Total
8869 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-30694 | 1 Siemens | 223 6ag1151-8ab01-7ab0, 6ag1151-8ab01-7ab0 Firmware, 6ag1151-8fb01-2ab0 and 220 more | 2024-11-21 | N/A | 6.5 MEDIUM |
| The login endpoint /FormLogin in affected web services does not apply proper origin checking. This could allow authenticated remote attackers to track the activities of other users via a login cross-site request forgery attack. | |||||
| CVE-2022-30544 | 1 Hyumika | 1 Openstreetmap | 2024-11-21 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) in MiKa's OSM – OpenStreetMap plugin <= 6.0.1 versions. | |||||
| CVE-2022-30337 | 1 Joomunited | 1 Wp Meta Seo | 2024-11-21 | N/A | 5.4 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in JoomUnited WP Meta SEO plugin <= 4.4.8 at WordPress allows an attacker to update the social settings. | |||||
| CVE-2022-30328 | 1 Trendnet | 2 Tew-831dr, Tew-831dr Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was found on TRENDnet TEW-831DR 1.0 601.130.1.1356 devices. The username and password setup for the web interface does not require entering the existing password. A malicious user can change the username and password of the interface. | |||||
| CVE-2022-30327 | 1 Trendnet | 2 Tew-831dr, Tew-831dr Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was found on TRENDnet TEW-831DR 1.0 601.130.1.1356 devices. The web interface is vulnerable to CSRF. An attacker can change the pre-shared key of the Wi-Fi router if the interface's IP address is known. | |||||
| CVE-2022-30280 | 1 Nokia | 1 Netact | 2024-11-21 | N/A | 8.8 HIGH |
| /SecurityManagement/html/createuser.jsf in Nokia NetAct 22 allows CSRF. A remote attacker is able to create users with arbitrary privileges, even administrative privileges. The application (even if it implements a CSRF token for the random GET request) does not ever verify a CSRF token. With a little help of social engineering/phishing (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. | |||||
| CVE-2022-30014 | 1 Simple Food Website Project | 1 Simple Food Website | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Lumidek Associates Simple Food Website 1.0 is vulnerable to Cross Site Request Forgery (CSRF) which allows anyone to takeover admin/moderater account. | |||||
| CVE-2022-2986 | 1 Moodle | 1 Moodle | 2024-11-21 | N/A | 8.8 HIGH |
| Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk. | |||||
| CVE-2022-2839 | 1 Zephyr-one | 1 Zephyr Project Manager | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins. | |||||
| CVE-2022-2783 | 1 Octopus | 1 Octopus Server | 2024-11-21 | N/A | 5.3 MEDIUM |
| In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token | |||||
| CVE-2022-2657 | 1 Wc-marketplace | 1 Multivendor Marketplace Solution For Woocommerce - Wc Marketplace | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Multivendor Marketplace Solution for WooCommerce WordPress plugin before 3.8.12 is lacking authorisation and CSRF in multiple AJAX actions, which could allow any authenticated users, such as subscriber to call them and suspend vendors (reporter by the submitter) or update arbitrary order status (identified by WPScan when verifying the issue) for example. Other unauthenticated attacks are also possible, either directly or via CSRF | |||||
| CVE-2022-2555 | 1 Yotpo Reviews For Woocommerce Project | 1 Yotpo Reviews For Woocommerce | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Yotpo Reviews for WooCommerce WordPress plugin through 2.0.4 lacks nonce check when updating its settings, which could allow attacker to make a logged in admin change them via a CSRF attack. | |||||
| CVE-2022-2432 | 1 Lightspeedhq | 1 Ecwid Ecommerce Shopping Cart | 2024-11-21 | N/A | 8.8 HIGH |
| The Ecwid Ecommerce Shopping Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.10.23. This is due to missing or incorrect nonce validation on the ecwid_update_plugin_params function. This makes it possible for unauthenticated attackers to update plugin options granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-2389 | 1 Funnelkit | 1 Funnelkit Automations | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Abandoned Cart Recovery for WooCommerce, Follow Up Emails, Newsletter Builder & Marketing Automation By Autonami WordPress plugin before 2.1.2 does not have authorisation and CSRF checks in one of its AJAX action, allowing any authenticated users, such as subscriber to create automations | |||||
| CVE-2022-2388 | 1 Wow-company | 1 Wp Coder | 2024-11-21 | N/A | 6.5 MEDIUM |
| The WP Coder WordPress plugin before 2.5.3 does not have CSRF check in place when deleting code created by the plugin, which could allow attackers to make a logged in admin delete arbitrary ones via a CSRF attack | |||||
| CVE-2022-2382 | 1 Shapedplugin | 1 Product Slider For Woocommerce | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Product Slider for WooCommerce WordPress plugin before 2.5.7 has flawed CSRF checks and lack authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber to call them. One in particular could allow them to delete arbitrary blog options. | |||||
| CVE-2022-2381 | 1 E Unlocked - Student Result Project | 1 E Unlocked - Student Result | 2024-11-21 | N/A | 8.8 HIGH |
| The E Unlocked - Student Result WordPress plugin through 1.0.4 is lacking CSRF and validation when uploading the School logo, which could allow attackers to make a logged in admin upload arbitrary files, such as PHP via a CSRF attack | |||||
| CVE-2022-2377 | 1 Wpwax | 1 Directorist | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog | |||||
| CVE-2022-2375 | 1 Okapitech | 1 Wp Sticky Button | 2024-11-21 | N/A | 5.4 MEDIUM |
| The WP Sticky Button WordPress plugin before 1.4.1 does not have authorisation and CSRF checks when saving its settings, allowing unauthenticated users to update them. Furthermore, due to the lack of escaping in some of them, it could lead to Stored Cross-Site Scripting issues | |||||
| CVE-2022-2353 | 1 Microweber | 1 Microweber | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user. | |||||