Total
7225 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-46252 | 1 Scratch-wiki | 1 Scratch Confirmaccount V3 | 2022-02-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| A Cross-Site Request Forgery (CSRF) in RequirementsBypassPage.php of Scratch Wiki scratch-confirmaccount-v3 allows attackers to modify account request requirement bypasses. | |||||
| CVE-2022-25242 | 1 Filecloud | 1 Filecloud | 2022-02-23 | 5.1 MEDIUM | 8.8 HIGH |
| In FileCloud before 21.3, file upload is not protected against Cross-Site Request Forgery (CSRF). | |||||
| CVE-2022-25241 | 1 Filecloud | 1 Filecloud | 2022-02-23 | 5.1 MEDIUM | 8.8 HIGH |
| In FileCloud before 21.3, the CSV user import functionality is vulnerable to Cross-Site Request Forgery (CSRF). | |||||
| CVE-2019-5318 | 2 Arubanetworks, Siemens | 3 Arubaos, Scalance W1750d, Scalance W1750d Firmware | 2022-02-22 | 7.1 HIGH | 6.5 MEDIUM |
| A remote cross-site request forgery (csrf) vulnerability was discovered in Aruba Operating System Software version(s): 6.x.x.x: all versions, 8.x.x.x: all versions prior to 8.8.0.0. Aruba has released patches for ArubaOS that address this security vulnerability. | |||||
| CVE-2020-15660 | 1 Mozilla | 1 Geckodriver | 2022-02-22 | 6.8 MEDIUM | 8.8 HIGH |
| Missing checks on Content-Type headers in geckodriver before 0.27.0 could lead to a CSRF vulnerability, that might, when paired with a specifically prepared request, lead to remote code execution. | |||||
| CVE-2021-24446 | 1 Wpchill | 1 Remove Footer Credit | 2022-02-19 | 6.0 MEDIUM | 5.4 MEDIUM |
| The Remove Footer Credit WordPress plugin before 1.0.6 does not have CSRF check in place when saving its settings, which could allow attacker to make logged in admins change them and lead to Stored XSS issue as well due to the lack of sanitisation | |||||
| CVE-2022-23384 | 1 Yzmcms | 1 Yzmcms | 2022-02-19 | 6.8 MEDIUM | 8.8 HIGH |
| YzmCMS v6.3 is affected by Cross Site Request Forgery (CSRF) in /admin.add | |||||
| CVE-2020-13674 | 1 Drupal | 1 Drupal | 2022-02-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability. | |||||
| CVE-2021-22954 | 1 Concretecms | 1 Concrete Cms | 2022-02-15 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability exists in Concrete CMS <v9 that could allow an attacker to make requests on behalf of other users. | |||||
| CVE-2022-0505 | 1 Microweber | 1 Microweber | 2022-02-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11. | |||||
| CVE-2021-45326 | 1 Gitea | 1 Gitea | 2022-02-11 | 6.8 MEDIUM | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes.This can be dangerous especially with state altering POST requests. | |||||
| CVE-2021-37725 | 2 Arubanetworks, Siemens | 4 Arubaos, Sd-wan, Scalance W1750d and 1 more | 2022-02-11 | 8.8 HIGH | 8.1 HIGH |
| A remote cross-site request forgery (csrf) vulnerability was discovered in Aruba SD-WAN Software and Gateways; Aruba Operating System Software version(s): Prior to 8.6.0.4-2.2.0.4; Prior to 8.8.0.1, 8.7.1.2, 8.6.0.8, 8.5.0.12, 8.3.0.15. Aruba has released patches for Aruba SD-WAN Software and Gateways and ArubaOS that address this security vulnerability. | |||||
| CVE-2021-24843 | 1 Supportcandy | 1 Supportcandy | 2022-02-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| The SupportCandy WordPress plugin before 2.2.7 does not have CRSF check in its wpsc_tickets AJAX action, which could allow attackers to make a logged in admin call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action. | |||||
| CVE-2021-20636 | 1 Logitech | 2 Lan-w300n\/pr5b, Lan-w300n\/pr5b Firmware | 2022-02-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in LOGITEC LAN-W300N/PR5B allows remote attackers to hijack the authentication of administrators via a specially crafted URL. As a result, unintended operations to the device such as changes of the device settings may be conducted. | |||||
| CVE-2021-20641 | 1 Logitech | 2 Lan-w300n\/rs, Lan-w300n\/rs Firmware | 2022-02-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in LOGITEC LAN-W300N/RS allows remote attackers to hijack the authentication of administrators via a specially crafted URL. As a result, unintended operations to the device such as changes of the device settings may be conducted. | |||||
| CVE-2021-32732 | 1 Xwiki | 1 Xwiki | 2022-02-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| ### Impact It's possible to know if a user has or not an account in a wiki related to an email address, and which username(s) is actually tied to that email by forging a request to the Forgot username page. Note that since this page does not have a CSRF check it's quite easy to perform a lot of those requests. ### Patches This issue has been patched in XWiki 12.10.5 and 13.2RC1. Two different patches are provided: - a first one to fix the CSRF problem - a more complex one that now relies on sending an email for the Forgot username process. ### Workarounds It's possible to fix the problem without uprading by editing the ForgotUsername page in version below 13.x, to use the following code: https://github.com/xwiki/xwiki-platform/blob/69548c0320cbd772540cf4668743e69f879812cf/xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/ForgotUsername.xml#L39-L123 In version after 13.x it's also possible to edit manually the forgotusername.vm file, but it's really encouraged to upgrade the version here. ### References * https://jira.xwiki.org/browse/XWIKI-18384 * https://jira.xwiki.org/browse/XWIKI-18408 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki](https://jira.xwiki.org) * Email us at [security ML](mailto:security@xwiki.org) | |||||
| CVE-2021-24879 | 1 Supportcandy | 1 Supportcandy | 2022-02-10 | 6.8 MEDIUM | 8.8 HIGH |
| The SupportCandy WordPress plugin before 2.2.7 does not have CSRF check in the wpsc_tickets AJAX action, nor has any sanitisation or escaping in some of the filter fields which could allow attackers to make a logged in user having access to the ticket lists dashboard set an arbitrary filter (stored in their cookies) with an XSS payload in it. | |||||
| CVE-2021-39044 | 1 Ibm | 1 Financial Transaction Manager | 2022-02-05 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 214210. | |||||
| CVE-2022-23601 | 1 Sensiolabs | 1 Symfony | 2022-02-05 | 6.8 MEDIUM | 8.8 HIGH |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue. | |||||
| CVE-2021-25072 | 1 Nextscripts | 1 Social Networks Auto Poster | 2022-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.25 does not have CSRF check in place when deleting items, allowing attacker to make a logged in admin delete arbitrary posts via a CSRF attack | |||||