Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

CVE-2021-24688

The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in all of its AJAX calls, for example the or_delete_filed one which is available to both unauthenticated and authenticated users could allow attackers to delete arbitrary posts.The AJAX calls performing actions on posts also do not ensure that the post belong to them (or that they are allowed to perform such action on it)

CVE
Open in Source
#csrf
CVE-2021-25010

The Post Snippets WordPress plugin before 3.1.4 does not have CSRF check when importing files, allowing attacker to make a logged In admin import arbitrary snippets. Furthermore, imported snippers are not sanitised and escaped, which could lead to Stored Cross-Site Scripting issues

CVE-2021-25011

The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitrary posts and update the plugin's settings.

CVE-2021-24971

The WP Responsive Menu WordPress plugin before 3.1.7.1 does not have capability and CSRF checks in the wpr_live_update AJAX action, as well as do not sanitise and escape some of the data submitted. As a result, any authenticated, such as subscriber could update the plugin's settings and perform Cross-Site Scripting attacks against all visitor and users on the frontend

CVE-2022-0345

The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF check in its bnfw_search_users AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes (finding the first letter, then the second one, then the third one etc.).

CVE-2021-3967: Improper Access Control in zulip

Improper Access Control in GitHub repository zulip/zulip prior to 4.10.

CVE-2022-0763: Cross-site Scripting (XSS) - Stored in microweber

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.

CVE-2022-24347: JetBrains Security Bulletin Q4 2021 | JetBrains News

JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon.

CVE-2022-24329: JetBrains Security Bulletin Q4 2021 | Company Blog

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

CVE-2022-24947

Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover. Apache JSPWiki users should upgrade to 2.11.2 or later.