ReportizFlow
Filtered by vendor
Subscriptions
Total
8331 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-41273 | 1 Pterodactyl | 1 Panel | 2024-11-21 | 4.3 Medium |
| Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: Sending a test email and Generating a node auto-deployment token. At no point would any data be exposed to the malicious user, this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed to the malicious user, it is simply created unexpectedly in the system. This has been addressed in release `1.6.6`. Users may optionally manually apply the fixes released in v1.6.6 to patch their own systems. | ||||
| CVE-2021-41260 | 1 Galette | 1 Galette | 2024-11-21 | 8.2 High |
| Galette is a membership management web application built for non profit organizations and released under GPLv3. Versions prior to 0.9.6 do not check for Cross Site Request Forgery attacks. All users are advised to upgrade to 0.9.6 as soon as possible. There are no known workarounds for this issue. | ||||
| CVE-2021-41176 | 1 Pterodactyl | 1 Panel | 2024-11-21 | 4.3 Medium |
| Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl a malicious user can trigger a user logout if a signed in user visits a malicious website that makes a request to the Panel's sign-out endpoint. This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. **No user details are leaked, nor is any user data affected, this is simply an annoyance at worst.** This is fixed in version 1.6.3. | ||||
| CVE-2021-41113 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 8.8 High |
| TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery. The impact is the same as described in TYPO3-CORE-SA-2020-006 (CVE-2020-11069). However, it is not limited to the same site context and does not require the attacker to be authenticated. In a worst case scenario, the attacker could create a new admin user account to compromise the system. To successfully carry out an attack, an attacker must trick his victim to access a compromised system. The victim must have an active session in the TYPO3 backend at that time. The following Same-Site cookie settings in $GLOBALS[TYPO3_CONF_VARS][BE][cookieSameSite] are required for an attack to be successful: SameSite=strict: malicious evil.example.org invoking TYPO3 application at good.example.org and SameSite=lax or none: malicious evil.com invoking TYPO3 application at example.org. Update your instance to TYPO3 version 11.5.0 which addresses the problem described. | ||||
| CVE-2021-41083 | 1 Dadamailproject | 1 Dada Mail | 2024-11-21 | 8 High |
| Dada Mail is a web-based e-mail list management system. In affected versions a bad actor could give someone a carefully crafted web page via email, SMS, etc, that - when visited, allows them control of the list control panel as if the bad actor was logged in themselves. This includes changing any mailing list password, as well as the Dada Mail Root Password - which could effectively shut out actual list owners of the mailing list and allow the bad actor complete and unfettered control of your mailing list. This vulnerability also affects profile logins. For this vulnerability to work, the target of the bad actor would need to be logged into the list control panel themselves. This CSRF vulnerability in Dada Mail affects all versions of Dada Mail v11.15.1 and below. Although we know of no known CSRF exploits that have happened in the wild, this vulnerability has been confirmed by our testing, and by a third party. Users are advised to update to version 11.16.0. | ||||
| CVE-2021-40965 | 1 Tinyfilemanager Project | 1 Tinyfilemanager | 2024-11-21 | 8.8 High |
| A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker. | ||||
| CVE-2021-40662 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 8.8 High |
| A Cross-Site Request Forgery (CSRF) in Chamilo LMS 1.11.14 allows attackers to execute arbitrary commands on victim hosts via user interaction with a crafted URL. | ||||
| CVE-2021-40518 | 1 Airangel | 10 Hsmx-app-100, Hsmx-app-1000, Hsmx-app-1000 Firmware and 7 more | 2024-11-21 | 6.5 Medium |
| Airangel HSMX Gateway devices through 5.2.04 allow CSRF. | ||||
| CVE-2021-40335 | 1 Hitachienergy | 2 Modular Switchgear Monitoring, Modular Switchgear Monitoring Firmware | 2024-11-21 | 5 Medium |
| A vulnerability exists in the HTTP web interface where the web interface does not sufficiently verify if a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. This cause a Cross Site Request Forgery (CSRF), which if exploited could lead an attacker to gain unauthorized access to the web application and perform an unwanted operation on it without the knowledge of the legitimate user. An attacker, who successfully makes an MSM user who has already established a session to MSM web interface clicks a forged link to the MSM web interface, e.g., link is sent per E-Mail, could perform harmful command on MSM through its web server interface. This issue affects: Hitachi Energy MSM V2.2 and prior versions. | ||||
| CVE-2021-40174 | 1 Zohocorp | 1 Manageengine Log360 | 2024-11-21 | 8.8 High |
| Zoho ManageEngine Log360 before Build 5224 allows a CSRF attack for disabling the logon security settings. | ||||
| CVE-2021-40173 | 1 Zohocorp | 1 Manageengine Cloud Security Plus | 2024-11-21 | 8.8 High |
| Zoho ManageEngine Cloud Security Plus before Build 4117 allows a CSRF attack on the server proxy settings. | ||||
| CVE-2021-40172 | 1 Zohocorp | 1 Manageengine Log360 | 2024-11-21 | 8.8 High |
| Zoho ManageEngine Log360 before Build 5219 allows a CSRF attack on proxy settings. | ||||
| CVE-2021-40108 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 8.8 High |
| An issue was discovered in Concrete CMS through 8.5.5. The Calendar is vulnerable to CSRF. ccm_token is not verified on the ccm/calendar/dialogs/event/add/save endpoint. | ||||
| CVE-2021-3993 | 1 Showdoc | 1 Showdoc | 2024-11-21 | 6.5 Medium |
| showdoc is vulnerable to Cross-Site Request Forgery (CSRF) | ||||
| CVE-2021-3976 | 1 Kimai | 1 Kimai 2 | 2024-11-21 | 6.5 Medium |
| kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) | ||||
| CVE-2021-3963 | 1 Kimai | 1 Kimai 2 | 2024-11-21 | 4.3 Medium |
| kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) | ||||
| CVE-2021-3957 | 1 Kimai | 1 Kimai 2 | 2024-11-21 | 4.3 Medium |
| kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) | ||||
| CVE-2021-3944 | 1 Bookstackapp | 1 Bookstack | 2024-11-21 | 6.8 Medium |
| bookstack is vulnerable to Cross-Site Request Forgery (CSRF) | ||||
| CVE-2021-3932 | 1 Area17 | 1 Twill | 2024-11-21 | 4.3 Medium |
| twill is vulnerable to Cross-Site Request Forgery (CSRF) | ||||
| CVE-2021-3931 | 1 Snipeitapp | 1 Snipe-it | 2024-11-21 | 4.3 Medium |
| snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) | ||||