Vulnerabilities (CVE)

Filtered by CWE-352
Total 9184 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-36855 1 Bookingultrapro 1 Booking Ultra Pro Appointments Booking Calendar 2026-06-17 N/A 6.1 MEDIUM
Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in Booking Ultra Pro plugin <= 1.1.4 at WordPress.
CVE-2021-36854 1 Bookingultrapro 1 Booking Ultra Pro Appointments Booking Calendar 2026-06-17 N/A 5.4 MEDIUM
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Booking Ultra Pro plugin <= 1.1.4 at WordPress.
CVE-2021-36852 1 Thimpress 1 Wp Hotel Booking 2026-06-17 N/A 4.3 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking plugin <= 1.10.5 at WordPress.
CVE-2021-36850 1 Meowapps 1 Media File Renamer - Auto \& Manual Rename 2026-06-17 4.3 MEDIUM 5.4 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in WordPress Media File Renamer – Auto & Manual Rename plugin (versions <= 5.1.9). Affected parameters "post_title", "filename", "lock". This allows changing the uploaded media title, media file name, and media locking state.
CVE-2021-36570 1 Thedaylightstudio 1 Fuel Cms 2026-06-17 N/A 8.8 HIGH
Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /permissions/delete/2---.
CVE-2021-36569 1 Thedaylightstudio 1 Fuel Cms 2026-06-17 N/A 8.8 HIGH
Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /users/delete/2.
CVE-2021-36543 1 Seeddms 1 Seeddms 2026-06-17 4.3 MEDIUM 4.3 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in the /op/op.UnlockDocument.php in SeedDMS v5.1.x <5.1.23 and v6.0.x <6.0.16 allows a remote attacker to unlock any document without victim's knowledge, by enticing an authenticated user to visit an attacker's web page.
CVE-2021-36542 1 Seeddms 1 Seeddms 2026-06-17 4.3 MEDIUM 4.3 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in the /op/op.LockDocument.php in SeedDMS v5.1.x<5.1.23 and v6.0.x <6.0.16 allows a remote attacker to lock any document without victim's knowledge, by enticing an authenticated user to visit an attacker's web page.
CVE-2021-36444 1 Txjia 1 Imcat 2026-06-17 N/A 8.8 HIGH
Cross Site Request Forgery (CSRF) vulnerability in imcat 5.4 allows remote attackers to gain escalated privileges via flaws one time token generation on the add administrator page.
CVE-2021-36443 1 Txjia 1 Imcat 2026-06-17 N/A 8.8 HIGH
Cross Site Request Forgery vulnerability in imcat 5.4 allows remote attackers to escalate privilege via lack of token verification.
CVE-2021-35491 1 Wowza 1 Streaming Engine 2026-06-17 5.8 MEDIUM 8.1 HIGH
A Cross-Site Request Forgery (CSRF) vulnerability in Wowza Streaming Engine through 4.8.11+5 allows a remote attacker to delete a user account via the /enginemanager/server/user/delete.htm userName parameter. The application does not implement a CSRF token for the GET request. This issue was resolved in Wowza Streaming Engine release 4.8.14.
CVE-2021-35486 1 Nokia 1 Impact Mobile 2026-06-17 N/A 8.1 HIGH
A Cross-Site Request Forgery (CSRF) vulnerability in Nokia IMPACT through 19.11.2.10-20210118042150283 allows a remote attacker to import and overwrite the entire application configuration. Specifically, in /ui/rest-proxy/entity/import, neither the X-CSRF-NONCE HTTP header nor the CSRF-NONCE cookie is validated.
CVE-2021-35343 1 Seeddms 1 Seeddms 2026-06-17 4.3 MEDIUM 4.3 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in the /op/op.Ajax.php in SeedDMS v5.1.x<5.1.23 and v6.0.x<6.0.16 allows a remote attacker to edit document name without victim's knowledge, by enticing an authenticated user to visit an attacker's web page.
CVE-2021-35242 1 Solarwinds 1 Serv-u 2026-06-17 6.8 MEDIUM 8.3 HIGH
Serv-U server responds with valid CSRFToken when the request contains only Session.
CVE-2021-34773 1 Cisco 2 Unified Communications Manager, Unified Communications Manager Im And Presence Service 2026-06-17 4.3 MEDIUM 6.5 MEDIUM
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM &amp; Presence Service (Unified CM IM&amp;P) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user. These actions could include modifying the device configuration and deleting (but not creating) user accounts.
CVE-2021-34743 1 Cisco 1 Webex Meetings 2026-06-17 5.8 MEDIUM 4.3 MEDIUM
A vulnerability in the application integration feature of Cisco Webex Software could allow an unauthenticated, remote attacker to authorize an external application to integrate with and access a user's account without that user's express consent. This vulnerability is due to improper validation of cross-site request forgery (CSRF) tokens. An attacker could exploit this vulnerability by convincing a targeted user who is currently authenticated to Cisco Webex Software to follow a link designed to pass malicious input to the Cisco Webex Software application authorization interface. A successful exploit could allow the attacker to cause Cisco Webex Software to authorize an application on the user's behalf without the express consent of the user, possibly allowing external applications to read data from that user's profile.
CVE-2021-34661 1 Verygoodplugins 1 Wp Fusion 2026-06-17 4.3 MEDIUM 6.1 MEDIUM
The WP Fusion Lite WordPress plugin is vulnerable to Cross-Site Request Forgery via the `show_logs_section` function found in the ~/includes/admin/logging/class-log-handler.php file which allows attackers to drop all logs for the plugin, in versions up to and including 3.37.18.
CVE-2021-34645 1 Wpeasycart 1 Shopping Cart \& Ecommerce Store 2026-06-17 6.8 MEDIUM 8.8 HIGH
The Shopping Cart & eCommerce Store WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_currency_settings function found in the ~/admin/inc/wp_easycart_admin_initial_setup.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 5.1.0.
CVE-2021-34637 1 Post Index Project 1 Post Index 2026-06-17 6.8 MEDIUM 8.8 HIGH
The Post Index WordPress plugin is vulnerable to Cross-Site Request Forgery via the OptionsPage function found in the ~/php/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.5.
CVE-2021-34636 1 Wpdevart 1 Countdown And Countup\, Woocommerce Sales Timer 2026-06-17 6.8 MEDIUM 8.8 HIGH
The Countdown and CountUp, WooCommerce Sales Timers WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_theme function found in the ~/includes/admin/coundown_theme_page.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.7.