Total
7651 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-30705 | 1 Wordpress Ping Optimizer Project | 1 Wordpress Ping Optimizer | 2024-11-21 | N/A | 5.4 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Pankaj Jha WordPress Ping Optimizer plugin <= 2.35.1.2.3 versions. | |||||
| CVE-2022-30694 | 1 Siemens | 223 6ag1151-8ab01-7ab0, 6ag1151-8ab01-7ab0 Firmware, 6ag1151-8fb01-2ab0 and 220 more | 2024-11-21 | N/A | 6.5 MEDIUM |
| The login endpoint /FormLogin in affected web services does not apply proper origin checking. This could allow authenticated remote attackers to track the activities of other users via a login cross-site request forgery attack. | |||||
| CVE-2022-30544 | 1 Hyumika | 1 Openstreetmap | 2024-11-21 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) in MiKa's OSM – OpenStreetMap plugin <= 6.0.1 versions. | |||||
| CVE-2022-30337 | 1 Joomunited | 1 Wp Meta Seo | 2024-11-21 | N/A | 5.4 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in JoomUnited WP Meta SEO plugin <= 4.4.8 at WordPress allows an attacker to update the social settings. | |||||
| CVE-2022-30328 | 1 Trendnet | 2 Tew-831dr, Tew-831dr Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was found on TRENDnet TEW-831DR 1.0 601.130.1.1356 devices. The username and password setup for the web interface does not require entering the existing password. A malicious user can change the username and password of the interface. | |||||
| CVE-2022-30327 | 1 Trendnet | 2 Tew-831dr, Tew-831dr Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was found on TRENDnet TEW-831DR 1.0 601.130.1.1356 devices. The web interface is vulnerable to CSRF. An attacker can change the pre-shared key of the Wi-Fi router if the interface's IP address is known. | |||||
| CVE-2022-30280 | 1 Nokia | 1 Netact | 2024-11-21 | N/A | 8.8 HIGH |
| /SecurityManagement/html/createuser.jsf in Nokia NetAct 22 allows CSRF. A remote attacker is able to create users with arbitrary privileges, even administrative privileges. The application (even if it implements a CSRF token for the random GET request) does not ever verify a CSRF token. With a little help of social engineering/phishing (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. | |||||
| CVE-2022-30014 | 1 Simple Food Website Project | 1 Simple Food Website | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Lumidek Associates Simple Food Website 1.0 is vulnerable to Cross Site Request Forgery (CSRF) which allows anyone to takeover admin/moderater account. | |||||
| CVE-2022-2986 | 1 Moodle | 1 Moodle | 2024-11-21 | N/A | 8.8 HIGH |
| Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk. | |||||
| CVE-2022-2839 | 1 Zephyr-one | 1 Zephyr Project Manager | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins. | |||||
| CVE-2022-2783 | 1 Octopus | 1 Octopus Server | 2024-11-21 | N/A | 5.3 MEDIUM |
| In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token | |||||
| CVE-2022-2657 | 1 Wc-marketplace | 1 Multivendor Marketplace Solution For Woocommerce - Wc Marketplace | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Multivendor Marketplace Solution for WooCommerce WordPress plugin before 3.8.12 is lacking authorisation and CSRF in multiple AJAX actions, which could allow any authenticated users, such as subscriber to call them and suspend vendors (reporter by the submitter) or update arbitrary order status (identified by WPScan when verifying the issue) for example. Other unauthenticated attacks are also possible, either directly or via CSRF | |||||
| CVE-2022-2555 | 1 Yotpo Reviews For Woocommerce Project | 1 Yotpo Reviews For Woocommerce | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Yotpo Reviews for WooCommerce WordPress plugin through 2.0.4 lacks nonce check when updating its settings, which could allow attacker to make a logged in admin change them via a CSRF attack. | |||||
| CVE-2022-2540 | 1 Link Optimizer Lite Project | 1 Link Optimizer Lite | 2024-11-21 | N/A | 8.8 HIGH |
| The Link Optimizer Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 1.4.5. This is due to missing nonce validation on the admin_page function found in the ~/admin.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-2441 | 1 Orangelab | 1 Imagemagick Engine | 2024-11-21 | N/A | 8.8 HIGH |
| The ImageMagick Engine plugin for WordPress is vulnerable to remote code execution via the 'cli_path' parameter in versions up to, and including 1.7.5. This makes it possible for unauthenticated users to run arbitrary commands leading to remote command execution, granted they can trick a site administrator into performing an action such as clicking on a link. This makes it possible for an attacker to create and or modify files hosted on the server which can easily grant attackers backdoor access to the affected server. | |||||
| CVE-2022-2432 | 1 Lightspeedhq | 1 Ecwid Ecommerce Shopping Cart | 2024-11-21 | N/A | 8.8 HIGH |
| The Ecwid Ecommerce Shopping Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.10.23. This is due to missing or incorrect nonce validation on the ecwid_update_plugin_params function. This makes it possible for unauthenticated attackers to update plugin options granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-2389 | 1 Funnelkit | 1 Funnelkit Automations | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Abandoned Cart Recovery for WooCommerce, Follow Up Emails, Newsletter Builder & Marketing Automation By Autonami WordPress plugin before 2.1.2 does not have authorisation and CSRF checks in one of its AJAX action, allowing any authenticated users, such as subscriber to create automations | |||||
| CVE-2022-2388 | 1 Wow-company | 1 Wp Coder | 2024-11-21 | N/A | 6.5 MEDIUM |
| The WP Coder WordPress plugin before 2.5.3 does not have CSRF check in place when deleting code created by the plugin, which could allow attackers to make a logged in admin delete arbitrary ones via a CSRF attack | |||||
| CVE-2022-2382 | 1 Shapedplugin | 1 Product Slider For Woocommerce | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Product Slider for WooCommerce WordPress plugin before 2.5.7 has flawed CSRF checks and lack authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber to call them. One in particular could allow them to delete arbitrary blog options. | |||||
| CVE-2022-2381 | 1 E Unlocked - Student Result Project | 1 E Unlocked - Student Result | 2024-11-21 | N/A | 8.8 HIGH |
| The E Unlocked - Student Result WordPress plugin through 1.0.4 is lacking CSRF and validation when uploading the School logo, which could allow attackers to make a logged in admin upload arbitrary files, such as PHP via a CSRF attack | |||||