Total
7852 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-29624 | 1 Fastify | 1 Fastify-csrf | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Version 3.1.0 of the fastify-csrf fixes it. the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains. | |||||
| CVE-2021-29436 | 1 Anuko | 1 Time Tracker | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
| Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In Time Tracker before version 1.19.27.5431 a Cross site request forgery (CSRF) vulnerability existed. The nature of CSRF is that a logged on user may be tricked by social engineering to click on an attacker-provided form that executes an unintended action such as changing user password. The vulnerability is fixed in Time Tracker version 1.19.27.5431. Upgrade is recommended. If upgrade is not practical, introduce ttMitigateCSRF() function in /WEB-INF/lib/common.php.lib using the latest available code and call it from ttAccessAllowed(). | |||||
| CVE-2021-29435 | 1 Trestle-auth Project | 1 Trestle-auth | 2024-11-21 | 4.3 MEDIUM | 8.1 HIGH |
| trestle-auth is an authentication plugin for the Trestle admin framework. A vulnerability in trestle-auth versions 0.4.0 and 0.4.1 allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially allows an attacker to alter protected data, including admin account credentials. The vulnerability has been fixed in trestle-auth 0.4.2 released to RubyGems. | |||||
| CVE-2021-29400 | 1 Netexplorer | 1 My Smtp Contact | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in the My SMTP Contact v1.1.1 plugin for GetSimple CMS allows remote attackers to change the SMTP settings of the contact forms for the webpages of the CMS after an authenticated admin visits a malicious third-party site. | |||||
| CVE-2021-29349 | 1 Mahara | 1 Mahara | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Mahara 20.10 is affected by Cross Site Request Forgery (CSRF) that allows a remote attacker to remove inbox-mail on the server. The application fails to validate the CSRF token for a POST request. An attacker can craft a module/multirecipientnotification/inbox.php pieform_delete_all_notifications request, which leads to removing all messages from a mailbox. | |||||
| CVE-2021-29238 | 1 Codesys | 1 Automation Server | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| CODESYS Automation Server before 1.16.0 allows cross-site request forgery (CSRF). | |||||
| CVE-2021-29054 | 1 Papoo | 1 Papoo | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Certain Papoo products are affected by: Cross Site Request Forgery (CSRF) in the admin interface. This affects Papoo CMS Light through 21.02 and Papoo CMS Pro through 6.0.1. The impact is: gain privileges (remote). | |||||
| CVE-2021-29050 | 2024-11-21 | N/A | 8.8 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in the terms of use page in Liferay Portal before 7.3.6, and Liferay DXP 7.3 before service pack 1, 7.2 before fix pack 11 allows remote attackers to accept the site's terms of use via social engineering and enticing the user to visit a malicious page. | |||||
| CVE-2021-28490 | 1 Owasp | 1 Csrfguard | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| In OWASP CSRFGuard through 3.1.0, CSRF can occur because the CSRF cookie may be retrieved by using only a session token. | |||||
| CVE-2021-28280 | 1 Php-fusion | 1 Phpfusion | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| CSRF + Cross-site scripting (XSS) vulnerability in search.php in PHPFusion 9.03.110 allows remote attackers to inject arbitrary web script or HTML | |||||
| CVE-2021-28070 | 1 Popojicms | 1 Popojicms | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| Cross Site Request Forgery (CSRF) vulnerability exist in PopojiCMS 2.0.1 in po-admin/route.php?mod=user&act=multidelete. | |||||
| CVE-2021-27927 | 1 Zabbix | 1 Zabbix | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges. | |||||
| CVE-2021-27885 | 1 E107 | 1 E107 | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism. | |||||
| CVE-2021-27758 | 1 Hcltech | 1 Bigfix Inventory | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| There is a security vulnerability in login form related to Cross-site Request Forgery which prevents user to login after attacker spam to login and system blocked victim's account. | |||||
| CVE-2021-27557 | 1 Easycorp | 1 Zentao | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in the Cron job tab in EasyCorp ZenTao 12.5.3 allows attackers to update the fields of a Cron job. | |||||
| CVE-2021-27181 | 1 Altn | 1 Mdaemon | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in MDaemon before 20.0.4. Remote Administration allows an attacker to perform a fixation of the anti-CSRF token. In order to exploit this issue, the user has to click on a malicious URL provided by the attacker and successfully authenticate into the application. Having the value of the anti-CSRF token, the attacker may trick the user into visiting his malicious page and performing any request with the privileges of attacked user. | |||||
| CVE-2021-26961 | 1 Arubanetworks | 1 Airwave | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A remote unauthenticated cross-site request forgery (csrf) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. A vulnerability in the AirWave web-based management interface could allow an unauthenticated remote attacker to conduct a CSRF attack against a vulnerable system. A successful exploit would consist of an attacker persuading an authorized user to follow a malicious link, resulting in arbitrary actions being carried out with the privilege level of the targeted user. | |||||
| CVE-2021-26960 | 1 Arubanetworks | 1 Airwave | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A remote unauthenticated cross-site request forgery (csrf) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. A vulnerability in the AirWave web-based management interface could allow an unauthenticated remote attacker to conduct a CSRF attack against a vulnerable system. A successful exploit would consist of an attacker persuading an authorized user to follow a malicious link, resulting in arbitrary actions being carried out with the privilege level of the targeted user. | |||||
| CVE-2021-26800 | 1 User Management System In Php Stored Procedure Project | 1 User Management System In Php Stored Procedure | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross Site Request Forgery (CSRF) vulnerability in Change-password.php in phpgurukul user management system in php using stored procedure V1.0, allows attackers to change the password to an arbitrary account. | |||||
| CVE-2021-26474 | 1 Vembu | 2 Bdr Suite, Offsite Dr | 2024-11-21 | 6.8 MEDIUM | 8.6 HIGH |
| Various Vembu products allow an attacker to execute a (non-blind) http-only Cross Site Request Forgery (Other products or versions of products in this family may be affected too.) | |||||