Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2018-15849

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-25 Aug, 2018 | 21:00
Updated At-05 Aug, 2024 | 10:01
Rejected At-
Credits

An issue was discovered in portfolioCMS 1.0.5. There is CSRF to update the website settings via admin/aboutus.php.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:25 Aug, 2018 | 21:00
Updated At:05 Aug, 2024 | 10:01
Rejected At:
▼CVE Numbering Authority (CNA)

An issue was discovered in portfolioCMS 1.0.5. There is CSRF to update the website settings via admin/aboutus.php.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/Westbrookadmin/portfolioCMS/issues/1
x_refsource_MISC
Hyperlink: https://github.com/Westbrookadmin/portfolioCMS/issues/1
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/Westbrookadmin/portfolioCMS/issues/1
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/Westbrookadmin/portfolioCMS/issues/1
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:25 Aug, 2018 | 21:29
Updated At:17 Oct, 2018 | 20:31

An issue was discovered in portfolioCMS 1.0.5. There is CSRF to update the website settings via admin/aboutus.php.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.04.3MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary2.04.3MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Type: Primary
Version: 3.0
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Type: Primary
Version: 2.0
Base score: 4.3
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CPE Matches
portfoliocms_project
portfoliocms_project
>>portfoliocms>>1.0.5
cpe:2.3:a:portfoliocms_project:portfoliocms:1.0.5:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-352Primarynvd@nist.gov
CWE ID: CWE-352
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/Westbrookadmin/portfolioCMS/issues/1cve@mitre.org
Issue Tracking
Third Party Advisory
Hyperlink: https://github.com/Westbrookadmin/portfolioCMS/issues/1
Source: cve@mitre.org
Resource:
Issue Tracking
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

877Records found
CVE-2021-4033
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.5||MEDIUM
EPSS-0.16% / 37.53%
||
7 Day CHG~0.00%
Published-09 Dec, 2021 | 19:55
Updated-03 Aug, 2024 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2

kimai2 is vulnerable to Cross-Site Request Forgery (CSRF)

Action-Not Available
Vendor-kimaikevinpapst
Product-kimai_2kevinpapst/kimai2
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-4142
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.94%
||
7 Day CHG~0.00%
Published-18 Jun, 2019 | 14:30
Updated-16 Sep, 2024 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Cloud Private 2.1.0, 3.1.0, 3.1.1, and 3.1.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158338.

Action-Not Available
Vendor-IBM Corporation
Product-cloud_privateCloud Private
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-15608
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 29.02%
||
7 Day CHG~0.00%
Published-26 Sep, 2018 | 21:00
Updated-05 Aug, 2024 | 19:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Inedo ProGet before 5.0 Beta5 has CSRF, allowing an attacker to change advanced settings.

Action-Not Available
Vendor-inedon/a
Product-progetn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-4049
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 30.24%
||
7 Day CHG~0.00%
Published-07 Dec, 2021 | 10:40
Updated-03 Aug, 2024 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat

livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)

Action-Not Available
Vendor-livehelperchatlivehelperchat
Product-live_helper_chatlivehelperchat/livehelperchat
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-4726
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 33.06%
||
7 Day CHG~0.00%
Published-26 Feb, 2020 | 15:55
Updated-16 Sep, 2024 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 172363.

Action-Not Available
Vendor-IBM Corporation
Product-sterling_b2b_integratorSterling B2B Integrator
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-3931
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.97%
||
7 Day CHG~0.00%
Published-13 Nov, 2021 | 08:50
Updated-03 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in snipe/snipe-it

snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)

Action-Not Available
Vendor-snipeitappsnipe
Product-snipe-itsnipe/snipe-it
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-38886
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 39.87%
||
7 Day CHG~0.00%
Published-22 Apr, 2022 | 16:30
Updated-16 Sep, 2024 | 16:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 209399.

Action-Not Available
Vendor-IBM CorporationNetApp, Inc.
Product-cognos_analyticsoncommand_insightCognos Analytics
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-38342
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.1||HIGH
EPSS-0.10% / 27.89%
||
7 Day CHG~0.00%
Published-30 Aug, 2021 | 18:05
Updated-17 Sep, 2024 | 00:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nested Pages <= 3.1.15 Cross-Site Request Forgery to Arbitrary Post Deletion and Modification

The Nested Pages WordPress plugin <= 3.1.15 was vulnerable to Cross-Site Request Forgery via the `npBulkAction`s and `npBulkEdit` `admin_post` actions, which allowed attackers to trash or permanently purge arbitrary posts as well as changing their status, reassigning their ownership, and editing other metadata.

Action-Not Available
Vendor-kylephillipsKyle Phillips
Product-nested_pagesNested Pages
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-39124
Matching Score-4
Assigner-Atlassian
ShareView Details
Matching Score-4
Assigner-Atlassian
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 38.64%
||
7 Day CHG~0.00%
Published-14 Sep, 2021 | 04:20
Updated-10 Oct, 2024 | 15:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request.

Action-Not Available
Vendor-Atlassian
Product-data_centerjiraJira ServerJira Data Center
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-4515
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 33.06%
||
7 Day CHG~0.00%
Published-24 Sep, 2019 | 13:50
Updated-16 Sep, 2024 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Security Key Lifecycle Manager 3.0 and 3.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 165137.

Action-Not Available
Vendor-IBM Corporation
Product-security_key_lifecycle_managerSecurity Key Lifecycle Manager
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-3900
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 35.15%
||
7 Day CHG~0.00%
Published-27 Oct, 2021 | 17:45
Updated-03 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

Action-Not Available
Vendor-firefly-iiifirefly-iii
Product-firefly_iiifirefly-iii/firefly-iii
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-4117
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 40.21%
||
7 Day CHG~0.00%
Published-20 Aug, 2019 | 18:25
Updated-17 Sep, 2024 | 00:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Cloud Private 3.1.1 and 3.1.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158116.

Action-Not Available
Vendor-IBM Corporation
Product-cloud_privateCloud Private
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-3921
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.4||MEDIUM
EPSS-0.12% / 31.20%
||
7 Day CHG~0.00%
Published-13 Nov, 2021 | 08:55
Updated-03 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

Action-Not Available
Vendor-firefly-iiifirefly-iii
Product-firefly_iiifirefly-iii/firefly-iii
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-38721
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 41.25%
||
7 Day CHG~0.00%
Published-09 Sep, 2021 | 14:35
Updated-04 Aug, 2024 | 01:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FUEL CMS 1.5.0 login.php contains a cross-site request forgery (CSRF) vulnerability

Action-Not Available
Vendor-thedaylightstudion/a
Product-fuel_cmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2012-5500
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.34% / 56.23%
||
7 Day CHG~0.00%
Published-03 Nov, 2014 | 22:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The batch id change script (renameObjectsByPaths.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to change the titles of content items by leveraging a valid CSRF token in a crafted request.

Action-Not Available
Vendor-n/aPlone Foundation
Product-plonen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-3932
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.3||MEDIUM
EPSS-0.11% / 30.30%
||
7 Day CHG~0.00%
Published-13 Nov, 2021 | 08:45
Updated-03 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in area17/twill

twill is vulnerable to Cross-Site Request Forgery (CSRF)

Action-Not Available
Vendor-area17area17
Product-twillarea17/twill
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-39243
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.12% / 31.56%
||
7 Day CHG~0.00%
Published-23 Aug, 2021 | 04:24
Updated-04 Aug, 2024 | 02:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-Site Request Forgery (CSRF) exists on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices via any CGI endpoint. This affects Nexto NX3003 1.8.11.0, Nexto NX3004 1.8.11.0, Nexto NX3005 1.8.11.0, Nexto NX3010 1.8.3.0, Nexto NX3020 1.8.3.0, Nexto NX3030 1.8.3.0, Nexto NX5100 1.8.11.0, Nexto NX5101 1.8.11.0, Nexto NX5110 1.1.2.8, Nexto NX5210 1.1.2.8, Nexto Xpress XP300 1.8.11.0, Nexto Xpress XP315 1.8.11.0, Nexto Xpress XP325 1.8.11.0, Nexto Xpress XP340 1.8.11.0, and Hadron Xtorm HX3040 1.7.58.0.

Action-Not Available
Vendor-altusn/a
Product-nexto_nx3004nexto_nx3005nexto_nx5101_firmwarenexto_xpress_xp315hadron_xtorm_hx3040_firmwarenexto_nx3003_firmwarenexto_xpress_xp300nexto_nx3010_firmwarenexto_xpress_xp325nexto_nx5100nexto_xpress_xp315_firmwarenexto_xpress_xp325_firmwarenexto_nx3020hadron_xtorm_hx3040nexto_xpress_xp340nexto_nx3030_firmwarenexto_nx5210nexto_nx5110_firmwarenexto_xpress_xp300_firmwarenexto_nx3010nexto_nx3004_firmwarenexto_nx5100_firmwarenexto_xpress_xp340_firmwarenexto_nx3020_firmwarenexto_nx3003nexto_nx5210_firmwarenexto_nx5101nexto_nx3030nexto_nx3005_firmwarenexto_nx5110n/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-36878
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.80%
||
7 Day CHG~0.00%
Published-27 Sep, 2021 | 14:12
Updated-28 Mar, 2025 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress uListing plugin <= 2.0.5 - Settings Update via Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions <= 2.0.5) makes it possible for attackers to update settings.

Action-Not Available
Vendor-stylemixthemesStylemixThemes
Product-ulistinguListing (WordPress plugin)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-3730
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.5||MEDIUM
EPSS-0.11% / 30.24%
||
7 Day CHG~0.00%
Published-23 Aug, 2021 | 12:42
Updated-03 Aug, 2024 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

Action-Not Available
Vendor-firefly-iiifirefly-iii
Product-firefly_iiifirefly-iii/firefly-iii
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-3728
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.5||MEDIUM
EPSS-0.11% / 30.24%
||
7 Day CHG~0.00%
Published-23 Aug, 2021 | 12:41
Updated-03 Aug, 2024 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

Action-Not Available
Vendor-firefly-iiifirefly-iii
Product-firefly_iiifirefly-iii/firefly-iii
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-36877
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.80%
||
7 Day CHG~0.00%
Published-27 Sep, 2021 | 15:32
Updated-28 Mar, 2025 | 16:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress uListing plugin <= 2.0.5 - Modify User Roles via Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions <= 2.0.5) makes it possible for attackers to modify user roles.

Action-Not Available
Vendor-stylemixthemesStylemixThemes
Product-ulistinguListing (WordPress plugin)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-3729
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.18%
||
7 Day CHG~0.00%
Published-23 Aug, 2021 | 12:41
Updated-03 Aug, 2024 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

Action-Not Available
Vendor-firefly-iiifirefly-iii
Product-firefly_iiifirefly-iii/firefly-iii
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-36891
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.10% / 27.84%
||
7 Day CHG~0.00%
Published-15 Jun, 2022 | 19:16
Updated-20 Feb, 2025 | 20:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Photo Gallery by Supsystic plugin <= 1.15.5 - Cross-Site Request Forgery (CSRF) leading to Plugin Settings Change

Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery by Supsystic plugin <= 1.15.5 at WordPress allows changing the plugin settings.

Action-Not Available
Vendor-supsysticSupsystic
Product-photo_galleryPhoto Gallery by Supsystic (WordPress plugin)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-36890
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.84%
||
7 Day CHG~0.00%
Published-31 May, 2022 | 19:30
Updated-20 Feb, 2025 | 20:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Social Share Buttons by Supsystic plugin <= 2.2.2 - Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Social Share Buttons by Supsystic plugin <= 2.2.2 at WordPress.

Action-Not Available
Vendor-supsysticsupsystic.com
Product-social_share_buttonsSocial Share Buttons by Supsystic (WordPress plugin)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-36850
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.10% / 28.80%
||
7 Day CHG~0.00%
Published-04 Oct, 2021 | 16:57
Updated-28 Mar, 2025 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Media File Renamer – Auto & Manual Rename plugin <= 5.1.9 - Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in WordPress Media File Renamer – Auto & Manual Rename plugin (versions <= 5.1.9). Affected parameters "post_title", "filename", "lock". This allows changing the uploaded media title, media file name, and media locking state.

Action-Not Available
Vendor-meowappsMeow Apps
Product-media_file_renamer_-_auto_\&_manual_renameMedia File Renamer – Auto & Manual Rename (WordPress plugin)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-4212
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 34.60%
||
7 Day CHG~0.00%
Published-25 Jul, 2019 | 14:30
Updated-17 Sep, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM QRadar SIEM 7.2 and 7.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 159132.

Action-Not Available
Vendor-IBM Corporation
Product-qradar_security_information_and_event_managerQRadar SIEM
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-36914
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.1||MEDIUM
EPSS-0.15% / 36.63%
||
7 Day CHG~0.00%
Published-12 Apr, 2022 | 16:11
Updated-20 Feb, 2025 | 20:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CalderaWP License Manager plugin <= 1.2.11 - Cross-Site Request Forgery (CSRF) vulnerability leading to Reflected Cross-Site Scripting (XSS)

Cross-Site Request Forgery (CSRF) vulnerability leading to Reflected Cross-Site Scripting (XSS) in CalderaWP License Manager (WordPress plugin) <= 1.2.11.

Action-Not Available
Vendor-claderaformDesertsnowman, Shelob9
Product-calderawp_license_managerCalderaWP License Manager (WordPress plugin)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-10479
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 35.74%
||
7 Day CHG~0.00%
Published-12 Mar, 2020 | 13:05
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CSRF in admin/add-news.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to add a new news article via a crafted request.

Action-Not Available
Vendor-chadhaajayn/a
Product-phpkbn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-36542
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.66%
||
7 Day CHG~0.00%
Published-03 Aug, 2021 | 18:09
Updated-04 Aug, 2024 | 00:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-Site Request Forgery (CSRF) vulnerability in the /op/op.LockDocument.php in SeedDMS v5.1.x<5.1.23 and v6.0.x <6.0.16 allows a remote attacker to lock any document without victim's knowledge, by enticing an authenticated user to visit an attacker's web page.

Action-Not Available
Vendor-seeddmsn/a
Product-seeddmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2005-3348
Matching Score-4
Assigner-Debian GNU/Linux
ShareView Details
Matching Score-4
Assigner-Debian GNU/Linux
CVSS Score-4.3||MEDIUM
EPSS-1.62% / 81.08%
||
7 Day CHG~0.00%
Published-18 Nov, 2005 | 02:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HTTP response splitting vulnerability in index.php in phpSysInfo 2.4 and earlier, as used in phpgroupware 0.9.16 and earlier, and egroupware before 1.0.0.009, allows remote attackers to spoof web content and poison web caches via CRLF sequences in the charset parameter.

Action-Not Available
Vendor-phpsysinfon/a
Product-phpsysinfon/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-36543
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.74%
||
7 Day CHG~0.00%
Published-03 Aug, 2021 | 18:13
Updated-04 Aug, 2024 | 00:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-Site Request Forgery (CSRF) vulnerability in the /op/op.UnlockDocument.php in SeedDMS v5.1.x <5.1.23 and v6.0.x <6.0.16 allows a remote attacker to unlock any document without victim's knowledge, by enticing an authenticated user to visit an attacker's web page.

Action-Not Available
Vendor-seeddmsn/a
Product-seeddmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2012-10010
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 15.77%
||
7 Day CHG~0.00%
Published-09 Apr, 2023 | 05:31
Updated-06 Aug, 2024 | 21:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BestWebSoft Contact Form contact_form.php cntctfrm_settings_page cross-site request forgery

A vulnerability was found in BestWebSoft Contact Form 3.21. It has been classified as problematic. This affects the function cntctfrm_settings_page of the file contact_form.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 3.22 is able to address this issue. The identifier of the patch is 8398d96ff0fe45ec9267d7259961c2ef89ed8005. It is recommended to upgrade the affected component. The identifier VDB-225321 was assigned to this vulnerability.

Action-Not Available
Vendor-BestWebSoft
Product-contact_formContact Form
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2012-1636
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 34.09%
||
7 Day CHG~0.00%
Published-01 Oct, 2012 | 22:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in the stickynote module before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of users for requests that delete stickynotes via unspecified vectors.

Action-Not Available
Vendor-luke_herringtonn/aThe Drupal Association
Product-drupalstickynoten/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2012-10017
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 23.85%
||
7 Day CHG~0.00%
Published-26 Dec, 2023 | 10:00
Updated-21 Nov, 2024 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BestWebSoft Portfolio Plugin cross-site request forgery

A vulnerability was found in BestWebSoft Portfolio Plugin up to 2.04 on WordPress. It has been classified as problematic. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 2.06 is able to address this issue. The patch is named 68af950330c3202a706f0ae9bbb52ceaa17dda9d. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-248955.

Action-Not Available
Vendor-BestWebSoft
Product-portfolioPortfolio Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-34661
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.10% / 28.80%
||
7 Day CHG~0.00%
Published-09 Aug, 2021 | 12:23
Updated-23 May, 2025 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Fusion Lite <= 3.37.18 Cross-Site Request Forgery to Data Deletion

The WP Fusion Lite WordPress plugin is vulnerable to Cross-Site Request Forgery via the `show_logs_section` function found in the ~/includes/admin/logging/class-log-handler.php file which allows attackers to drop all logs for the plugin, in versions up to and including 3.37.18.

Action-Not Available
Vendor-verygoodpluginsVery Good Plugins
Product-wp_fusionWP Fusion Lite
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2012-10015
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 20.71%
||
7 Day CHG~0.00%
Published-30 May, 2023 | 23:31
Updated-06 Aug, 2024 | 21:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BestWebSoft Twitter Plugin Settings Page twitter.php twttr_settings_page cross-site request forgery

A vulnerability was found in BestWebSoft Twitter Plugin up to 2.14 on WordPress. It has been classified as problematic. Affected is the function twttr_settings_page of the file twitter.php of the component Settings Page. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. Upgrading to version 2.15 is able to address this issue. The patch is identified as a6d4659cbb2cbf18ccb0fb43549d5113d74e0146. It is recommended to upgrade the affected component. VDB-230154 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-BestWebSoft
Product-twitterTwitter Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-34547
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.79%
||
7 Day CHG~0.00%
Published-10 Jun, 2021 | 13:49
Updated-04 Aug, 2024 | 00:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PRTG Network Monitor 20.1.55.1775 allows /editsettings CSRF for user account creation.

Action-Not Available
Vendor-paesslern/a
Product-prtg_network_monitorn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2012-10012
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.25%
||
7 Day CHG~0.00%
Published-09 Apr, 2023 | 23:31
Updated-06 Aug, 2024 | 21:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BestWebSoft Facebook Like Button facebook-button-plugin.php fcbk_bttn_plgn_settings_page cross-site request forgery

A vulnerability has been found in BestWebSoft Facebook Like Button up to 2.13 and classified as problematic. Affected by this vulnerability is the function fcbk_bttn_plgn_settings_page of the file facebook-button-plugin.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The patch is named 33144ae5a45ed07efe7fceca901d91365fdbf7cb. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-225355.

Action-Not Available
Vendor-BestWebSoft
Product-facebook_buttonFacebook Like Button
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-32730
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.7||MEDIUM
EPSS-0.17% / 38.66%
||
7 Day CHG~0.00%
Published-01 Jul, 2021 | 17:30
Updated-03 Aug, 2024 | 23:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
No CSRF protection on the password change form

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A cross-site request forgery vulnerability exists in versions prior to 12.10.5, and in versions 13.0 through 13.1. It's possible for forge an URL that, when accessed by an admin, will reset the password of any user in XWiki. The problem has been patched in XWiki 12.10.5 and 13.2RC1. As a workaround, it is possible to apply the patch manually by modifying the `register_macros.vm` template.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platform
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-32632
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-2.4||LOW
EPSS-0.15% / 35.94%
||
7 Day CHG~0.00%
Published-20 May, 2021 | 16:10
Updated-03 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CSRF allowing modification of commands, modules, banphrases through hidden iFrames

Pajbot is a Twitch chat bot. Pajbot versions prior to 1.52 are vulnerable to cross-site request forgery (CSRF). Hosters of the bot should upgrade to `v1.52` or `stable` to install the patch or, as a workaround, can add one modern dependency.

Action-Not Available
Vendor-pajbotpajbot
Product-pajbotpajbot
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-32991
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 26.85%
||
7 Day CHG~0.00%
Published-30 Aug, 2021 | 17:12
Updated-03 Aug, 2024 | 23:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Delta Electronics DIAEnergie Version 1.7.5 and prior is vulnerable to cross-site request forgery, which may allow an attacker to cause a user to carry out an action unintentionally.

Action-Not Available
Vendor-n/aDelta Electronics, Inc.
Product-diaenergieDelta Electronics DIAEnergie
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-31678
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.12% / 31.32%
||
7 Day CHG~0.00%
Published-06 Jul, 2022 | 12:17
Updated-03 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in PESCMS-V2.3.3. There is a CSRF vulnerability that can delete import information about a user's company.

Action-Not Available
Vendor-pescmsn/a
Product-pescms_teamn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2011-5250
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.17% / 38.20%
||
7 Day CHG~0.00%
Published-08 Jan, 2020 | 22:38
Updated-07 Aug, 2024 | 00:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Snare for Linux before 1.7.0 has CSRF in the web interface.

Action-Not Available
Vendor-prophecyinternationaln/a
Product-snaren/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-29816
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 26.43%
||
7 Day CHG~0.00%
Published-23 Sep, 2021 | 18:05
Updated-16 Sep, 2024 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 204341.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, IncMicrosoft Corporation
Product-linux_kernelaixwindowsjazz_for_service_managementJazz for Service Management
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-29757
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.73%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 16:00
Updated-16 Sep, 2024 | 23:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM QRadar User Behavior Analytics 4.1.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 202168.

Action-Not Available
Vendor-IBM Corporation
Product-qradar_user_behavior_analyticsQRadar User Behavior Analytics
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-3876
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5||MEDIUM
EPSS-0.20% / 42.61%
||
7 Day CHG~0.00%
Published-01 Apr, 2019 | 14:15
Updated-04 Aug, 2024 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in the /oauth/token/request custom endpoint of the OpenShift OAuth server allowing for XSS generation of CLI tokens due to missing X-Frame-Options and CSRF protections. If not otherwise prevented, a separate XSS vulnerability via JavaScript could further allow for the extraction of these tokens.

Action-Not Available
Vendor-Red Hat, Inc.
Product-openshift_container_platformweb-console
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-30112
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.61%
||
7 Day CHG~0.00%
Published-08 Apr, 2021 | 11:13
Updated-03 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a student_leave_application request through module/core/studentleaveapplication/create. The application fails to validate the CSRF token for a POST request using Guardian privilege.

Action-Not Available
Vendor-web-schooln/a
Product-enterprise_resource_planningn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-29837
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.94%
||
7 Day CHG~0.00%
Published-06 Oct, 2021 | 17:10
Updated-17 Sep, 2024 | 02:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 204913.

Action-Not Available
Vendor-IBM Corporation
Product-sterling_b2b_integratorSterling B2B Integrator
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-29400
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.11% / 29.74%
||
7 Day CHG~0.00%
Published-10 Aug, 2021 | 22:30
Updated-03 Aug, 2024 | 22:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in the My SMTP Contact v1.1.1 plugin for GetSimple CMS allows remote attackers to change the SMTP settings of the contact forms for the webpages of the CMS after an authenticated admin visits a malicious third-party site.

Action-Not Available
Vendor-netexplorern/a
Product-my_smtp_contactn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-29624
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.25% / 48.51%
||
7 Day CHG~0.00%
Published-19 May, 2021 | 21:15
Updated-03 Aug, 2024 | 22:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lack of protection against cookie tossing attacks in fastify-csrf

fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Version 3.1.0 of the fastify-csrf fixes it. the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.

Action-Not Available
Vendor-fastifyfastify
Product-fastify-csrffastify-csrf
CWE ID-CWE-565
Reliance on Cookies without Validation and Integrity Checking
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 17
  • 18
  • Next
Details not found