The Download Plugin WordPress plugin before 1.6.1 does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated users, such as subscribers, to activate plugins that are already installed.

CVE-2021-24703

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.

**Security announcements****MSA-21-0042: IDOR in a calendar web service allows fetching of other users' action events**

*   ◀︎ MSA-21-0041: CSRF risk on delete related badge feature
*   MSA-22-0001: SQL injection risk in code fetching h5p activity user attempts ▶︎

Display mode

**MSA-21-0042: IDOR in a calendar web service allows fetching of other users' action events**

by Michael Hawkins - Monday, 15 November 2021, 10:34 PM

Number of replies: 0

Insufficient capability checks made it possible to fetch other users' calendar action events.

_Severity/Risk:_

**Minor**

_Versions affected:_

3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions

_Versions fixed:_

**3.11.4, 3.10.8 and 3.9.11**

_Reported by:_

0xkasper

_CVE identifier:_

CVE-2021-43560

_Changes (master):_

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71918

_Tracker issue:_

MDL-71918 IDOR in a calendar web service allows fetching of other users' action events

Permalink

*   ◀︎ MSA-21-0041: CSRF risk on delete related badge feature
*   MSA-22-0001: SQL injection risk in code fetching h5p activity user attempts ▶︎

◀︎ Issue Tracker

Jump to...

Social media ▶︎

CVE-2021-43560: IDOR in a calendar web service allows fetching of other users' action events

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.

'2021517?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2021-43559: Invalid Bug ID

**Security announcements****MSA-21-0042: IDOR in a calendar web service allows fetching of other users' action events**

*   ◀︎ MSA-21-0041: CSRF risk on delete related badge feature

Display mode

**MSA-21-0042: IDOR in a calendar web service allows fetching of other users' action events**

by Michael Hawkins - Monday, 15 November 2021, 10:34 PM

Number of replies: 0

Insufficient capability checks made it possible to fetch other users' calendar action events.

_Severity/Risk:_

**Minor**

_Versions affected:_

3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions

_Versions fixed:_

**3.11.4, 3.10.8 and 3.9.11**

_Reported by:_

0xkasper

_CVE identifier:_

CVE-2021-43560

_Changes (master):_

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71918

_Tracker issue:_

MDL-71918 IDOR in a calendar web service allows fetching of other users' action events

Permalink

*   ◀︎ MSA-21-0041: CSRF risk on delete related badge feature

◀︎ Issue Tracker

Jump to...

Social media ▶︎

*   
*   
*   
*   
*   
*   

**Bug 2021517** (CVE-2021-43559, MSA-21-0041) - CVE-2021-43559 moodle: CSRF risk on delete related badge feature

Summary: CVE-2021-43559 moodle: CSRF risk on delete related badge feature

Keywords:

Status:

CLOSED UPSTREAM

Alias:

CVE-2021-43559, MSA-21-0041

Product:

Security Response

Classification:

Other

Component:

vulnerability

Sub Component:

Version:

unspecified

Hardware:

All

OS:

Linux

Priority:

high

Severity:

high

Target Milestone:

\---

Assignee:

Red Hat Product Security

QA Contact:

Docs Contact:

URL:

Whiteboard:

Depends On:

2023829 2023828

Blocks:

2021633

TreeView+

depends on / blocked

Reported:

2021-11-09 14:06 UTC by Guilherme de Almeida Suckevicz

Modified:

2021-11-16 16:31 UTC (History)

CC List:

4 users (show)

Fixed In Version:

moodle 3.11.4, moodle 3.10.8 and moodle 3.9.11

Doc Type:

If docs needed, set a value

Doc Text:

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.

Clone Of:

Environment:

Last Closed:

2021-11-16 16:31:19 UTC

  

Attachments

(Terms of Use)

Add an attachment (proposed patch, testcase, etc.)

  

Description Guilherme de Almeida Suckevicz 2021-11-09 14:06:54 UTC

The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.

Comment 1 Guilherme de Almeida Suckevicz 2021-11-16 16:20:34 UTC

Created moodle tracking bugs for this issue:

Affects: epel-7 \[bug 2023829\]
Affects: fedora-all \[bug 2023828\]

Comment 2 Product Security DevOps Team 2021-11-16 16:31:17 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Note You need to log in before you can comment on or make changes to this bug.

*   
*   
*   
*   
*   
*

CVE-2021-43559: 2021517 – (CVE-2021-43559, MSA-21-0041) CVE-2021-43559 moodle: CSRF risk on delete related badge feature

We have already fixed this vulnerability in the following versions of QmailAgent:
QmailAgent 3.0.2 ( 2021/08/25 ) and later


<< Back to Security Advisory List

*   **Release date:** November 19, 2021
*   **Security ID:** QSA-21-49
*   **Severity:** Medium
*   **CVE identifier:** CVE-2021-34358
*   **Affected products:** QNAP NAS running QmailAgent
*   **Status:** Resolved

**Summary**

A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP NAS running QmailAgent. If exploited, this vulnerability allows remote attackers to trick a victim into performing unintended actions on the web application while the victim is logged in. 

We have already fixed this vulnerability in the following versions of QmailAgent:

*   QmailAgent 3.0.2 (2021/08/25) and later

**Recommendation**

To fix the vulnerability, we recommend updating QmailAgent to the latest version.

**Updating QmailAgent**

1.  Log on to QTS or QuTS hero as administrator.
2.  Open the **App Center** and then click ![](https://www.qnap.com/i/_upload/support/images/magnifier.png).  
    A search box appears.
3.  Type "QmailAgent" and then press **ENTER**.  
    QmailAgent appears in the search results.
4.  Click **Update**.  
    A confirmation message appears.  
    **Note:** The **Update** button is not available if your QmailAgent is already up to date.
5.  Click **OK**.  
    The application is updated.

**Acknowledgements:** Tony Martin, a security researcher

**Revision History:** V1.0 (November 19, 2021) - Published

CVE-2021-34358: CSRF Vulnerability in QmailAgent - Security Advisory

OroCRM is an open source Client Relationship Management (CRM) application. Affected versions we found to suffer from a vulnerability which could an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability and all users are advised to update their package.

**The disqualify lead action may be executed without CSRF token check**

**Package**

composer oro/crm (composer)

**Affected versions**

\>=3.1.0, <=3.1.24 || >=4.1.0, <=4.1.15 || >=4.2.0, <=4.2.5

**Patched versions**

4.2.7, 4.1.17

**Description**

**Summary**

The attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack.

**Workarounds**

There are no workarounds that address this vulnerability.

**CVSS Score**

4.2 Moderate

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L

CVE-2021-39198: Build software better, together

Team Password Manager (aka TeamPasswordManager) before 10.135.236 allows password-reset poisoning.

CVE-2021-44037: Team Password Manager Change log

The Preview E-Mails for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the search_order parameter found in the ~/views/form.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.6.8.

CVE-2021-42363: Vulnerability Advisories - Wordfence

kimai2 is vulnerable to Cross-Site Request Forgery (CSRF)

Valid

Reported on

Nov 15th 2021

**Description**

CSRF in deleting invoice templates

**Proof of Concept**

    <a href="https://[KIMAi_URL]/en/invoice/template/7/delete">CLICK ME!</a>
    

**Impact**

This vulnerability is capable of tricking admin user to delete invoice templates.

**Occurences**

![](https://huntr.dev/_nuxt/img/generic-avatar.9a3295c.png)

We are processing your report and will contact the kevinpapst/kimai2 team within 24 hours. 3 days ago

![](https://huntr.dev/_nuxt/img/generic-avatar.9a3295c.png)

We have contacted a member of the kevinpapst/kimai2 team and are waiting to hear back 2 days ago

![](https://avatars.githubusercontent.com/u/533162?v=4)

![](https://avatars.githubusercontent.com/u/533162?v=4)

haxatron has been awarded the disclosure bounty

The fix bounty is now up for grabs

![](https://avatars.githubusercontent.com/u/533162?v=4)

![](https://huntr.dev/_nuxt/img/generic-avatar.9a3295c.png)

We are processing your report and will contact the kevinpapst/kimai2 team within 24 hours. 3 days ago

![](https://huntr.dev/_nuxt/img/generic-avatar.9a3295c.png)

We have contacted a member of the kevinpapst/kimai2 team and are waiting to hear back 2 days ago

![](https://avatars.githubusercontent.com/u/533162?v=4)

![](https://avatars.githubusercontent.com/u/533162?v=4)

haxatron has been awarded the disclosure bounty

The fix bounty is now up for grabs

![](https://avatars.githubusercontent.com/u/533162?v=4)

Tag

#csrf