
Tag: #csrf

CVE-2022-4850: chore: fix CSRF (#876) · usememos/memos@c9bb2b7

Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.

CVE-2022-4849

Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.

Stupid security 2022 – this year’s infosec fails

Epic web security fails and salutary lessons from another inevitably eventful year in infosec

GHSA-q9qr-jwpw-3qvv: Golf may allow attacker to bypass CSRF protections

CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, making predicting their values relatively trivial and allowing an attacker to bypass CSRF protections with relatively few requests.

CVE-2019-25091

A vulnerability classified as problematic has been found in nsupdate.info. This affects an unknown part of the file src/nsupdate/settings/base.py of the component CSRF Cookie Handler. The manipulation of the argument CSRF_COOKIE_HTTPONLY leads to cookie without 'httponly' flag. It is possible to initiate the attack remotely. The name of the patch is 60a3fe559c453bc36b0ec3e5dd39c1303640a59a. It is recommended to apply a patch to fix this issue. The identifier VDB-216909 was assigned to this vulnerability.

CVE-2016-15005: GO-2020-0045 - Go Packages

CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, making predicting their values relatively trivial and allowing an attacker to bypass CSRF protections with relatively few requests.

CVE-2020-28191: CVE-2020-28191 - GitHub Advisory Database

The console in Togglz before 2.9.4 allows CSRF.

CVE-2022-4266

The Bulk Delete Users by Email WordPress plugin through 1.2 does not have a CSRF check when deleting users, which could allow attackers to make a logged-in admin delete non-admin users by knowing their email via a CSRF attack.

CVE-2022-26969: Cross-Origin Resource Sharing (CORS) - HTTP | MDN

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.

CVE-2022-44381: CENSUS | IT Security Works

Snipe-IT through 6.0.14 allows attackers to check whether a user account exists because of response variations in a /password/reset request.