Security Headlines

Tag: #csrf
CVE-2021-24641

The Images to WebP WordPress plugin before 1.9 does not have CSRF checks in place when performing some administrative actions, which could result in modification of plugin settings, Denial-of-Service, as well as arbitrary image conversion

CVE-2021-24668

The MAZ Loader WordPress plugin through 1.3.4 does not enforce nonce checks, which allows attackers to make administrators delete arbitrary loaders via a CSRF attack

CVE-2021-24703

The Download Plugin WordPress plugin before 1.6.1 does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated users, such as subscribers, to activate plugins that are already installed.

CVE-2021-43560: IDOR in a calendar web service allows fetching of other users' action events

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.

CVE-2021-43559 (MSA-21-0041): CSRF risk on delete related badge feature

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.

CVE-2021-34358: CSRF Vulnerability in QmailAgent - Security Advisory

We have already fixed this vulnerability in the following versions of QmailAgent: QmailAgent 3.0.2 (2021/08/25) and later

CVE-2021-39198: CSRF in OroCRM allows disqualifying any Lead

OroCRM is an open source Client Relationship Management (CRM) application. Affected versions were found to suffer from a vulnerability in which an attacker is able to disqualify any Lead via a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability, and all users are advised to update their package.

CVE-2021-44037: Password-reset poisoning in Team Password Manager

Team Password Manager (aka TeamPasswordManager) before 10.135.236 allows password-reset poisoning.