Total
7170 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-34636 | 1 Wpdevart | 1 Countdown And Countup\, Woocommerce Sales Timer | 2024-11-21 | 8.8 High |
| The Countdown and CountUp, WooCommerce Sales Timers WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_theme function found in the ~/includes/admin/coundown_theme_page.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.7. | ||||
| CVE-2021-34634 | 1 Sola-newsletters Project | 1 Sola-newsletters | 2024-11-21 | 8.8 High |
| The Nifty Newsletters WordPress plugin is vulnerable to Cross-Site Request Forgery via the sola_nl_wp_head function found in the ~/sola-newsletters.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.23. | ||||
| CVE-2021-34633 | 1 Youtube Feeder Project | 1 Youtube Feeder | 2024-11-21 | 8.8 High |
| The Youtube Feeder WordPress plugin is vulnerable to Cross-Site Request Forgery via the printAdminPage function found in the ~/youtube-feeder.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.1. | ||||
| CVE-2021-34632 | 1 Seo Backlinks Project | 1 Seo Backlinks | 2024-11-21 | 8.8 High |
| The SEO Backlinks WordPress plugin is vulnerable to Cross-Site Request Forgery via the loc_config function found in the ~/seo-backlinks.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.1. | ||||
| CVE-2021-34631 | 1 Ipdgroup | 1 Newsplugin | 2024-11-21 | 8.8 High |
| The NewsPlugin WordPress plugin is vulnerable to Cross-Site Request Forgery via the handle_save_style function found in the ~/news-plugin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.18. | ||||
| CVE-2021-34628 | 1 Weblizar | 1 Admin Custom Login | 2024-11-21 | 8.8 High |
| The Admin Custom Login WordPress plugin is vulnerable to Cross-Site Request Forgery due to the loginbgSave action found in the ~/includes/Login-form-setting/Login-form-background.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.7. | ||||
| CVE-2021-34620 | 1 Fluentforms | 1 Contact Form | 2024-11-21 | 8.8 High |
| The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions | ||||
| CVE-2021-34619 | 1 Storeapps | 1 Stock Manager For Woocommerce | 2024-11-21 | 8.8 High |
| The WooCommerce Stock Manager WordPress plugin is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Upload in versions up to, and including, 2.5.7 due to missing nonce and file validation in the /woocommerce-stock-manager/trunk/admin/views/import-export.php file. | ||||
| CVE-2021-34547 | 1 Paessler | 1 Prtg Network Monitor | 2024-11-21 | 4.3 Medium |
| PRTG Network Monitor 20.1.55.1775 allows /editsettings CSRF for user account creation. | ||||
| CVE-2021-34360 | 1 Qnap | 4 Nas Proxy Server, Qts, Quts Hero and 1 more | 2024-11-21 | 5.3 Medium |
| A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP device running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Proxy Server: QTS 4.5.x: Proxy Server 1.4.2 ( 2021/12/30 ) and later QuTS hero h5.0.0: Proxy Server 1.4.3 ( 2022/01/18 ) and later QuTScloud c4.5.6: Proxy Server 1.4.2 ( 2021/12/30 ) and later | ||||
| CVE-2021-34358 | 1 Qnap | 2 Nas, Qmailagent | 2024-11-21 | 6.8 Medium |
| We have already fixed this vulnerability in the following versions of QmailAgent: QmailAgent 3.0.2 ( 2021/08/25 ) and later | ||||
| CVE-2021-34244 | 1 Icehrm | 1 Icehrm | 2024-11-21 | 8.8 High |
| A cross site request forgery (CSRF) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to create new admin accounts or change users' passwords. | ||||
| CVE-2021-34086 | 1 Ultimaker | 6 Ultimaker 3, Ultimaker 3 Firmware, Ultimaker S3 and 3 more | 2024-11-21 | 8.8 High |
| In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D printer S-line through 6.3 and Ultimaker 3 through 5.2.16, the local webserver hosts APIs vulnerable to CSRF. They do not verify incoming requests. | ||||
| CVE-2021-33338 | 1 Liferay | 2 Dxp, Liferay Portal | 2024-11-21 | 7.5 High |
| The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter. | ||||
| CVE-2021-32991 | 1 Deltaww | 1 Diaenergie | 2024-11-21 | 4.3 Medium |
| Delta Electronics DIAEnergie Version 1.7.5 and prior is vulnerable to cross-site request forgery, which may allow an attacker to cause a user to carry out an action unintentionally. | ||||
| CVE-2021-32929 | 1 Uffizio | 1 Gps Tracker | 2024-11-21 | 4.3 Medium |
| All versions of Uffizio GPS Tracker may allow an attacker to perform unintended actions on behalf of a user. | ||||
| CVE-2021-32776 | 1 Combodo | 1 Itop | 2024-11-21 | 6.8 Medium |
| Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, CSRF tokens can be reused by a malicious user, as on Windows servers no cleanup is done on CSRF tokens. This issue is fixed in versions 2.7.4 and 3.0.0. | ||||
| CVE-2021-32774 | 1 Miraheze | 1 Datadump | 2024-11-21 | 6.1 Medium |
| DataDump is a MediaWiki extension that provides dumps of wikis. Prior to commit 67a82b76e186925330b89ace9c5fd893a300830b, DataDump had no protection against CSRF attacks so requests to generate or delete dumps could be forged. The vulnerability was patched in commit 67a82b76e186925330b89ace9c5fd893a300830b. There are no known workarounds. You must completely disable DataDump. | ||||
| CVE-2021-32732 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 7.5 High |
| ### Impact It's possible to know if a user has or not an account in a wiki related to an email address, and which username(s) is actually tied to that email by forging a request to the Forgot username page. Note that since this page does not have a CSRF check it's quite easy to perform a lot of those requests. ### Patches This issue has been patched in XWiki 12.10.5 and 13.2RC1. Two different patches are provided: - a first one to fix the CSRF problem - a more complex one that now relies on sending an email for the Forgot username process. ### Workarounds It's possible to fix the problem without uprading by editing the ForgotUsername page in version below 13.x, to use the following code: https://github.com/xwiki/xwiki-platform/blob/69548c0320cbd772540cf4668743e69f879812cf/xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/ForgotUsername.xml#L39-L123 In version after 13.x it's also possible to edit manually the forgotusername.vm file, but it's really encouraged to upgrade the version here. ### References * https://jira.xwiki.org/browse/XWIKI-18384 * https://jira.xwiki.org/browse/XWIKI-18408 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki](https://jira.xwiki.org) * Email us at [security ML](mailto:security@xwiki.org) | ||||
| CVE-2021-32730 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 5.7 Medium |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A cross-site request forgery vulnerability exists in versions prior to 12.10.5, and in versions 13.0 through 13.1. It's possible for forge an URL that, when accessed by an admin, will reset the password of any user in XWiki. The problem has been patched in XWiki 12.10.5 and 13.2RC1. As a workaround, it is possible to apply the patch manually by modifying the `register_macros.vm` template. | ||||