Vulnerabilities (CVE)

Filtered by CWE-352
Total 3631 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-31000 1 Nebulab 1 Solidus 2022-06-08 4.3 MEDIUM 4.3 MEDIUM
solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order's adjustments if they hold its number, and the execution happens on a store administrator's computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.
CVE-2022-1611 1 Bulk Page Creator Project 1 Bulk Page Creator 2022-06-08 6.8 MEDIUM 8.8 HIGH
The Bulk Page Creator WordPress plugin before 1.1.4 does not protect its page creation functionalities with nonce checks, which makes them vulnerable to CSRF.
CVE-2021-34360 1 Qnap 4 Nas Proxy Server, Qts, Quts Hero and 1 more 2022-06-07 6.8 MEDIUM 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP device running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Proxy Server: QTS 4.5.x: Proxy Server 1.4.2 ( 2021/12/30 ) and later QuTS hero h5.0.0: Proxy Server 1.4.3 ( 2022/01/18 ) and later QuTScloud c4.5.6: Proxy Server 1.4.2 ( 2021/12/30 ) and later
CVE-2022-29002 1 Xuxueli 1 Xxl-job 2022-06-07 6.8 MEDIUM 8.8 HIGH
A Cross-Site Request Forgery (CSRF) in XXL-Job v2.3.0 allows attackers to arbitrarily create administrator accounts via the component /gaia-job-admin/user/add.
CVE-2021-38886 2 Ibm, Netapp 2 Cognos Analytics, Oncommand Insight 2022-06-03 6.8 MEDIUM 8.8 HIGH
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 209399.
CVE-2022-0830 1 Formbuilder Project 1 Formbuilder 2022-06-03 4.3 MEDIUM 6.5 MEDIUM
The FormBuilder WordPress plugin through 1.08 does not have CSRF checks in place when creating/updating and deleting forms, and does not sanitise as well as escape its form field values. As a result, attackers could make logged in admin update and delete arbitrary forms via a CSRF attack, and put Cross-Site Scripting payloads in them.
CVE-2021-43952 1 Atlassian 2 Jira Data Center, Jira Server 2022-06-03 4.3 MEDIUM 4.3 MEDIUM
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to restore the default configuration of fields via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/RestoreDefaults.jspa endpoint. The affected versions are before version 8.21.0.
CVE-2022-27632 1 Meikyo 30 Poe Boot Nino Poe8m2, Poe Boot Nino Poe8m2 Firmware, Pose Se10-8a7b1 and 27 more 2022-06-02 6.8 MEDIUM 8.8 HIGH
Cross-site request forgery (CSRF) vulnerability in Rebooter(WATCH BOOT nino RPC-M2C [End of Sale] all firmware versions, WATCH BOOT light RPC-M5C [End of Sale] all firmware versions, WATCH BOOT L-zero RPC-M4L [End of Sale] all firmware versions, WATCH BOOT mini RPC-M4H [End of Sale] all firmware versions, WATCH BOOT nino RPC-M2CS firmware version 1.00A to 1.00D, WATCH BOOT light RPC-M5CS firmware version 1.00A to 1.00D, WATCH BOOT L-zero RPC-M4LS firmware version 1.00A to 1.20A, and Signage Rebooter RPC-M4HSi firmware version 1.00A), PoE Rebooter(PoE BOOT nino PoE8M2 firmware version 1.00A to 1.20A), Scheduler(TIME BOOT mini RSC-MT4H [End of Sale] all firmware versions, TIME BOOT RSC-MT8F [End of Sale] all firmware versions, TIME BOOT RSC-MT8FP [End of Sale] all firmware versions, TIME BOOT mini RSC-MT4HS firmware version 1.00A to 1.10A, and TIME BOOT RSC-MT8FS firmware version 1.00A to 1.00E), and Contact Converter(POSE SE10-8A7B1 firmware version 1.00A to 1.20A) allows a remote attacker to hijack the authentication of an administrator and conduct arbitrary operations by having a user to view a specially crafted page.
CVE-2020-2196 1 Jenkins 1 Selenium 2022-06-01 6.0 MEDIUM 8.0 HIGH
Jenkins Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP endpoints, allowing attackers to perform all administrative actions provided by the plugin.
CVE-2022-22778 1 Tibco 1 Businessconnect Trading Community Management 2022-05-31 6.8 MEDIUM 8.8 HIGH
The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access to execute Cross-Site Request Forgery (CSRF) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management: versions 6.1.0 and below.
CVE-2022-30014 1 Simple Food Website Project 1 Simple Food Website 2022-05-30 6.8 MEDIUM 8.8 HIGH
Lumidek Associates Simple Food Website 1.0 is vulnerable to Cross Site Request Forgery (CSRF) which allows anyone to takeover admin/moderater account.
CVE-2022-29427 1 Disable Right Click For Wp Wordpress 1 Disable Right Click For Wp 2022-05-26 6.8 MEDIUM 8.8 HIGH
Cross-Site Request Forgery (CSRF) vulnerability in Aftab Muni's Disable Right Click For WP plugin <= 1.1.6 at WordPress.
CVE-2022-29430 1 Png To Jpg Project 1 Png To Jpg 2022-05-26 4.3 MEDIUM 6.1 MEDIUM
Cross-Site Scripting (XSS) vulnerability in KubiQ's PNG to JPG plugin <= 4.0 at WordPress via Cross-Site Request Forgery (CSRF). Vulnerable parameter &jpg_quality.
CVE-2022-29431 1 Kubiq 1 Cpt Base 2022-05-26 5.8 MEDIUM 5.4 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in KubiQ CPT base plugin <= 5.8 at WordPress allows an attacker to delete the CPT base.
CVE-2022-30953 1 Jenkins 1 Blue Ocean 2022-05-26 4.3 MEDIUM 6.5 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.
CVE-2022-28992 1 Online Banquet Booking System Project 1 Online Banquet Booking System 2022-05-26 6.8 MEDIUM 8.8 HIGH
A Cross-Site Request Forgery (CSRF) in Online Banquet Booking System v1.0 allows attackers to change admin credentials via a crafted POST request.
CVE-2022-28921 1 Blogengine 1 Blogengine.net 2022-05-26 4.3 MEDIUM 6.5 MEDIUM
A Cross-Site Request Forgery (CSRF) vulnerability discovered in BlogEngine.Net v3.3.8.0 allows unauthenticated attackers to read arbitrary files on the hosting web server.
CVE-2022-30946 1 Jenkins 1 Script Security 2022-05-26 4.3 MEDIUM 4.3 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.
CVE-2021-29995 1 Cloverdx 1 Cloverdx 2022-05-25 6.8 MEDIUM 8.8 HIGH
A Cross Site Request Forgery (CSRF) issue in Server Console in CloverDX through 5.9.0 allows remote attackers to execute any action as the logged-in user (including script execution). The issue is resolved in CloverDX 5.10, CloverDX 5.9.1, CloverDX 5.8.2, and CloverDX 5.7.1.
CVE-2022-29436 1 Code Snippets Extended Project 1 Code Snippets Extended 2022-05-25 4.3 MEDIUM 6.1 MEDIUM
Persistent Cross-Site Scripting (XSS) vulnerability in Alexander Stokmann's Code Snippets Extended plugin <= 1.4.7 on WordPress via Cross-Site Request Forgery (vulnerable parameters &title, &snippet_code).