Vulnerabilities (CVE)

Filtered by CWE-352
Total 9186 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-47860 1 Get-simple 1 Getsimplecms 2026-06-17 N/A 5.3 MEDIUM
GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to execute remote code on the hosting server when an authenticated administrator visits the page.
CVE-2021-47830 1 Get-simple 1 Getsimplecms 2026-06-17 N/A 6.5 MEDIUM
GetSimple CMS My SMTP Contact Plugin 1.1.1 contains a cross-site request forgery (CSRF) vulnerability. Attackers can craft a malicious webpage that, when visited by an authenticated administrator, can change SMTP configuration settings in the plugin. This may allow unauthorized changes but does not directly enable remote code execution.
CVE-2021-47820 2026-06-17 N/A 5.3 MEDIUM
Ubee EVW327 contains a cross-site request forgery vulnerability that allows attackers to enable remote access without user interaction. Attackers can craft a malicious webpage that automatically submits a form to change router remote access settings to port 8080 without the user's consent.
CVE-2021-47800 2026-06-17 N/A 5.3 MEDIUM
b2evolution 7.2.2 contains a cross-site request forgery vulnerability that allows attackers to modify admin account details without authentication. Attackers can craft a malicious HTML form to submit unauthorized changes to user profiles by tricking victims into loading a specially crafted webpage.
CVE-2021-47754 1 Arunna 1 Arunna 2026-06-17 N/A 6.5 MEDIUM
Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users into submitting the form.
CVE-2021-47730 1 Selea 23 Carplateserver, Izero Box Full, Izero Box Full Firmware and 20 more 2026-06-17 N/A 8.8 HIGH
Selea Targa IP OCR-ANPR Camera contains a cross-site request forgery vulnerability that allows attackers to create administrative users without authentication. Attackers can craft a malicious web page that submits a form to add a new admin user with full system privileges when a logged-in user visits the page.
CVE-2021-47723 1 Stvs 1 Provision 2026-06-17 N/A 8.8 HIGH
STVS ProVision 5.9.10 contains a cross-site request forgery vulnerability that allows attackers to perform actions with administrative privileges by exploiting unvalidated HTTP requests. Attackers can visit malicious web sites to trigger the forge request, allowing them to create new admin users.
CVE-2021-47722 2026-06-17 N/A 3.5 LOW
Zucchetti Axess CLOKI Access Control 1.64 contains a cross-site request forgery vulnerability that allows attackers to manipulate access control settings without user interaction. Attackers can craft malicious web pages with hidden forms to disable or modify access control parameters by tricking authenticated users into loading the page.
CVE-2021-47702 1 Openbmcs 1 Openbmcs 2026-06-17 N/A 4.3 MEDIUM
OpenBMCS 2.4 contains a CSRF vulnerability that allows attackers to perform actions with administrative privileges by exploiting the sendFeedback.php endpoint. Attackers can submit malicious requests to trigger unintended actions, such as sending emails or modifying system settings.
CVE-2021-46426 1 Phpipam 1 Phpipam 2026-06-17 4.3 MEDIUM 6.1 MEDIUM
phpIPAM 1.4.4 allows Reflected XSS and CSRF via app/admin/subnets/find_free_section_subnets.php of the subnets functionality.
CVE-2021-46398 1 Filebrowser 1 Filebrowser 2026-06-17 6.8 MEDIUM 8.8 HIGH
A Cross-Site Request Forgery vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim. An admin can run commands using the FileBrowser and hence it leads to RCE.
CVE-2021-46366 1 Magnolia-cms 1 Magnolia Cms 2026-06-17 6.8 MEDIUM 8.8 HIGH
An issue in the Login page of Magnolia CMS v6.2.3 and below allows attackers to exploit both an Open Redirect vulnerability and Cross-Site Request Forgery (CSRF) in order to brute force and exfiltrate users' credentials.
CVE-2021-46252 1 Scratch-wiki 1 Scratch Confirmaccount V3 2026-06-17 4.3 MEDIUM 6.5 MEDIUM
A Cross-Site Request Forgery (CSRF) in RequirementsBypassPage.php of Scratch Wiki scratch-confirmaccount-v3 allows attackers to modify account request requirement bypasses.
CVE-2021-46147 1 Mediawiki 1 Mediawiki 2026-06-17 6.8 MEDIUM 8.8 HIGH
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. MassEditRegex allows CSRF.
CVE-2021-46080 1 Vehicle Service Management System Project 1 Vehicle Service Management System 2026-06-17 3.5 LOW 4.8 MEDIUM
A Cross Site Request Forgery (CSRF) vulnerability exists in Vehicle Service Management System 1.0. An successful CSRF attacks leads to Stored Cross Site Scripting Vulnerability.
CVE-2021-46028 1 Mblog Project 1 Mblog 2026-06-17 4.3 MEDIUM 4.3 MEDIUM
In mblog <= 3.5.0 there is a CSRF vulnerability in the background article management. The attacker constructs a CSRF load. Once the administrator clicks a malicious link, the article will be deleted.
CVE-2021-46027 1 Wangl1989 1 Mysiteforme 2026-06-17 4.3 MEDIUM 6.5 MEDIUM
mysiteforme, as of 19-12-2022, has a CSRF vulnerability in the background blog management. The attacker constructs a CSRF load. Once the administrator clicks a malicious link, a blog tag will be added
CVE-2021-45886 1 Ponton 1 X\/p Messenger 2026-06-17 6.8 MEDIUM 8.8 HIGH
An issue was discovered in PONTON X/P Messenger before 3.11.2. Anti-CSRF tokens are globally valid, making the web application vulnerable to a weakened version of CSRF, where an arbitrary token of a low-privileged user (such as operator) can be used to confirm actions of higher-privileged ones (such as xpadmin).
CVE-2021-45785 1 Trudesk Project 1 Trudesk 2026-06-17 N/A 6.5 MEDIUM
TruDesk Help Desk/Ticketing Solution v1.1.11 is vulnerable to a Cross-Site Request Forgery (CSRF) attack which would allow an attacker to restart the server, causing a DoS attack. The attacker must craft a webpage that would perform a GET request to the /api/v1/admin/restart endpoint, then the victim (who has sufficient privileges), would visit the page and the server restart would begin. The attacker must know the full URL that TruDesk is on in order to craft the webpage.
CVE-2021-45326 1 Gitea 1 Gitea 2026-06-17 6.8 MEDIUM 8.8 HIGH
Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes.This can be dangerous especially with state altering POST requests.