2021-09-23 | 6.8 MEDIUM | 8.8 HIGH |
| The Fileviewer WordPress plugin through 2.2 does not have CSRF checks in place when performing actions such as upload and delete files. As a result, attackers could make a logged in administrator delete and upload arbitrary files via a CSRF attack | |||||
| CVE-2021-24490 | 1 Email Artillery Project | 1 Email Artillery | 2021-09-23 | 6.0 MEDIUM | 6.8 MEDIUM |
| The Email Artillery (MASS EMAIL) WordPress plugin through 4.1 does not properly check the uploaded files from the Import Emails feature, allowing arbitrary files to be uploaded. Furthermore, the plugin is also lacking any CSRF check, allowing such issue to be exploited via a CSRF attack as well. However, due to the presence of a .htaccess, denying access to everything in the folder the file is uploaded to, the malicious uploaded file will only be accessible on Web Servers such as Nginx/IIS | |||||
| CVE-2020-19280 | 1 Jeesns | 1 Jeesns | 2021-09-22 | 6.8 MEDIUM | 8.8 HIGH |
| Jeesns 1.4.2 contains a cross-site request forgery (CSRF) which allows attackers to escalate privileges and perform sensitive program operations. | |||||
| CVE-2020-19268 | 1 Dswjcms Project | 1 Dswjcms | 2021-09-22 | 3.5 LOW | 5.7 MEDIUM |
| A cross-site request forgery (CSRF) in index.php/Dswjcms/User/tfAdd of Dswjcms 1.6.4 allows authenticated attackers to arbitrarily add administrator users. | |||||
| CVE-2021-24477 | 1 Migrate Users Project | 1 Migrate Users | 2021-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Migrate Users WordPress plugin through 1.0.1 does not sanitise or escape its Delimiter option before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its options, allowing the issue to be exploited via a CSRF attack. | |||||
| CVE-2021-38721 | 1 Thedaylightstudio | 1 Fuel Cms | 2021-09-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| FUEL CMS 1.5.0 login.php contains a cross-site request forgery (CSRF) vulnerability | |||||
| CVE-2020-19263 | 1 Mipcms | 1 Mipcms | 2021-09-20 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) in MipCMS v5.0.1 allows attackers to arbitrarily escalate user privileges to administrator via index.php?s=/user/ApiAdminUser/itemEdit. | |||||
| CVE-2020-19264 | 1 Mipcms | 1 Mipcms | 2021-09-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) in MipCMS v5.0.1 allows attackers to arbitrarily add users via index.php?s=/user/ApiAdminUser/itemAdd. | |||||
| CVE-2021-39197 | 1 Better Errors Project | 1 Better Errors | 2021-09-14 | 6.8 MEDIUM | 8.8 HIGH |
| better_errors is an open source replacement for the standard Rails error page with more information rich error pages. It is also usable outside of Rails in any Rack app as Rack middleware. better_errors prior to 2.8.0 did not implement CSRF protection for its internal requests. It also did not enforce the correct "Content-Type" header for these requests, which allowed a cross-origin "simple request" to be made without CORS protection. These together left an application with better_errors enabled open to cross-origin attacks. As a developer tool, better_errors documentation strongly recommends addition only to the `development` bundle group, so this vulnerability should only affect development environments. Please ensure that your project limits better_errors to the `development` group (or the non-Rails equivalent). Starting with release 2.8.x, CSRF protection is enforced. It is recommended that you upgrade to the latest release, or minimally to "~> 2.8.3". There are no known workarounds to mitigate the risk of using older releases of better_errors. | |||||
| CVE-2021-23404 | 1 Sqlite-web Project | 1 Sqlite-web | 2021-09-14 | 6.8 MEDIUM | 8.8 HIGH |
| This affects all versions of package sqlite-web. The SQL dashboard area allows sensitive actions to be performed without validating that the request originated from the application. This could enable an attacker to trick a user into performing these actions unknowingly through a Cross Site Request Forgery (CSRF) attack. | |||||
| CVE-2017-5169 | 1 Hanwha-security | 1 Smart Security Manager | 2021-09-13 | 5.1 MEDIUM | 7.5 HIGH |
| An issue was discovered in Hanwha Techwin Smart Security Manager Versions 1.5 and prior. Multiple Cross Site Request Forgery vulnerabilities have been identified. The flaws exist within the Redis and Apache Felix Gogo servers that are installed as part of this product. By issuing specific HTTP Post requests, an attacker can gain system level access to a remote shell session. Smart Security Manager Versions 1.5 and prior are affected by these vulnerabilities. These vulnerabilities can allow for remote code execution. | |||||
| CVE-2021-24611 | 1 Keyword Meta Project | 1 Keyword Meta | 2021-09-13 | 3.5 LOW | 5.4 MEDIUM |
| The Keyword Meta WordPress plugin through 3.0 does not sanitise of escape its settings before outputting them back in the page after they are saved, allowing for Cross-Site Scripting issues. Furthermore, it is also lacking any CSRF check, allowing attacker to make a logged in high privilege user save arbitrary setting via a CSRF attack. | |||||
| CVE-2017-9489 | 2 Cisco, Commscope | 4 Dpc3939b, Dpc3939b Firmware, Arris Tg1682g and 1 more | 2021-09-13 | 6.8 MEDIUM | 8.8 HIGH |
| The Comcast firmware on Cisco DPC3939B (firmware version dpc3939b-v303r204217-150321a-CMCST) devices allows configuration changes via CSRF. | |||||
| CVE-2021-38705 | 1 Cliniccases | 1 Cliniccases | 2021-09-10 | 6.8 MEDIUM | 8.8 HIGH |
| ClinicCases 7.3.3 is affected by Cross-Site Request Forgery (CSRF). A successful attack would consist of an authenticated user following a malicious link, resulting in arbitrary actions being carried out with the privilege level of the targeted user. This can be exploited to create a secondary administrator account for the attacker. | |||||
| CVE-2017-2244 | 1 Brother | 2 Mfc-j960dwn, Mfc-j960dwn Firmware | 2021-09-10 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in MFC-J960DWN firmware ver.D and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2018-7746 | 1 Cobub | 1 Razor | 2021-09-09 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Western Bridge Cobub Razor 0.7.2. Authentication is not required for /index.php?/manage/channel/modifychannel. For example, with a crafted channel name, stored XSS is triggered during a later /index.php?/manage/channel request by an admin. | |||||