Total
7225 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-20841 | 1 Mattermost | 1 Mattermost Server | 2021-04-12 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. CSRF can sometimes occur via a crafted web site for account takeover attacks. | |||||
| CVE-2021-24173 | 1 Vm Backups Project | 1 Vm Backups | 2021-04-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as update the plugin's options, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24172 | 1 Vm Backups Project | 1 Vm Backups | 2021-04-09 | 4.3 MEDIUM | 4.3 MEDIUM |
| The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the DB, plugins, and current . | |||||
| CVE-2014-5217 | 1 Microfocus | 1 Access Manager | 2021-04-09 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in nps/servlet/webacc in the Administration Console server in NetIQ Access Manager (NAM) 4.x before 4.1 allows remote attackers to hijack the authentication of administrators for requests that change the administrative password via an fw.SetPassword action. | |||||
| CVE-2021-24166 | 1 Ninjaforms | 1 Ninja Forms | 2021-04-09 | 5.8 MEDIUM | 5.4 MEDIUM |
| The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection. | |||||
| CVE-2021-24161 | 1 Expresstech | 1 Responsive Menu | 2021-04-08 | 6.8 MEDIUM | 8.8 HIGH |
| In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into uploading a zip archive containing malicious PHP files. The attacker could then access those files to achieve remote code execution and further infect the targeted site. | |||||
| CVE-2021-24162 | 1 Expresstech | 1 Responsive Menu | 2021-04-08 | 6.8 MEDIUM | 8.8 HIGH |
| In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to include malicious JavaScript, therefore allowing an attacker to inject payloads that could aid in further infection of the site. | |||||
| CVE-2021-20687 | 1 Daifukuya | 1 Kagemai | 2021-04-08 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Kagemai 0.8.8 allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2021-29660 | 1 Softing | 1 Opc Toolbox | 2021-04-08 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability in en/cfg_setpwd.html in Softing AG OPC Toolbox through 4.10.1.13035 allows attackers to reset the administrative password by inducing the Administrator user to browse a URL controlled by an attacker. | |||||
| CVE-2021-22202 | 1 Gitlab | 1 Gitlab | 2021-04-07 | 4.3 MEDIUM | 4.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API. | |||||
| CVE-2021-29349 | 1 Mahara | 1 Mahara | 2021-04-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| Mahara 20.10 is affected by Cross Site Request Forgery (CSRF) that allows a remote attacker to remove inbox-mail on the server. The application fails to validate the CSRF token for a POST request. An attacker can craft a module/multirecipientnotification/inbox.php pieform_delete_all_notifications request, which leads to removing all messages from a mailbox. | |||||
| CVE-2017-7571 | 1 Ladybirdweb | 1 Faveo Helpdesk | 2021-04-01 | 6.0 MEDIUM | 8.0 HIGH |
| public/rolechangeadmin in Faveo 1.9.3 allows CSRF. The impact is obtaining admin privileges. | |||||
| CVE-2020-19639 | 1 Insma | 2 Wifi Mini Spy 1080p Hd Security Ip Camera, Wifi Mini Spy 1080p Hd Security Ip Camera Firmware | 2021-04-01 | 6.8 MEDIUM | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) vulnerability in INSMA Wifi Mini Spy 1080P HD Security IP Camera 1.9.7 B, via all fields to WebUI. | |||||
| CVE-2020-36283 | 1 Hidglobal | 4 Omnikey 5127, Omnikey 5127 Firmware, Omnikey 5427 and 1 more | 2021-03-26 | 6.8 MEDIUM | 8.8 HIGH |
| HID OMNIKEY 5427 and OMNIKEY 5127 readers are vulnerable to CSRF when using the EEM driver (Ethernet Emulation Mode). By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to upload a configuration file to the device. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. | |||||
| CVE-2021-24133 | 1 Activecampaign | 1 Activecampaign | 2021-03-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| Lack of CSRF checks in the ActiveCampaign WordPress plugin, versions before 8.0.2, on its Settings form, which could allow attacker to make a logged-in administrator change API Credentials to attacker's account. | |||||
| CVE-2021-26216 | 1 Seeddms | 1 Seeddms | 2021-03-22 | 4.3 MEDIUM | 4.3 MEDIUM |
| SeedDMS 5.1.x is affected by cross-site request forgery (CSRF) in out.EditFolder.php. | |||||
| CVE-2021-26215 | 1 Seeddms | 1 Seeddms | 2021-03-22 | 4.3 MEDIUM | 4.3 MEDIUM |
| SeedDMS 5.1.x is affected by cross-site request forgery (CSRF) in out.EditDocument.php. | |||||
| CVE-2020-24983 | 1 Quadbase | 1 Espressreports Es | 2021-03-19 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Quadbase EspressReports ES 7 Update 9. An unauthenticated attacker can create a malicious HTML file that houses a POST request made to the DashboardBuilder within the target web application. This request will utilise the target admin session and perform the authenticated request (to change the Dashboard name) as if the victim had done so themselves, aka CSRF. | |||||
| CVE-2020-24984 | 1 Quadbase | 1 Espressreports Es | 2021-03-18 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Quadbase EspressReports ES 7 Update 9. It allows CSRF, whereby an attacker may be able to trick an authenticated admin level user into uploading malicious files to the web server. | |||||
| CVE-2020-29553 | 1 Getgrav | 1 Grav Cms | 2021-03-18 | 5.1 MEDIUM | 8.8 HIGH |
| The Scheduler in Grav CMS through 1.7.0-rc.17 allows an attacker to execute a system command by tricking an admin into visiting a malicious website (CSRF). | |||||