Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

CVE-2022-42087: myCVE/AX1803-1.md at main · tianhui999/myCVE

Tenda AX1803 US_AX1803v2.0br_v1.0.0.1_2994_CN_ZGYD01_4 is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolReboot.

CVE
Open in Source
#csrf#vulnerability#web#mac#dos
CVE-2022-42086: myCVE/AX1803-2.md at main · tianhui999/myCVE

Tenda AX1803 US_AX1803v2.0br_v1.0.0.1_2994_CN_ZGYD01_4 is vulnerable to Cross Site Request Forgery (CSRF) via function TendaAteMode.

CVE-2022-42078: myCVE/AC1206-2.md at main · tianhui999/myCVE

Tenda AC1206 US_AC1206V1.0RTL_V15.03.06.23_multi_TD01 is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolRestoreSet.

CVE-2022-42077: myCVE/AC1206-1.md at main · tianhui999/myCVE

Tenda AC1206 US_AC1206V1.0RTL_V15.03.06.23_multi_TD01 is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolReboot.

GHSA-2p3c-p3qw-69r4: The graphql-upload library included in Apollo Server 2 is vulnerable to CSRF mutations

### Impact The [graphql-upload](https://www.npmjs.com/package/graphql-upload) npm package can execute GraphQL operations contained in `content-type: multipart/form-data` POST requests. Because they are POST requests, they can contain GraphQL mutations. Because they use `content-type: multipart/form-data`, they can be "simple requests" which are not preflighted by browsers. If your GraphQL server uses `graphql-upload` and uses `SameSite=None` cookies for authentication, then JS on any origin can cause browsers to send cookie-authenticated mutations to your GraphQL server, which will be executed without checking your CORS policy first. (The attack won't be able to see the response to the mutation if your CORS policy is set up properly, but the side effects of the mutation will still happen.) Additionally, if your GraphQL server uses `graphql-upload` relies on network properties for security (whether by explicitly looking at the client's IP address or by only being available on a privat...

CVE-2022-40871: GitHub - youncyb/dolibarr-rce: DOLIBARR ERP & CRM rce

Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval.

CVE-2021-36915: Profile Builder – User Profile & User Registration Forms

Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder plugin <= 3.6.0 at WordPress allows uploading the JSON file and updating the options. Requires Import and Export add-on.

GHSA-mwwc-3jv2-62j3: AdGuardHome vulnerable to Cross-Site Request Forgery

In AdGuardHome, versions v0.95 through v0.108.0-b.13 are vulnerable to Cross-Site Request Forgery (CSRF), in the custom filtering rules functionality. An attacker can persuade an authorized user to follow a malicious link, resulting in deleting/modifying the custom filtering rules. The file that contains the vulnerable code is no longer present as of v0.108.0-b.16.

CVE-2022-32175: AdGuardHome/controlfiltering.go at v0.108.0-b.13 · AdguardTeam/AdGuardHome

In AdGuardHome, versions v0.95 through v0.108.0-b.13 are vulnerable to Cross-Site Request Forgery (CSRF), in the custom filtering rules functionality. An attacker can persuade an authorized user to follow a malicious link, resulting in deleting/modifying the custom filtering rules.

CVE-2022-32174: gogs/gogs.js at v0.12.10 · gogs/gogs

In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover.