Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

GHSA-p8f7-22gq-m7j9: Phoenix before 1.6.14 mishandles check_origin wildcarding

socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.

ghsa
Open in Source
#csrf#git
CVE-2022-42975: Fix wildcard check_origin vulnerability. · phoenixframework/phoenix@6e7185b

socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.

CVE-2022-41477: CVE_Request/WeBid_Path_Traversal.md at master · zer0yu/CVE_Request

A security issue was discovered in WeBid <=1.2.2. A Server-Side Request Forgery (SSRF) vulnerability in the admin/theme.php file allows remote attackers to inject payloads via theme parameters to read files across directories.

CVE-2022-39308: Releases - Version notes | GoCD

GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 (inclusive) are subject to a timing attack in validation of access tokens due to use of regular string comparison for validation of the token rather than a constant time algorithm. This could allow a brute force attack on GoCD server API calls to observe timing differences in validations in order to guess an access token generated by a user for API access. This issue is fixed in GoCD version 19.11.0. As a workaround, users can apply rate limiting or insert random delays to API calls made to GoCD Server via a reverse proxy or other fronting web server. Another workaround, users may disallow use of access tokens by users by having an administrator revoke all access tokens through the "Access Token Management" admin function.

CVE-2022-35611: CVE-ID: CVE-2022-35611

A Cross-Site Request Forgery (CSRF) in MQTTRoute v3.3 and below allows attackers to create and remove dashboards.

CVE-2022-34022: CVE-ID: CVE-2022-34022

SQL injection vulnerability in ResIOT IOT Platform + LoRaWAN Network Server through 4.1.1000114 via a crafted POST request to /ResiotQueryDBActive.

CVE-2022-41474: There is a CSRF vulnerability that can change the password of any account · Issue #3 · ralap-z/rpcms

RPCMS v3.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily change the password of any account.

CVE-2022-41489: IOT_Vulnerability_Discovery/3_csrf.md at main · splashsc/IOT_Vulnerability_Discovery

WAYOS LQ_09 22.03.17V was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to send crafted requests to the server from the affected device. This vulnerability is exploitable due to a lack of authentication in the component Usb_upload.htm.

CVE-2022-41475: There is a CSRF vulnerability that can add an administrator account · Issue #2 · ralap-z/rpcms

RPCMS v3.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add an administrator account.

CVE-2022-34020: Cross-Site Request Forgery Prevention - OWASP Cheat Sheet Series

Cross Site Request Forgery (CSRF) vulnerability in ResIOT ResIOT IOT Platform + LoRaWAN Network Server through 4.1.1000114 allows attackers to add new admin users to the platform or other unspecified impacts.