Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

CVE-2022-43470: +F(プラスエフ) FS030W 「クロスサイトリクエストフォージェリ」の脆弱性|富士ソフト株式会社

Cross-site request forgery (CSRF) vulnerability in +F FS040U software versions v2.3.4 and earlier, +F FS020W software versions v4.0.0 and earlier, +F FS030W software versions v3.3.5 and earlier, and +F FS040W software versions v1.4.1 and earlier allows an adjacent attacker to hijack the authentication of an administrator and user's unintended operations such as to reboot the product and/or reset the configuration to the initial set-up may be performed.

CVE
#csrf#vulnerability#auth
CVE-2022-43504: WordPress 6.0.3 Security Release

Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature.

GHSA-47xh-qxqv-mgvg: kube-httpcache is vulnerable to Cross-Site Request Forgery (CSRF)

### Impact > A request forgery attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker may introduce characters through the HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This may in turn be used to successfully exploit vulnerabilities in a server behind the Varnish server. > -- https://varnish-cache.org/security/VSV00011.html#vsv00011 ### Patches This is fixed in Varnish 6.0.11; Varnish 6.0.11 is available in `kube-httpcache` versions v0.7.1 and later. ### Workarounds See [upstream mitigation hints](https://varnish-cache.org/security/VSV00011.html#mitigation). ### References - https://varnish-cache.org/security/VSV00011.html#vsv00011

CVE-2022-4220: WP plugin Chained Quiz multiple vulnerabilities

The Chained Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.2.4. This is due to missing nonce validation on the list_questions() function. This makes it possible for unauthenticated attackers to delete questions from quizzes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-45673: VulnerabilityProjectRecords/fromSysToolRestoreSet.md at main · iceyjchen/VulnerabilityProjectRecords

Tenda AC6V1.0 V15.03.05.19 is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolRestoreSet.

CVE-2022-40849: XSS Stored in the Slideshow Management component. · Issue #737 · thinkcmf/thinkcmf

ThinkCMF version 6.0.7 is affected by Stored Cross-Site Scripting (XSS). An attacker who successfully exploited this vulnerability could inject a Persistent XSS payload in the Slideshow Management section that execute arbitrary JavaScript code on the client side, e.g., to steal the administrator's PHP session token (PHPSESSID).

CVE-2022-40489: I found a CSRF that creates a Super Admin account. · Issue #736 · thinkcmf/thinkcmf

ThinkCMF version 6.0.7 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows a Super Administrator user to be injected into administrative users.