Total
7170 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-44321 | 1 Mini-inventory-and-sales-management-system Project | 1 Mini-inventory-and-sales-management-system | 2024-11-21 | 5.0 Medium |
| Mini-Inventory-and-Sales-Management-System is affected by Cross Site Request Forgery (CSRF), where an attacker can update/delete items in the inventory. The attacker must be logged into the application create a malicious file for updating the inventory details and items. | ||||
| CVE-2021-44312 | 1 Firmware Analysis And Comparison Tool Project | 1 Firmware Analysis And Comparison Tool | 2024-11-21 | 8.8 High |
| An issue was discovered in Firmware Analysis and Comparison Tool v3.2. Logged in administrators could be targeted by a CSRF attack through visiting a crafted web page. | ||||
| CVE-2021-44227 | 3 Debian, Gnu, Redhat | 5 Debian Linux, Mailman, Enterprise Linux and 2 more | 2024-11-21 | 8.8 High |
| In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes. | ||||
| CVE-2021-44122 | 1 Spip | 1 Spip | 2024-11-21 | 8.8 High |
| SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php, ecrire/public/balises.php, ecrire/balise/formulaire_.php. To exploit the vulnerability, a visitor must visit a malicious website which redirects to the SPIP website. It is also possible to combine XSS vulnerabilities in SPIP 4.0.0 to exploit it. The vulnerability allows an authenticated attacker to execute malicious code without the knowledge of the user on the website (CSRF). | ||||
| CVE-2021-44117 | 1 Thedaylightstudio | 1 Fuel Cms | 2024-11-21 | 8.8 High |
| A Cross Site Request Forgery (CSRF) vulnerability exists in TheDayLightStudio Fuel CMS 1.5.0 via a POST call to /fuel/sitevariables/delete/4. | ||||
| CVE-2021-44036 | 1 Teampasswordmanager | 1 Team Password Manager | 2024-11-21 | 8.8 High |
| Team Password Manager (aka TeamPasswordManager) before 10.135.236 has a CSRF vulnerability during import. | ||||
| CVE-2021-43953 | 1 Atlassian | 2 Data Center, Jira | 2024-11-21 | 4.3 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5. | ||||
| CVE-2021-43952 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-11-21 | 4.3 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to restore the default configuration of fields via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/RestoreDefaults.jspa endpoint. The affected versions are before version 8.21.0. | ||||
| CVE-2021-43941 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-11-21 | 6.5 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify several resources (including CsvFieldMappingsPage.jspa and ImporterValueMappingsPage.jspa) via a Cross-Site Request Forgery (CSRF) vulnerability in the jira-importers-plugin. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3. | ||||
| CVE-2021-43937 | 1 Smartptt | 1 Scada Server | 2024-11-21 | 7.6 High |
| Elcomplus SmartPTT SCADA Server web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. | ||||
| CVE-2021-43846 | 1 Nebulab | 1 Solidus | 2024-11-21 | 5.3 Medium |
| `solidus_frontend` is the cart and storefront for the Solidus e-commerce project. Versions of `solidus_frontend` prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. Versions 3.1.5, 3.0.5, and 2.11.14 contain a patch for this issue. The patch adds CSRF token verification to the "Add to cart" action. Adding forgery protection to a form that missed it can have some side effects. Other CSRF protection strategies as well as a workaround involving modifcation to config/application.rb` are available. More details on these mitigations are available in the GitHub Security Advisory. | ||||
| CVE-2021-43777 | 1 Redash | 1 Redash | 2024-11-21 | 6.8 Medium |
| Redash is a package for data visualization and sharing. In Redash version 10.0 and prior, the implementation of Google Login (via OAuth) incorrectly uses the `state` parameter to pass the next URL to redirect the user to after login. The `state` parameter should be used for a Cross-Site Request Forgery (CSRF) token, not a static and easily predicted value. This vulnerability does not affect users who do not use Google Login for their instance of Redash. A patch in the `master` and `release/10.x.x` branches addresses this by replacing `Flask-Oauthlib` with `Authlib` which automatically provides and validates a CSRF token for the state variable. The new implementation stores the next URL on the user session object. As a workaround, one may disable Google Login to mitigate the vulnerability. | ||||
| CVE-2021-43738 | 1 Xiaohuanxiong Cms Project | 1 Xiaohuanxiong Cms | 2024-11-21 | 8.8 High |
| An issue was discovered in xiaohuanxiong CMS 5.0.17. There is a CSRF vulnerability that can that can add the administrator account. | ||||
| CVE-2021-43737 | 1 Xiaohuanxiong Project | 1 Xiaohuanxiong Cms | 2024-11-21 | 6.5 Medium |
| An issus was discovered in xiaohuanxiong CMS 5.0.17. There is a CSRF vulnerability that can modify administrator account's password. | ||||
| CVE-2021-43559 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2024-11-21 | 8.8 High |
| A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk. | ||||
| CVE-2021-43158 | 1 Projectworlds | 1 Online Shopping System In Php | 2024-11-21 | 4.3 Medium |
| In ProjectWorlds Online Shopping System PHP 1.0, a CSRF vulnerability in cart_remove.php allows a remote attacker to remove any product in the customer's cart. | ||||
| CVE-2021-43156 | 1 Projectworlds | 1 Online Book Store Project In Php | 2024-11-21 | 6.5 Medium |
| In ProjectWorlds Online Book Store PHP 1.0 a CSRF vulnerability in admin_delete.php allows a remote attacker to delete any book. | ||||
| CVE-2021-43137 | 1 Phpgurukul | 1 Hostel Management System | 2024-11-21 | 8.8 High |
| Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exits in hostel management system 2.1 via the name field in my-profile.php. Chaining to this both vulnerabilities leads to account takeover. | ||||
| CVE-2021-42228 | 1 Kindsoft | 1 Kindeditor | 2024-11-21 | 8.8 High |
| A Cross Site Request Forgery (CSRF) vulnerability exists in KindEditor 4.1.x, as demonstrated by examples/uploadbutton.html. | ||||
| CVE-2021-42097 | 3 Debian, Gnu, Redhat | 4 Debian Linux, Mailman, Enterprise Linux and 1 more | 2024-11-21 | 8.0 High |
| GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover). | ||||