Total
8134 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-24218 | 1 Facebook | 1 Facebook | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved. | |||||
CVE-2021-24179 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator import files. As the plugin also did not validate uploaded files, it could lead to RCE. | |||||
CVE-2021-24178 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues. | |||||
CVE-2021-24174 | 1 Database-backups Project | 1 Database-backups | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
The Database Backups WordPress plugin through 1.2.2.6 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the database, change the plugin's settings and delete backups. | |||||
CVE-2021-24173 | 1 Vm Backups Project | 1 Vm Backups | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as update the plugin's options, leading to a Stored Cross-Site Scripting issue. | |||||
CVE-2021-24172 | 1 Vm Backups Project | 1 Vm Backups | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the DB, plugins, and current . | |||||
CVE-2021-24166 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection. | |||||
CVE-2021-24162 | 1 Expresstech | 1 Responsive Menu | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to include malicious JavaScript, therefore allowing an attacker to inject payloads that could aid in further infection of the site. | |||||
CVE-2021-24161 | 1 Expresstech | 1 Responsive Menu | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into uploading a zip archive containing malicious PHP files. The attacker could then access those files to achieve remote code execution and further infect the targeted site. | |||||
CVE-2021-24159 | 1 Rocklobster | 1 Contact Form 7 | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPress plugin through 3.1.9. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript. | |||||
CVE-2021-24133 | 1 Activecampaign | 1 Activecampaign | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
Lack of CSRF checks in the ActiveCampaign WordPress plugin, versions before 8.0.2, on its Settings form, which could allow attacker to make a logged-in administrator change API Credentials to attacker's account. | |||||
CVE-2021-23849 | 1 Bosch | 14 Aviotec, Aviotec Firmware, Cpp13 and 11 more | 2024-11-21 | 6.8 MEDIUM | 7.5 HIGH |
A vulnerability in the web-based interface allows an unauthenticated remote attacker to trigger actions on an affected system on behalf of another user (CSRF - Cross Site Request Forgery). This requires the victim to be tricked into clicking a malicious link or opening a malicious website while being logged in into the camera. | |||||
CVE-2021-23431 | 1 Joplinapp | 1 Joplin | 2024-11-21 | 6.8 MEDIUM | 5.4 MEDIUM |
The package joplin before 2.3.2 are vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms. | |||||
CVE-2021-23404 | 1 Sqlite-web Project | 1 Sqlite-web | 2024-11-21 | 6.8 MEDIUM | 7.6 HIGH |
This affects all versions of package sqlite-web. The SQL dashboard area allows sensitive actions to be performed without validating that the request originated from the application. This could enable an attacker to trick a user into performing these actions unknowingly through a Cross Site Request Forgery (CSRF) attack. | |||||
CVE-2021-23227 | 1 Php Everywhere Project | 1 Php Everywhere | 2024-11-21 | 6.8 MEDIUM | 5.4 MEDIUM |
Cross-Site Request Forgery (CSRF) vulnerability in Alexander Fuchs PHP Everywhere plugin <= 2.0.2 versions. | |||||
CVE-2021-23163 | 1 Jfrog | 1 Artifactory | 2024-11-21 | 6.8 MEDIUM | 3.1 LOW |
JFrog Artifactory prior to version 7.33.6 and 6.23.38, is vulnerable to CSRF ( Cross-Site Request Forgery) for specific endpoints. This issue affects: JFrog JFrog Artifactory JFrog Artifactory versions before 7.33.6 versions prior to 7.x; JFrog Artifactory versions before 6.23.38 versions prior to 6.x. | |||||
CVE-2021-23026 | 1 F5 | 15 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 12 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x and all versions of BIG-IQ 8.x, 7.x, and 6.x are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
CVE-2021-22954 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
A cross-site request forgery vulnerability exists in Concrete CMS <v9 that could allow an attacker to make requests on behalf of other users. | |||||
CVE-2021-22953 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to clone topics which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security Research Team" | |||||
CVE-2021-22950 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
Concrete CMS prior to 8.5.6 had a CSFR vulnerability allowing attachments to comments in the conversation section to be deleted.Credit for discovery: "Solar Security Research Team" |