Vulnerabilities (CVE)

Filtered by CWE-352
Total 3844 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-39268 2022-09-30 N/A N/A
### Impact
In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account.
### Patch
Upgrade to v2022.09.10 to patch this vulnerability.
### Workarounds
Rebuild and redeploy the Orchest `auth-server` with this commit: https://github.com/orchest/orchest/commit/c2587a963cca742c4a2503bce4cfb4161bf64c2d
### References
https://en.wikipedia.org/wiki/Cross-site_request_forgery
https://cwe.mitre.org/data/definitions/352.html
### For more information
If you have any questions or comments about this advisory:
* Open an issue in https://github.com/orchest/orchest
* Email us at rick@orchest.io
CVE-2021-36855 2022-09-30 N/A N/A
Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in Booking Ultra Pro plugin <= 1.1.4 at WordPress.
CVE-2021-36854 2022-09-30 N/A N/A
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Booking Ultra Pro plugin <= 1.1.4 at WordPress.
CVE-2022-22811 1 Schneider-electric 6 Fellerlynk, Fellerlynk Firmware, Spacelynk and 3 more 2022-09-30 8.8 HIGH 8.1 HIGH
A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists that could induce users to perform unintended actions, leading to the override of the system's configurations when an attacker persuades a user to visit a rogue website. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)
CVE-2022-29412 1 Hermit Project 1 Hermit 2022-09-30 5.8 MEDIUM 5.4 MEDIUM
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Hermit ????? plugin <= 3.1.6 on WordPress allow attackers to delete cache, delete a source, create source.
CVE-2022-29413 1 Hermit Project 1 Hermit 2022-09-30 4.3 MEDIUM 6.1 MEDIUM
Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in Mufeng's Hermit ????? plugin <= 3.1.6 on WordPress via &title parameter.
CVE-2021-22724 1 Schneider-electric 12 Evb1a, Evb1a Firmware, Evc1s22p4 and 9 more 2022-09-28 6.8 MEDIUM 8.8 HIGH
A CWE-352 Cross-Site Request Forgery (CSRF) vulnerability exists that could allow an attacker to impersonate the user or carry out actions on their behalf when crafted malicious parameters are submitted in POST requests sent to the charging station web server. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2)
CVE-2021-22725 1 Schneider-electric 12 Evb1a, Evb1a Firmware, Evc1s22p4 and 9 more 2022-09-28 6.8 MEDIUM 8.8 HIGH
A CWE-352 Cross-Site Request Forgery (CSRF) vulnerability exists that could allow an attacker to impersonate the user or carry out actions on their behalf when crafted malicious parameters are submitted in POST requests sent to the charging station web server. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2)
CVE-2021-24890 1 Dplugins 1 Scripts Organizer 2022-09-28 N/A 8.8 HIGH
The Scripts Organizer WordPress plugin before 3.0 does not have capability and CSRF checks in the saveScript AJAX action, available to both unauthenticated and authenticated users, and does not validate user input in any way, which could allow unauthenticated users to put arbitrary PHP code in a file.
CVE-2022-2405 1 Themehunk 1 Wp Popup Builder 2022-09-28 N/A 4.3 MEDIUM
The WP Popup Builder WordPress plugin through 1.2.8 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to delete arbitrary Popups.
CVE-2022-3119 1 Oauth Client Single Sign On Project 1 Oauth Client Single Sign On 2022-09-28 N/A 7.5 HIGH
The OAuth client Single Sign On WordPress plugin before 3.0.4 does not have authorisation and CSRF checks when updating its settings, which could allow unauthenticated attackers to update them and change the OAuth endpoints to ones they control, allowing them to then be authenticated as admin if they know the correct email address.
CVE-2022-3024 1 Simple Bitcoin Faucets Project 1 Simple Bitcoin Faucets 2022-09-28 N/A 5.4 MEDIUM
The Simple Bitcoin Faucets WordPress plugin through 1.7.0 does not have any authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and add/delete/edit Bonds. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues.
CVE-2022-2987 1 Ldap Wp Login / Active Directory Integration Project 1 Ldap Wp Login / Active Directory Integration 2022-09-28 N/A 7.5 HIGH
The Ldap WP Login / Active Directory Integration WordPress plugin before 3.0.2 does not have any authorisation and CSRF checks when updating its settings (which are hooked to the init action), allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticate users, therefore bypassing the current authentication.
CVE-2022-3025 1 Bitcoin/altcoin Faucet Project 1 Bitcoin/altcoin Faucet 2022-09-28 N/A 5.4 MEDIUM
The Bitcoin / Altcoin Faucet WordPress plugin through 1.6.0 does not have any CSRF check when saving its settings, allowing attackers to make a logged-in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues.
CVE-2020-18151 1 Thinkcmf 1 Thinkcmf 2022-09-27 4.3 MEDIUM 6.5 MEDIUM
Cross Site Request Forgery (CSRF) vulnerability in ThinkCMF v5.1.0, which can add an admin account.
CVE-2014-9129 1 Cminds 1 Cm Download Manager 2022-09-27 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the CreativeMinds CM Downloads Manager plugin before 2.0.7 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the addons_title parameter in the CMDM_admin_settings page to wp-admin/admin.php.
CVE-2022-3098 1 Gunkastudios 1 Login Block Ips 2022-09-27 N/A 4.3 MEDIUM
The Login Block IPs WordPress plugin through 1.0.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
CVE-2022-38085 1 Read More By Adam Project 1 Read More By Adam 2022-09-26 N/A 8.8 HIGH
Cross-Site Request Forgery (CSRF) vulnerability in Read more By Adam plugin <= 1.1.8 at WordPress.
CVE-2022-40132 1 Castos 1 Seriously Simple Podcasting 2022-09-26 N/A 4.3 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in Seriously Simple Podcasting plugin <= 2.16.0 at WordPress, leading to plugin settings change.
CVE-2022-40671 1 Blazzdev 1 Rate My Post - Wp Rating System 2022-09-26 N/A 4.3 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in Rate my Post – WP Rating System plugin <= 3.3.4 at WordPress.