Tag: #csrf

CVE-2021-25032: Changeset 2640161 – WordPress Plugin Repository

The PublishPress Capabilities WordPress plugin before 2.3.1 and the PublishPress Capabilities Pro WordPress plugin before 2.3.1 do not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and do not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role, and make every newly registered user an administrator.

CVE-2021-25053: Changeset 2641650 for wp-coder – WordPress Plugin Repository

The WP Coder WordPress plugin before 2.5.2, within the wow-company admin menu page, allows include() of an arbitrary file with a PHP extension (as well as via the data:// or http:// protocols), thus leading to CSRF RCE.

CVE-2021-46147: T293341 MassEditRegex is Vulnerable to CSRF Attacks (CVE-2021-46147)

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. MassEditRegex allows CSRF.

CVE-2021-34086: Ultimaker 3

In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D printer S-line through 6.3 and Ultimaker 3 through 5.2.16, the local webserver hosts APIs vulnerable to CSRF. They do not verify incoming requests.

CVE-2021-31589

BeyondTrust Secure Remote Access Base Software through 6.0.1 allows an attacker to achieve full admin access to the appliance by tricking the administrator into creating a new admin account through an XSS/CSRF attack involving a crafted request to the /appliance/users?action=edit endpoint. This cross-site scripting (XSS) vulnerability occurs because the server does not properly sanitize an unauthenticated crafted web request.

CVE-2021-45452: Archive of security issues | Django documentation

Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.

CVE-2021-43677: FluxBB 1.5.11 released

FluxBB v1.4.12 is affected by a Cross Site Scripting (XSS) vulnerability.

CVE-2020-29292: GitHub - Nitya91/iBall-WRD12EN-1.0.0

iBall WRD12EN 1.0.0 devices allow cross-site request forgery (CSRF) attacks as demonstrated by enabling DNS settings or modifying the range for IP addresses.

CVE-2020-21236: DamiCMS-v6.0.0-have-csrf-and-xss-Vulnerabilities-/README.md at master · wind-cyber/DamiCMS-v6.0.0-have-csrf-and-xss-Vulnerabilities-

A vulnerability in /damicms-master/admin.php?s=/Article/doedit of DamiCMS v6.0 allows attackers to compromise and impersonate user accounts via obtaining a user's session cookie.