Total: 5731 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24218 | 1 Facebook | 1 Facebook | 2021-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings handled by the saveFbeSettings function had no sanitization, allowing script tags to be saved. | |||||
| CVE-2007-5594 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2021-04-19 | 4.3 MEDIUM | N/A |
| Drupal 5.x before 5.3 does not apply its Drupal Forms API protection against the user deletion form, which allows remote attackers to delete users via a cross-site request forgery (CSRF) attack. | |||||
| CVE-2021-29435 | 1 Trestle-auth Project | 1 Trestle-auth | 2021-04-19 | 4.3 MEDIUM | 6.5 MEDIUM |
| trestle-auth is an authentication plugin for the Trestle admin framework. A vulnerability in trestle-auth versions 0.4.0 and 0.4.1 allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially allows an attacker to alter protected data, including admin account credentials. The vulnerability has been fixed in trestle-auth 0.4.2 released to RubyGems. | |||||
| CVE-2008-3221 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2021-04-15 | 4.3 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities. | |||||
| CVE-2008-3220 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2021-04-15 | 4.3 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings." | |||||
| CVE-2021-30112 | 1 Web-school | 1 Enterprise Resource Planning | 2021-04-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a student_leave_application request through module/core/studentleaveapplication/create. The application fails to validate the CSRF token for a POST request made with Guardian privileges. | |||||
| CVE-2021-30114 | 1 Web-school | 1 Enterprise Resource Planning | 2021-04-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a voucher payment request through module/accounting/voucher/create. The application fails to validate the CSRF token for a POST request made with admin privileges. | |||||
| CVE-2021-30147 | 1 Dmasoftlab | 1 Radius Manager | 2021-04-12 | 6.8 MEDIUM | 8.8 HIGH |
| DMA Softlab Radius Manager 4.4.0 allows CSRF with impacts such as adding new manager accounts via admin.php. | |||||
| CVE-2014-8246 | 1 Broadcom | 1 Release Automation | 2021-04-12 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in CA Release Automation (formerly iTKO LISA Release Automation) before 4.7.1 b448 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||||
| CVE-2019-20841 | 1 Mattermost | 1 Mattermost Server | 2021-04-12 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. CSRF can sometimes occur via a crafted web site for account takeover attacks. | |||||
| CVE-2021-24173 | 1 Vm Backups Project | 1 Vm Backups | 2021-04-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged-in user perform unwanted actions, such as updating the plugin's options, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24172 | 1 Vm Backups Project | 1 Vm Backups | 2021-04-09 | 4.3 MEDIUM | 4.3 MEDIUM |
| The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged-in user perform unwanted actions, such as generating backups of the DB, plugins, and current . | |||||
| CVE-2014-5217 | 1 Microfocus | 1 Access Manager | 2021-04-09 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in nps/servlet/webacc in the Administration Console server in NetIQ Access Manager (NAM) 4.x before 4.1 allows remote attackers to hijack the authentication of administrators for requests that change the administrative password via an fw.SetPassword action. | |||||
| CVE-2021-24166 | 1 Ninjaforms | 1 Ninja Forms | 2021-04-09 | 5.8 MEDIUM | 5.4 MEDIUM |
| The wp_ajax_nf_oauth_disconnect AJAX action of the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin before 3.4.34 had no nonce protection, making it possible for attackers to craft a request that disconnects a site's OAuth connection. | |||||
| CVE-2021-24161 | 1 Expresstech | 1 Responsive Menu | 2021-04-08 | 6.8 MEDIUM | 8.8 HIGH |
| In the Responsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into uploading a zip archive containing malicious PHP files. The attacker could then access those files to achieve remote code execution and further infect the targeted site. | |||||
| CVE-2021-24162 | 1 Expresstech | 1 Responsive Menu | 2021-04-08 | 6.8 MEDIUM | 8.8 HIGH |
| In the Responsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to include malicious JavaScript, therefore allowing an attacker to inject payloads that could aid in further infection of the site. | |||||
| CVE-2021-20687 | 1 Daifukuya | 1 Kagemai | 2021-04-08 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Kagemai 0.8.8 allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2021-29660 | 1 Softing | 1 Opc Toolbox | 2021-04-08 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability in en/cfg_setpwd.html in Softing AG OPC Toolbox through 4.10.1.13035 allows attackers to reset the administrative password by inducing the Administrator user to browse a URL controlled by an attacker. | |||||
| CVE-2021-22202 | 1 Gitlab | 1 Gitlab | 2021-04-07 | 4.3 MEDIUM | 4.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API. | |||||
| CVE-2021-29349 | 1 Mahara | 1 Mahara | 2021-04-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| Mahara 20.10 is affected by Cross Site Request Forgery (CSRF) that allows a remote attacker to remove inbox-mail on the server. The application fails to validate the CSRF token for a POST request. An attacker can craft a module/multirecipientnotification/inbox.php pieform_delete_all_notifications request, which leads to removing all messages from a mailbox. | |||||
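Nearly every entry above is the same root cause: a state-changing POST handler that never checks a value the attacker's origin cannot obtain ("fails to validate the CSRF token", "no nonce protection"). The following is an added example, not code from any of the listed projects, of the synchronizer-token check those handlers were missing, with an action-scoped nonce in the spirit of (but not identical to) WordPress nonces and an Origin/Referer check as defence in depth. The site origin, the `_csrf` field name, the `voucher/create` action label and the session/request dicts are constructed for the demo.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit

# Methods that must never change state; everything else carries a token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


class CsrfGuard:
    """Synchronizer-token CSRF protection for one site origin.

    A random secret lives server-side in the session.  Every state-changing
    request must echo a nonce derived from that secret and the action it is
    for.  A page on another origin cannot read the secret (same-origin
    policy), so it cannot forge the nonce even though the browser attaches
    the victim's cookies to the forged request.
    """

    def __init__(self, site_origin: str):
        self.site_origin = site_origin.rstrip("/")

    def issue_secret(self, session: dict) -> str:
        """Create (or reuse) the per-session CSRF secret."""
        if "csrf_secret" not in session:
            session["csrf_secret"] = secrets.token_urlsafe(32)
        return session["csrf_secret"]

    def nonce_for(self, session: dict, action: str) -> str:
        """Action-scoped nonce = HMAC-SHA256(session secret, action).

        Binding to the action means a value captured for one endpoint does
        not authorise a different one.  (Illustrative construction; this is
        not the algorithm WordPress or Rails use for their own tokens.)
        """
        secret = self.issue_secret(session).encode()
        return hmac.new(secret, action.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _request_origin(headers: dict):
        """Origin header if present, else the origin part of Referer."""
        origin = headers.get("Origin")
        if origin:
            return origin.rstrip("/")
        referer = headers.get("Referer")
        if referer:
            p = urlsplit(referer)
            return f"{p.scheme}://{p.netloc}"
        return None

    def validate(self, session: dict, method: str, headers: dict,
                 form: dict, action: str) -> tuple:
        """Return (allowed, reason) for one request."""
        if method.upper() in SAFE_METHODS:
            return True, "safe method"

        # Defence in depth: browsers set Origin on cross-site POSTs and the
        # attacker cannot override it.  Fail closed when neither header exists.
        origin = self._request_origin(headers)
        if origin is None:
            return False, "no Origin/Referer on state-changing request"
        if origin != self.site_origin:
            return False, f"cross-origin request from {origin}"

        if "csrf_secret" not in session:
            return False, "session has no CSRF secret"
        submitted = form.get("_csrf") or headers.get("X-CSRF-Token")
        if not submitted:
            return False, "missing token"
        expected = self.nonce_for(session, action)
        # Constant-time comparison on bytes; hexdigest is ASCII.
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            return False, "token mismatch"
        return True, "ok"


def demo() -> dict:
    """Constructed requests against a hypothetical admin endpoint."""
    guard = CsrfGuard("https://erp.example")
    victim = {"user": "admin"}            # server-side session of a logged-in admin
    nonce = guard.nonce_for(victim, "voucher/create")
    same_site = {"Origin": "https://erp.example"}
    attacker = {"Origin": "https://attacker.example"}  # what the browser sends for a forged form
    return {
        # Legitimate form rendered by the site: correct nonce, same origin.
        "legit": guard.validate(victim, "POST", same_site, {"_csrf": nonce}, "voucher/create"),
        # Auto-submitted form on the attacker's page: cookies ride along, token does not.
        "forged": guard.validate(victim, "POST", attacker, {"amount": "9999"}, "voucher/create"),
        # Same-origin but the handler was reached without a token at all.
        "no_token": guard.validate(victim, "POST", same_site, {"amount": "9999"}, "voucher/create"),
        # Nonce for one action replayed against another.
        "wrong_action": guard.validate(victim, "POST", same_site, {"_csrf": nonce}, "user/delete"),
        # Referer-only client (no Origin header) from the real site still passes.
        "referer_only": guard.validate(victim, "POST",
                                       {"Referer": "https://erp.example/admin/vouchers"},
                                       {"_csrf": nonce}, "voucher/create"),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:13s} allowed={ok!s:5s} {why}")
```

The token must be validated on every state-changing route, not only on the ones an author remembers; the Ninja Forms and Facebook entries are single AJAX actions that were missed. Frameworks that already ship this check (Rails `protect_from_forgery`, WordPress `check_ajax_referer`) only help when the handler actually calls it, which is what the trestle-auth and Drupal Forms API entries illustrate.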
