Security Headlines

Tag: #csrf
CVE-2021-36886: Contact Form 7 Database Addon – CFDB7

Cross-Site Request Forgery (CSRF) vulnerability discovered in Contact Form 7 Database Addon – CFDB7 WordPress plugin (versions <= 1.2.5.9).

CVE · Tags: #xss #csrf #vulnerability
CVE-2021-43158: CSRF vulnerability in cart_remove.php allows a remote attacker to remove any product in the customer's cart · Issue #2 · projectworldsofficial/online-shopping-webvsite-in-php

In ProjectWorlds Online Shopping System PHP 1.0, a CSRF vulnerability in cart_remove.php allows a remote attacker to remove any product in the customer's cart.

CVE-2021-43847: Authorization Bypass Through User-Controlled Key in humhub

HumHub is an open-source social network kit written in PHP. Prior to HumHub version 1.10.3 or 1.9.3, it could be possible for registered users to become unauthorized members of private Spaces. Versions 1.10.3 and 1.9.3 contain a patch for this issue.

CVE-2021-43846: Protect `Spree::OrdersController#populate` against CSRF attacks · solidusio/solidus@4d17cac

`solidus_frontend` is the cart and storefront for the Solidus e-commerce project. Versions of `solidus_frontend` prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. Versions 3.1.5, 3.0.5, and 2.11.14 contain a patch for this issue. The patch adds CSRF token verification to the "Add to cart" action. Adding forgery protection to a form that previously lacked it can have side effects. Other CSRF protection strategies, as well as a workaround involving modification of `config/application.rb`, are available. More details on these mitigations are available in the GitHub Security Advisory.
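The ProjectWorlds `cart_remove.php` and Solidus `populate` entries above describe the same defect: a state-changing cart action that trusts the session cookie alone, so any page the victim visits can submit the request and the browser attaches the cookie. The following is an added example (not Solidus, ProjectWorlds or CFDB7 code) that models such an action in plain Ruby with an unprotected handler beside a handler fixed with a per-session synchronizer token, the same class of fix the Solidus patch applies. The `CartApp` class, its method names and the `authenticity_token` parameter name are illustrative assumptions chosen for the demo.

```ruby
require "securerandom"

# Constant-time string comparison so token verification does not leak
# how many leading bytes matched via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Minimal stand-in for a storefront: a session store and per-session carts.
# (Illustrative model, not the code of any project named on this page.)
class CartApp
  attr_reader :carts

  def initialize
    @sessions = {}                      # session_id => { csrf_token: ... }
    @carts = Hash.new { |h, k| h[k] = [] }
  end

  # Simulate login: the browser will later present `sid` as a cookie.
  # A random token is bound to the session at the same time.
  def new_session
    sid = SecureRandom.hex(16)
    @sessions[sid] = { csrf_token: SecureRandom.hex(32) }
    sid
  end

  # The legitimate storefront embeds this token in its own forms. A third-party
  # page cannot read it because the same-origin policy blocks it from reading
  # the shop's HTML, even though the browser would still send the cookie.
  def csrf_token_for(sid)
    @sessions.fetch(sid)[:csrf_token]
  end

  # Vulnerable handler (the pre-patch behaviour): the cookie is the only check,
  # so a cross-site auto-submitted form succeeds.
  def populate_unprotected(sid, params)
    return :unauthenticated unless @sessions.key?(sid)
    @carts[sid] << params["variant_id"]
    :ok
  end

  # Fixed handler: the request must also carry the session-bound token.
  def populate_protected(sid, params)
    return :unauthenticated unless @sessions.key?(sid)
    submitted = params["authenticity_token"].to_s
    expected  = @sessions[sid][:csrf_token]
    return :forbidden unless secure_equal?(submitted, expected)
    @carts[sid] << params["variant_id"]
    :ok
  end
end

# Walk through the attack and the fix. Returns the outcomes so they can be checked.
def demo
  app    = CartApp.new
  victim = app.new_session

  # Attacker's page auto-submits a form to the shop. The browser attaches the
  # victim's session cookie, but the attacker cannot supply the token.
  forged = { "variant_id" => "evil-sku" }            # constructed attacker input
  r_unprotected = app.populate_unprotected(victim, forged)   # => :ok (item added)
  r_protected   = app.populate_protected(victim, forged)     # => :forbidden

  # The shop's own form includes the token, so a genuine add still works.
  legit = { "variant_id" => "wanted-sku",
            "authenticity_token" => app.csrf_token_for(victim) }
  r_legit = app.populate_protected(victim, legit)            # => :ok

  [r_unprotected, r_protected, r_legit, app.carts[victim]]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Note the caveat the Solidus advisory hints at: bolting token verification onto a form that never carried one breaks every existing client that posts to it without the token (cached pages, external "buy" buttons), which is why the advisory also lists alternative strategies rather than only the token check.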

CVE-2021-35244: Secure Configuration for the Orion Platform

The "Log alert to a file" action within action management enables any Orion Platform user with Orion alert management rights to write to any file. An attacker with Orion alert management rights could use this vulnerability to perform an unrestricted file upload leading to remote code execution.

CVE-2021-36887: tarteaucitron.js – Cookies legislation & GDPR

Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) discovered in the tarteaucitron.js – Cookies legislation & GDPR WordPress plugin (versions <= 1.5.4); the vulnerable parameters are "tarteaucitronEmail" and "tarteaucitronPass".

CVE-2021-4131

livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)

CVE-2021-4130

snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)

CVE-2021-44145: Apache NiFi Security Reports

In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.