Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

CVE-2022-3082

The miniOrange Discord Integration WordPress plugin before 2.1.6 does not have authorisation and CSRF in some of its AJAX actions, allowing any logged in users, such as subscriber to call them, and disable the app for example

CVE
Open in Source
#csrf#wordpress#auth
GHSA-p8f7-22gq-m7j9: Phoenix before 1.6.14 mishandles check_origin wildcarding

socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.

CVE-2022-42975: Fix wildcard check_origin vulnerability. · phoenixframework/phoenix@6e7185b

socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.

CVE-2022-41477: CVE_Request/WeBid_Path_Traversal.md at master · zer0yu/CVE_Request

A security issue was discovered in WeBid <=1.2.2. A Server-Side Request Forgery (SSRF) vulnerability in the admin/theme.php file allows remote attackers to inject payloads via theme parameters to read files across directories.

CVE-2022-39308: Releases - Version notes | GoCD

GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 (inclusive) are subject to a timing attack in validation of access tokens due to use of regular string comparison for validation of the token rather than a constant time algorithm. This could allow a brute force attack on GoCD server API calls to observe timing differences in validations in order to guess an access token generated by a user for API access. This issue is fixed in GoCD version 19.11.0. As a workaround, users can apply rate limiting or insert random delays to API calls made to GoCD Server via a reverse proxy or other fronting web server. Another workaround, users may disallow use of access tokens by users by having an administrator revoke all access tokens through the "Access Token Management" admin function.

CVE-2022-35611: CVE-ID: CVE-2022-35611

A Cross-Site Request Forgery (CSRF) in MQTTRoute v3.3 and below allows attackers to create and remove dashboards.

CVE-2022-34022: CVE-ID: CVE-2022-34022

SQL injection vulnerability in ResIOT IOT Platform + LoRaWAN Network Server through 4.1.1000114 via a crafted POST request to /ResiotQueryDBActive.

CVE-2022-41474: There is a CSRF vulnerability that can change the password of any account · Issue #3 · ralap-z/rpcms

RPCMS v3.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily change the password of any account.

CVE-2022-41489: IOT_Vulnerability_Discovery/3_csrf.md at main · splashsc/IOT_Vulnerability_Discovery

WAYOS LQ_09 22.03.17V was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to send crafted requests to the server from the affected device. This vulnerability is exploitable due to a lack of authentication in the component Usb_upload.htm.

CVE-2022-41475: There is a CSRF vulnerability that can add an administrator account · Issue #2 · ralap-z/rpcms

RPCMS v3.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add an administrator account.