
Tag

#csrf

CVE-2021-3932: huntr: Cross-Site Request Forgery (CSRF) PHP Vulnerability in twill

twill is vulnerable to Cross-Site Request Forgery (CSRF)

CVE-2020-21141: just_for_fun/ICMS CSRF at master · hxcc/just_for_fun

iCMS v7.0.15 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admincp.php?app=members&do=add.

CVE-2021-43332: Bug #1949403 “A vulnerability could allow a list moderator to di...” : Bugs : GNU Mailman

In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack.

CVE-2020-28137: Offensive Security’s Exploit Database Archive

Cross site request forgery (CSRF) in Genexis Platinum 4410 V2-1.28, allows attackers to cause a denial of service by continuously restarting the router.

CVE-2021-41426: CSRF vulnerability in the Smart box 2.0.38 router - CVE-2021-41426

Beeline Smart box 2.0.38 is vulnerable to Cross Site Request Forgery (CSRF) via mgt_end_user.htm.

CVE-2021-40518: HSMX Gateway - Airangel - WiFi solutions

Airangel HSMX Gateway devices through 5.2.04 allow CSRF.

CVE-2021-24801

The WP Survey Plus WordPress plugin through 1.0 does not have any authorisation or CSRF checks in place in its AJAX actions, allowing any user to call them and add/edit/delete Surveys. Furthermore, due to the lack of sanitisation of the Surveys' Title, this could also lead to Stored Cross-Site Scripting issues.

CVE-2021-24626: wp-plugin : chameleon-css | Code Vigilant : to err is human.. To fix is Humanity

The Chameleon CSS WordPress plugin through 1.2 does not have any CSRF or capability checks in any of its AJAX calls, allowing any authenticated user, such as a subscriber, to call them and perform unauthorised actions. One of the AJAX calls, remove_css, also does not sanitise or escape the css_id POST parameter before using it in a SQL statement, leading to a SQL Injection.