Vulnerabilities (CVE)

Filtered by CWE-352
Total 8134 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-24218 1 Facebook 1 Facebook 2024-11-21 6.8 MEDIUM 8.8 HIGH
The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved.
CVE-2021-24179 1 Strategy11 1 Business Directory Plugin - Easy Listing Directories 2024-11-21 6.8 MEDIUM 8.8 HIGH
The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator import files. As the plugin also did not validate uploaded files, it could lead to RCE.
CVE-2021-24178 1 Strategy11 1 Business Directory Plugin - Easy Listing Directories 2024-11-21 6.8 MEDIUM 8.8 HIGH
The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues.
CVE-2021-24174 1 Database-backups Project 1 Database-backups 2024-11-21 5.8 MEDIUM 8.1 HIGH
The Database Backups WordPress plugin through 1.2.2.6 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the database, change the plugin's settings and delete backups.
CVE-2021-24173 1 Vm Backups Project 1 Vm Backups 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as update the plugin's options, leading to a Stored Cross-Site Scripting issue.
CVE-2021-24172 1 Vm Backups Project 1 Vm Backups 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the DB, plugins, and current .
CVE-2021-24166 1 Ninjaforms 1 Ninja Forms 2024-11-21 5.8 MEDIUM 5.4 MEDIUM
The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection.
CVE-2021-24162 1 Expresstech 1 Responsive Menu 2024-11-21 6.8 MEDIUM 8.8 HIGH
In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to include malicious JavaScript, therefore allowing an attacker to inject payloads that could aid in further infection of the site.
CVE-2021-24161 1 Expresstech 1 Responsive Menu 2024-11-21 6.8 MEDIUM 8.8 HIGH
In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into uploading a zip archive containing malicious PHP files. The attacker could then access those files to achieve remote code execution and further infect the targeted site.
CVE-2021-24159 1 Rocklobster 1 Contact Form 7 2024-11-21 6.8 MEDIUM 8.8 HIGH
Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPress plugin through 3.1.9. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript.
CVE-2021-24133 1 Activecampaign 1 Activecampaign 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
Lack of CSRF checks in the ActiveCampaign WordPress plugin, versions before 8.0.2, on its Settings form, which could allow attacker to make a logged-in administrator change API Credentials to attacker's account.
CVE-2021-23849 1 Bosch 14 Aviotec, Aviotec Firmware, Cpp13 and 11 more 2024-11-21 6.8 MEDIUM 7.5 HIGH
A vulnerability in the web-based interface allows an unauthenticated remote attacker to trigger actions on an affected system on behalf of another user (CSRF - Cross Site Request Forgery). This requires the victim to be tricked into clicking a malicious link or opening a malicious website while being logged in into the camera.
CVE-2021-23431 1 Joplinapp 1 Joplin 2024-11-21 6.8 MEDIUM 5.4 MEDIUM
The package joplin before 2.3.2 are vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms.
CVE-2021-23404 1 Sqlite-web Project 1 Sqlite-web 2024-11-21 6.8 MEDIUM 7.6 HIGH
This affects all versions of package sqlite-web. The SQL dashboard area allows sensitive actions to be performed without validating that the request originated from the application. This could enable an attacker to trick a user into performing these actions unknowingly through a Cross Site Request Forgery (CSRF) attack.
CVE-2021-23227 1 Php Everywhere Project 1 Php Everywhere 2024-11-21 6.8 MEDIUM 5.4 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in Alexander Fuchs PHP Everywhere plugin <= 2.0.2 versions.
CVE-2021-23163 1 Jfrog 1 Artifactory 2024-11-21 6.8 MEDIUM 3.1 LOW
JFrog Artifactory prior to version 7.33.6 and 6.23.38, is vulnerable to CSRF ( Cross-Site Request Forgery) for specific endpoints. This issue affects: JFrog JFrog Artifactory JFrog Artifactory versions before 7.33.6 versions prior to 7.x; JFrog Artifactory versions before 6.23.38 versions prior to 6.x.
CVE-2021-23026 1 F5 15 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 12 more 2024-11-21 6.8 MEDIUM 8.8 HIGH
BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x and all versions of BIG-IQ 8.x, 7.x, and 6.x are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2021-22954 1 Concretecms 1 Concrete Cms 2024-11-21 6.8 MEDIUM 8.8 HIGH
A cross-site request forgery vulnerability exists in Concrete CMS <v9 that could allow an attacker to make requests on behalf of other users.
CVE-2021-22953 1 Concretecms 1 Concrete Cms 2024-11-21 5.8 MEDIUM 5.4 MEDIUM
A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to clone topics which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security Research Team"
CVE-2021-22950 1 Concretecms 1 Concrete Cms 2024-11-21 4.3 MEDIUM 6.5 MEDIUM
Concrete CMS prior to 8.5.6 had a CSFR vulnerability allowing attachments to comments in the conversation section to be deleted.Credit for discovery: "Solar Security Research Team"