Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

CVE-2021-3957: prevent csrf to flush logs (#2930) · kevinpapst/kimai2@6b49535

kimai2 is vulnerable to Cross-Site Request Forgery (CSRF)

CVE
#csrf
CVE-2021-3976: version 1.16.2 (#2942) · kevinpapst/kimai2@b28e9c1

kimai2 is vulnerable to Cross-Site Request Forgery (CSRF)

CVE-2021-36908: Critical Security Vulnerability Fixed In WP Reset PRO - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in WebFactory Ltd. WP Reset PRO plugin <= 5.98 versions.

CVE-2021-36908: Changelog - WP Reset

Cross-Site Request Forgery (CSRF) vulnerability leading to Database Reset in WordPress WP Reset PRO Premium plugin (versions <= 5.98) allows attackers to trick authenticated into making unintentional database reset.

CVE-2021-41165: ckeditor4/CHANGES.md at major · ckeditor/ckeditor4

CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

CVE-2021-41275: [PATCH] Fix account takeover through CSRF attack · spree/spree_auth_devise@adf6ed4

spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both: Executed whether as: A before_action callback (the default). A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). Users are advised to update their spree_auth_devise gem. For users unable to update it may be possible to change your strategy to :exception. Please see the linked GHSA for more wor...

CVE-2021-41275: [PATCH] Fix account takeover through CSRF attack · spree/spree_auth_devise@adf6ed4

spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both: Executed whether as: A before_action callback (the default). A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). Users are advised to update their spree_auth_devise gem. For users unable to update it may be possible to change your strategy to :exception. Please see the linked GHSA for more wor...

CVE-2021-41165: ckeditor4/CHANGES.md at major · ckeditor/ckeditor4

CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

CVE-2021-42362: Vulnerability Advisories - Wordfence

The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2.

CVE-2021-42362: Vulnerability Advisories - Wordfence

The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2.