Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

CVE-2021-43158: CSRF vulnerability in cart_remove.php allows a remote attacker to remove any product in the customer's cart · Issue #2 · projectworldsofficial/online-shopping-webvsite-in-php

In ProjectWorlds Online Shopping System PHP 1.0, a CSRF vulnerability in cart_remove.php allows a remote attacker to remove any product in the customer's cart.

CVE
#csrf#vulnerability#web#git#java
CVE-2021-43847: Authorization Bypass Through User-Controlled Key in humhub

HumHub is an open-source social network kit written in PHP. Prior to HumHub version 1.10.3 or 1.9.3, it could be possible for registered users to become unauthorized members of private Spaces. Versions 1.10.3 and 1.9.3 contain a patch for this issue.

CVE-2021-43846: Protect `Spree::OrdersController#populate` against CSRF attacks · solidusio/solidus@4d17cac

`solidus_frontend` is the cart and storefront for the Solidus e-commerce project. Versions of `solidus_frontend` prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. Versions 3.1.5, 3.0.5, and 2.11.14 contain a patch for this issue. The patch adds CSRF token verification to the "Add to cart" action. Adding forgery protection to a form that missed it can have some side effects. Other CSRF protection strategies as well as a workaround involving modifcation to config/application.rb` are available. More details on these mitigations are available in the GitHub Security Advisory.

CVE-2021-35244: Secure Configuration for the Orion Platform

The "Log alert to a file" action within action management enables any Orion Platform user with Orion alert management rights to write to any file. An attacker with Orion alert management rights could use this vulnerability to perform an unrestricted file upload causing a remote code execution.

CVE-2021-36887: tarteaucitron.js – Cookies legislation & GDPR

Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) discovered in tarteaucitron.js – Cookies legislation & GDPR WordPress plugin (versions <= 1.5.4), vulnerable parameters "tarteaucitronEmail" and "tarteaucitronPass".

CVE-2021-4131

livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)

CVE-2021-4130

snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)

CVE-2021-44145: Apache NiFi Security Reports

In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.

CVE-2021-26800: User Management System in PHP using Stored Procedure |User Management System using Stored Procedure - PHPGurukul

Cross Site Request Forgery (CSRF) vulnerability in Change-password.php in phpgurukul user management system in php using stored procedure V1.0, allows attackers to change the password to an arbitrary account.

CVE-2021-41260: Build software better, together

Galette is a membership management web application built for non profit organizations and released under GPLv3. Versions prior to 0.9.6 do not check for Cross Site Request Forgery attacks. All users are advised to upgrade to 0.9.6 as soon as possible. There are no known workarounds for this issue.