Total: 8114 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2021-45785 | 1 Trudesk Project | 1 Trudesk | 2024-11-21 | 6.5 Medium |
TruDesk Help Desk/Ticketing Solution v1.1.11 is vulnerable to a Cross-Site Request Forgery (CSRF) attack that allows an attacker to restart the server, causing a denial of service (DoS). The attacker must craft a web page that performs a GET request to the /api/v1/admin/restart endpoint; when a victim with sufficient privileges visits the page, the server restart begins. The attacker must know the full URL at which TruDesk is hosted in order to craft the page. | ||||
CVE-2021-45326 | 1 Gitea | 1 Gitea | 2024-11-21 | 8.8 High |
A Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes. This is especially dangerous for state-altering POST requests. | ||||
CVE-2021-45268 | 1 Backdropcms | 1 Backdrop | 2024-11-21 | 8.8 High |
A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20 that allows remote attackers to gain Remote Code Execution (RCE) on the hosting web server by uploading a malicious add-on containing a crafted PHP file. NOTE: the vendor disputes this because the attack requires the session cookie of a high-privileged authenticated user who is entitled to install arbitrary add-ons. | ||||
CVE-2021-45017 | 1 Catfish-cms | 1 Catfish Cms | 2024-11-21 | 8.8 High |
A Cross Site Request Forgery (CSRF) vulnerability exists in Catfish <=6.1.* when an HTML file containing a CSRF payload is uploaded to a site that uses the Google editor; the menu URL in the Add Menu column can then be set to the malicious URL. | ||||
CVE-2021-45007 | 1 Plesk | 1 Plesk | 2024-11-21 | 6.5 Medium |
Plesk 18.0.37 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows an attacker to insert data in the user and admin panel. NOTE: the vendor states that this is only a site-specific problem on the websites of one or more Plesk users. | ||||
CVE-2021-44942 | 1 Glfusion | 1 Glfusion | 2024-11-21 | 4.3 Medium |
glFusion CMS 1.7.9 is affected by a Cross Site Request Forgery (CSRF) vulnerability in /public_html/admin/plugins/bad_behavior2/blacklist.php. By tricking the administrator into clicking a crafted link, an attacker can add a blacklist entry. | ||||
CVE-2021-44321 | 1 Mini-inventory-and-sales-management-system Project | 1 Mini-inventory-and-sales-management-system | 2024-11-21 | 5.0 Medium |
Mini-Inventory-and-Sales-Management-System is affected by Cross Site Request Forgery (CSRF), where an attacker can update or delete items in the inventory. The attacker must be logged into the application and create a malicious file that updates the inventory details and items. | ||||
CVE-2021-44312 | 1 Firmware Analysis And Comparison Tool Project | 1 Firmware Analysis And Comparison Tool | 2024-11-21 | 8.8 High |
An issue was discovered in Firmware Analysis and Comparison Tool v3.2. Logged in administrators could be targeted by a CSRF attack through visiting a crafted web page. | ||||
CVE-2021-44227 | 3 Debian, Gnu, Redhat | 5 Debian Linux, Mailman, Enterprise Linux and 2 more | 2024-11-21 | 8.8 High |
In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes. | ||||
CVE-2021-44122 | 1 Spip | 1 Spip | 2024-11-21 | 8.8 High |
SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php, ecrire/public/balises.php, ecrire/balise/formulaire_.php. To exploit the vulnerability, a visitor must visit a malicious website which redirects to the SPIP website. It is also possible to combine XSS vulnerabilities in SPIP 4.0.0 to exploit it. The vulnerability allows an authenticated attacker to execute malicious code without the knowledge of the user on the website (CSRF). | ||||
CVE-2021-44117 | 1 Thedaylightstudio | 1 Fuel Cms | 2024-11-21 | 8.8 High |
A Cross Site Request Forgery (CSRF) vulnerability exists in TheDayLightStudio Fuel CMS 1.5.0 via a POST call to /fuel/sitevariables/delete/4. | ||||
CVE-2021-44036 | 1 Teampasswordmanager | 1 Team Password Manager | 2024-11-21 | 8.8 High |
Team Password Manager (aka TeamPasswordManager) before 10.135.236 has a CSRF vulnerability during import. | ||||
CVE-2021-43953 | 1 Atlassian | 2 Data Center, Jira | 2024-11-21 | 4.3 Medium |
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5. | ||||
CVE-2021-43952 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-11-21 | 4.3 Medium |
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to restore the default configuration of fields via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/RestoreDefaults.jspa endpoint. The affected versions are before version 8.21.0. | ||||
CVE-2021-43941 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-11-21 | 6.5 Medium |
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify several resources (including CsvFieldMappingsPage.jspa and ImporterValueMappingsPage.jspa) via a Cross-Site Request Forgery (CSRF) vulnerability in the jira-importers-plugin. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3. | ||||
CVE-2021-43846 | 1 Nebulab | 1 Solidus | 2024-11-21 | 5.3 Medium |
`solidus_frontend` is the cart and storefront for the Solidus e-commerce project. Versions of `solidus_frontend` prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. Versions 3.1.5, 3.0.5, and 2.11.14 contain a patch for this issue. The patch adds CSRF token verification to the "Add to cart" action. Adding forgery protection to a form that previously lacked it can have side effects. Other CSRF protection strategies, as well as a workaround involving a modification to `config/application.rb`, are available. More details on these mitigations are available in the GitHub Security Advisory. | ||||
CVE-2021-43777 | 1 Redash | 1 Redash | 2024-11-21 | 6.8 Medium |
Redash is a package for data visualization and sharing. In Redash version 10.0 and prior, the implementation of Google Login (via OAuth) incorrectly uses the `state` parameter to pass the next URL to redirect the user to after login. The `state` parameter should be used for a Cross-Site Request Forgery (CSRF) token, not a static and easily predicted value. This vulnerability does not affect users who do not use Google Login for their instance of Redash. A patch in the `master` and `release/10.x.x` branches addresses this by replacing `Flask-Oauthlib` with `Authlib` which automatically provides and validates a CSRF token for the state variable. The new implementation stores the next URL on the user session object. As a workaround, one may disable Google Login to mitigate the vulnerability. | ||||
CVE-2021-43738 | 1 Xiaohuanxiong Cms Project | 1 Xiaohuanxiong Cms | 2024-11-21 | 8.8 High |
An issue was discovered in xiaohuanxiong CMS 5.0.17. There is a CSRF vulnerability that can add an administrator account. | ||||
CVE-2021-43737 | 1 Xiaohuanxiong Project | 1 Xiaohuanxiong Cms | 2024-11-21 | 6.5 Medium |
An issue was discovered in xiaohuanxiong CMS 5.0.17. There is a CSRF vulnerability that can modify the administrator account's password. | ||||
CVE-2021-43559 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2024-11-21 | 8.8 High |
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk. | ||||
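Added example (not code from TruDesk, GNU Mailman or any other vendor in the table): a Python sketch of the two attack shapes the CVE-2021-45785 and CVE-2021-44227 entries describe, run against a checker with the flaw and against a hardened one. The TruDesk entry is a state change reachable by a plain GET, so an `<img>` tag on an attacker page fires it with the victim's cookie; the Mailman entry is a token that was not bound to who it was issued to, so a moderator's token validates an admin request. The hardened checker refuses non-POST methods for state-changing routes, checks Origin/Referer when present, and binds the token to both the session and the role it was minted for. Route names other than `/api/v1/admin/restart`, the roles, the `helpdesk.example` origin and the attacker lure are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Per-deployment secret used to mint tokens; generated here for the demo.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://helpdesk.example"  # assumed origin of the protected app

# State-changing routes and the role each requires. Only /api/v1/admin/restart
# comes from the TruDesk entry; the other route name is illustrative.
STATE_CHANGING = {
    "/api/v1/admin/restart": "admin",
    "/admin/set_password": "admin",
}


@dataclass
class Session:
    session_id: str  # identifier carried by the authenticated cookie
    role: str        # "member", "moderator" or "admin"


@dataclass
class Request:
    method: str
    path: str
    session: Session                           # resolved from the browser's cookie
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def _expected_token(session_id: str, role: str) -> str:
    return hmac.new(SERVER_SECRET, f"{session_id}:{role}".encode(), hashlib.sha256).hexdigest()


def issue_token(session: Session) -> str:
    """Mint a CSRF token bound to both the session and the role it was issued for.
    A token a moderator obtains for itself therefore cannot validate an admin form."""
    return _expected_token(session.session_id, session.role)


def vulnerable_authorize(req: Request) -> bool:
    """The pattern behind most rows above: only the cookie-borne role is checked,
    any HTTP method is accepted, and the browser attaches the cookie by itself."""
    required = STATE_CHANGING.get(req.path)
    return required is None or req.session.role == required


def _same_site(header_value: str) -> bool:
    # Origin is a bare origin; Referer is a full URL. Both must be our own site.
    return header_value == SITE_ORIGIN or header_value.startswith(SITE_ORIGIN + "/")


def hardened_authorize(req: Request) -> bool:
    """Method restriction, Origin/Referer check and a session+role bound token."""
    required = STATE_CHANGING.get(req.path)
    if required is None:
        return True                       # read-only route, nothing to protect
    if req.method != "POST":
        return False                      # <img src=...> and plain links stop here
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src and not _same_site(src):
        return False                      # cross-site form post
    if req.session.role != required:
        return False
    presented = req.form.get("csrf_token", "")
    return hmac.compare_digest(_expected_token(req.session.session_id, required), presented)


def demo() -> dict:
    """Replay both attack shapes against the two checkers."""
    admin = Session("sid-admin", "admin")
    moderator = Session("sid-mod", "moderator")

    # TruDesk-style: the admin views an attacker page containing
    # <img src="https://helpdesk.example/api/v1/admin/restart">.
    forged_get = Request("GET", "/api/v1/admin/restart", admin,
                         headers={"Referer": "https://attacker.example/lure.html"})

    # Mailman-style: a moderator obtains a token for its own session, embeds it in
    # a forged form, and gets the admin to submit it (lure page sends no Referer).
    forged_post = Request("POST", "/admin/set_password", admin,
                          form={"csrf_token": issue_token(moderator), "password": "x"})

    # A legitimate admin submission from the site's own page.
    legit = Request("POST", "/admin/set_password", admin,
                    headers={"Origin": SITE_ORIGIN},
                    form={"csrf_token": issue_token(admin), "password": "x"})

    return {
        "restart_get_vulnerable": vulnerable_authorize(forged_get),      # True
        "restart_get_hardened": hardened_authorize(forged_get),          # False
        "borrowed_token_vulnerable": vulnerable_authorize(forged_post),  # True
        "borrowed_token_hardened": hardened_authorize(forged_post),      # False
        "legit_hardened": hardened_authorize(legit),                     # True
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```

The Origin/Referer check alone is not enough: a lure page can suppress the Referer (and older clients omit Origin on form posts), which is why the forged Mailman-style request in `demo()` carries neither and is stopped only by the token binding. A SameSite cookie attribute would add a third layer but is not shown here.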
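Added example for the CVE-2021-43777 entry (not Redash's code, and not Authlib's): the OAuth `state` parameter before and after the fix the entry describes. In the vulnerable shape `state` carries the post-login URL, so it is predictable and the callback trusts it; in the hardened shape `state` is a random nonce stored in the session and compared on callback, while the destination URL lives in the session. The provider URL, client id and redirect URI are placeholders, the code-for-token exchange is elided, and the same-origin check on the destination is an extra guard added here, not something the entry states.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical provider and client settings; not Redash's configuration.
AUTHORIZE_URL = "https://idp.example/o/oauth2/auth"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://redash.example/oauth/callback"


def _authorize_url(state: str) -> str:
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "scope": "openid email", "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def state_of(url: str) -> str:
    """Read back the state parameter from an authorize URL (used in the demo)."""
    return parse_qs(urlparse(url).query)["state"][0]


def _is_local_path(url: str) -> bool:
    """Accept only a same-origin path as the post-login destination (extra guard)."""
    p = urlparse(url)
    return not p.scheme and not p.netloc and url.startswith("/") and not url.startswith("//")


def begin_login_vulnerable(next_url: str) -> str:
    """Pre-patch shape: state is the destination, so anyone can mint an authorize
    URL and the provider echoes that value back unchanged."""
    return _authorize_url(next_url)


def callback_vulnerable(session: dict, state: str, code: str) -> str:
    """Nothing proves this browser started the flow; state is used as the redirect."""
    session["user"] = f"user-for-{code}"  # exchange of `code` elided
    return state


def begin_login_hardened(session: dict, next_url: str) -> str:
    """Patched shape: a fresh nonce goes into state and into the session; the
    destination is remembered in the session, never in the round trip."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["next_url"] = next_url if _is_local_path(next_url) else "/"
    return _authorize_url(state)


def callback_hardened(session: dict, state: str, code: str):
    """Return the redirect target, or None when the callback is not tied to a login
    this session started (the caller answers 400 and logs nobody in). The stored
    state is consumed, so a replay of the same callback also fails."""
    expected = session.pop("oauth_state", None)
    if expected is None or not hmac.compare_digest(expected, state):
        return None
    session["user"] = f"user-for-{code}"  # exchange of `code` elided
    return session.pop("next_url", "/")


def demo() -> dict:
    # Vulnerable: an attacker-built authorize URL carries the attacker's chosen
    # destination in state, and the old callback redirects there after login.
    lure = begin_login_vulnerable("https://attacker.example/phish")
    victim = {}
    vuln_redirect = callback_vulnerable(victim, state_of(lure), "code-A")

    # Hardened: a forged state is rejected, a matching one is accepted once.
    sess = {}
    login_url = begin_login_hardened(sess, "/queries/7")
    forged = callback_hardened(sess, "https://attacker.example/phish", "code-A")
    sess = {}
    login_url = begin_login_hardened(sess, "/queries/7")
    legit = callback_hardened(sess, state_of(login_url), "code-B")
    replay = callback_hardened(sess, state_of(login_url), "code-B")

    return {
        "vulnerable_redirect": vuln_redirect,  # "https://attacker.example/phish"
        "hardened_forged": forged,             # None
        "hardened_legit": legit,               # "/queries/7"
        "hardened_replay": replay,             # None
    }


if __name__ == "__main__":
    print(demo())
```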