Security Headlines

Tag: #csrf

CVE-2021-24703

The Download Plugin WordPress plugin before 1.6.1 does not have capability or CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated user, such as a subscriber, to activate plugins that are already installed.
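The two missing checks in CVE-2021-24703 are easiest to see side by side. The block below is an added example written for this page, not the Download Plugin's own code: a hypothetical WordPress admin-ajax handler (the action name example_activate_plugin, the nonce action, the request field names and the script handle are all assumptions) shown first in the vulnerable shape the advisory describes and then with a nonce check and a capability check added. Only the hardened handler is registered.

```php
<?php
// Added illustrative example, not code from the Download Plugin.
// Names (example_activate_plugin, 'nonce', 'plugin', 'example-admin') are hypothetical.

require_once ABSPATH . 'wp-admin/includes/plugin.php'; // activate_plugin(), get_plugins()

// Vulnerable shape: wp_ajax_* hooks fire for any logged-in user, so without a
// capability check a subscriber can call this, and without a nonce check a
// cross-site form can submit it on behalf of whoever is logged in.
function example_activate_plugin_vulnerable() {
    $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
    $result = activate_plugin( $plugin );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message() );
    }
    wp_send_json_success( 'activated' );
}
// Deliberately not registered: add_action( 'wp_ajax_example_activate_plugin', 'example_activate_plugin_vulnerable' );

// Hardened shape. Both checks are needed: the nonce alone still lets a
// subscriber activate plugins, and the capability alone still lets an
// administrator be driven by a cross-site request.
function example_activate_plugin_hardened() {
    // CSRF check: the 'nonce' field must carry a nonce minted by
    // wp_create_nonce( 'example_activate_plugin' ) for this user; otherwise
    // check_ajax_referer() terminates the request.
    check_ajax_referer( 'example_activate_plugin', 'nonce' );

    // Authorization check: activating plugins is an admin-level capability.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';

    // Accept only plugin files that are actually installed.
    if ( '' === $plugin || ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_send_json_error( 'unknown plugin', 400 );
    }

    $result = activate_plugin( $plugin );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( 'activated' );
}
add_action( 'wp_ajax_example_activate_plugin', 'example_activate_plugin_hardened' );

// Hand the nonce to the admin page's script so legitimate requests can pass
// check_ajax_referer(). The script itself is not shown here.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_activate_plugin' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The order matters: the nonce check runs first so that a forged request is rejected before any authorization logic or state change, and the capability check is done explicitly rather than relying on the fact that wp_ajax_* only fires for logged-in users.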

CVE-2021-43560: IDOR in a calendar web service allows fetching of other users' action events

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.

CVE-2021-43559: CSRF risk on the "delete related badge" feature in Moodle (MSA-21-0041)

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.

CVE-2021-34358: CSRF vulnerability in QmailAgent (QNAP security advisory)

QNAP has fixed this vulnerability in QmailAgent 3.0.2 (2021/08/25) and later.

CVE-2021-39198: CSRF in OroCRM allows disqualifying any Lead

OroCRM is an open source Client Relationship Management (CRM) application. Affected versions contain a vulnerability that allows an attacker to disqualify any Lead via a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability, and all users are advised to update their package.

CVE-2021-44037: Password-reset poisoning in Team Password Manager

Team Password Manager (aka TeamPasswordManager) before 10.135.236 allows password-reset poisoning.

CVE-2021-42363: Reflected XSS in Preview E-Mails for WooCommerce (Wordfence advisory)

The Preview E-Mails for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the search_order parameter found in the ~/views/form.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.6.8.

CVE-2021-3963: Cross-Site Request Forgery (CSRF) in kimai2

kimai2 is vulnerable to Cross-Site Request Forgery (CSRF).