Total
9184 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-34634 | 1 Sola-newsletters Project | 1 Sola-newsletters | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| The Nifty Newsletters WordPress plugin is vulnerable to Cross-Site Request Forgery via the sola_nl_wp_head function found in the ~/sola-newsletters.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.23. | |||||
| CVE-2021-34633 | 1 Youtube Feeder Project | 1 Youtube Feeder | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| The Youtube Feeder WordPress plugin is vulnerable to Cross-Site Request Forgery via the printAdminPage function found in the ~/youtube-feeder.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.1. | |||||
| CVE-2021-34632 | 1 Seo Backlinks Project | 1 Seo Backlinks | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| The SEO Backlinks WordPress plugin is vulnerable to Cross-Site Request Forgery via the loc_config function found in the ~/seo-backlinks.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.1. | |||||
| CVE-2021-34631 | 1 Ipdgroup | 1 Newsplugin | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| The NewsPlugin WordPress plugin is vulnerable to Cross-Site Request Forgery via the handle_save_style function found in the ~/news-plugin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.18. | |||||
| CVE-2021-34628 | 1 Weblizar | 1 Admin Custom Login | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| The Admin Custom Login WordPress plugin is vulnerable to Cross-Site Request Forgery due to the loginbgSave action found in the ~/includes/Login-form-setting/Login-form-background.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.7. | |||||
| CVE-2021-34620 | 1 Fluentforms | 1 Contact Form | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions | |||||
| CVE-2021-34619 | 1 Storeapps | 1 Stock Manager For Woocommerce | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| The WooCommerce Stock Manager WordPress plugin is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Upload in versions up to, and including, 2.5.7 due to missing nonce and file validation in the /woocommerce-stock-manager/trunk/admin/views/import-export.php file. | |||||
| CVE-2021-34547 | 1 Paessler | 1 Prtg Network Monitor | 2026-06-17 | 4.3 MEDIUM | 4.3 MEDIUM |
| PRTG Network Monitor 20.1.55.1775 allows /editsettings CSRF for user account creation. | |||||
| CVE-2021-34360 | 1 Qnap | 4 Nas Proxy Server, Qts, Quts Hero and 1 more | 2026-06-17 | 6.8 MEDIUM | 5.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP device running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Proxy Server: QTS 4.5.x: Proxy Server 1.4.2 ( 2021/12/30 ) and later QuTS hero h5.0.0: Proxy Server 1.4.3 ( 2022/01/18 ) and later QuTScloud c4.5.6: Proxy Server 1.4.2 ( 2021/12/30 ) and later | |||||
| CVE-2021-34358 | 1 Qnap | 2 Nas, Qmailagent | 2026-06-17 | 6.8 MEDIUM | 6.8 MEDIUM |
| We have already fixed this vulnerability in the following versions of QmailAgent: QmailAgent 3.0.2 ( 2021/08/25 ) and later | |||||
| CVE-2021-34244 | 1 Icehrm | 1 Icehrm | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| A cross site request forgery (CSRF) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to create new admin accounts or change users' passwords. | |||||
| CVE-2021-34167 | 1 Taogogo | 1 Taocms | 2026-06-17 | N/A | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) vulnerability in taoCMS 3.0.2 allows remote attackers to gain escalated privileges via taocms/admin/admin.php. | |||||
| CVE-2021-34086 | 1 Ultimaker | 6 Ultimaker 3, Ultimaker 3 Firmware, Ultimaker S3 and 3 more | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D printer S-line through 6.3 and Ultimaker 3 through 5.2.16, the local webserver hosts APIs vulnerable to CSRF. They do not verify incoming requests. | |||||
| CVE-2021-33396 | 1 Baijiacms Project | 1 Baijiacms | 2026-06-17 | N/A | 6.5 MEDIUM |
| Cross Site Request Forgery (CSRF) vulnerability in baijiacms 4.1.4, allows attackers to change the password or other information of an arbitrary account via index.php. | |||||
| CVE-2021-33338 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-06-17 | 5.1 MEDIUM | 7.5 HIGH |
| The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter. | |||||
| CVE-2021-32991 | 1 Deltaww | 1 Diaenergie | 2026-06-17 | 4.3 MEDIUM | 4.3 MEDIUM |
| Delta Electronics DIAEnergie Version 1.7.5 and prior is vulnerable to cross-site request forgery, which may allow an attacker to cause a user to carry out an action unintentionally. | |||||
| CVE-2021-32929 | 1 Uffizio | 1 Gps Tracker | 2026-06-17 | 6.8 MEDIUM | 4.3 MEDIUM |
| All versions of Uffizio GPS Tracker may allow an attacker to perform unintended actions on behalf of a user. | |||||
| CVE-2021-32776 | 1 Combodo | 1 Itop | 2026-06-17 | 6.8 MEDIUM | 6.8 MEDIUM |
| Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, CSRF tokens can be reused by a malicious user, as on Windows servers no cleanup is done on CSRF tokens. This issue is fixed in versions 2.7.4 and 3.0.0. | |||||
| CVE-2021-32774 | 1 Miraheze | 1 Datadump | 2026-06-17 | 5.8 MEDIUM | 6.1 MEDIUM |
| DataDump is a MediaWiki extension that provides dumps of wikis. Prior to commit 67a82b76e186925330b89ace9c5fd893a300830b, DataDump had no protection against CSRF attacks so requests to generate or delete dumps could be forged. The vulnerability was patched in commit 67a82b76e186925330b89ace9c5fd893a300830b. There are no known workarounds. You must completely disable DataDump. | |||||
| CVE-2021-32732 | 1 Xwiki | 1 Xwiki | 2026-06-17 | 4.3 MEDIUM | 7.5 HIGH |
| ### Impact It's possible to know if a user has or not an account in a wiki related to an email address, and which username(s) is actually tied to that email by forging a request to the Forgot username page. Note that since this page does not have a CSRF check it's quite easy to perform a lot of those requests. ### Patches This issue has been patched in XWiki 12.10.5 and 13.2RC1. Two different patches are provided: - a first one to fix the CSRF problem - a more complex one that now relies on sending an email for the Forgot username process. ### Workarounds It's possible to fix the problem without uprading by editing the ForgotUsername page in version below 13.x, to use the following code: https://github.com/xwiki/xwiki-platform/blob/69548c0320cbd772540cf4668743e69f879812cf/xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/ForgotUsername.xml#L39-L123 In version after 13.x it's also possible to edit manually the forgotusername.vm file, but it's really encouraged to upgrade the version here. ### References * https://jira.xwiki.org/browse/XWIKI-18384 * https://jira.xwiki.org/browse/XWIKI-18408 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki](https://jira.xwiki.org) * Email us at [security ML](mailto:security@xwiki.org) | |||||
