Total
7609 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-45673 | 1 Tenda | 2 Ac6, Ac6 Firmware | 2025-04-24 | 6.5 Medium |
| Tenda AC6V1.0 V15.03.05.19 is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolRestoreSet. | ||||
| CVE-2022-45668 | 1 Tenda | 2 I22, I22 Firmware | 2025-04-24 | 6.5 Medium |
| Tenda i22 V1.0.0.3(4687) is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolReboot. | ||||
| CVE-2024-0660 | 1 Strategy11 | 1 Formidable Forms | 2025-04-24 | 6.1 Medium |
| The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.7.2. This is due to missing or incorrect nonce validation on the update_settings function. This makes it possible for unauthenticated attackers to change form settings and add malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-24884 | 1 Ari-soft | 1 Contact Form 7 Connector | 2025-04-24 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in ARI Soft Contact Form 7 Connector.This issue affects Contact Form 7 Connector: from n/a through 1.2.2. | ||||
| CVE-2023-52431 | 2 Plack\, Plack Middleware | 2 \, Xsrf Block Package For Perl | 2025-04-24 | 8.8 High |
| The Plack::Middleware::XSRFBlock package before 0.0.19 for Perl allows attackers to bypass a CSRF protection mechanism via an empty form value and an empty cookie (if signed cookies are disabled). | ||||
| CVE-2022-43470 | 1 Fsi | 8 Fs020w, Fs020w Firmware, Fs030w and 5 more | 2025-04-24 | 7.3 High |
| Cross-site request forgery (CSRF) vulnerability in +F FS040U software versions v2.3.4 and earlier, +F FS020W software versions v4.0.0 and earlier, +F FS030W software versions v3.3.5 and earlier, and +F FS040W software versions v1.4.1 and earlier allows an adjacent attacker to hijack the authentication of an administrator and user's unintended operations such as to reboot the product and/or reset the configuration to the initial set-up may be performed. | ||||
| CVE-2024-25982 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2025-04-24 | 4.3 Medium |
| The link to update all installed language packs did not include the necessary token to prevent a CSRF risk. | ||||
| CVE-2021-29050 | 1 Liferay | 2 Dxp, Portal | 2025-04-24 | 8.8 High |
| Cross-Site Request Forgery (CSRF) vulnerability in the terms of use page in Liferay Portal before 7.3.6, and Liferay DXP 7.3 before service pack 1, 7.2 before fix pack 11 allows remote attackers to accept the site's terms of use via social engineering and enticing the user to visit a malicious page. | ||||
| CVE-2020-11919 | 1 Svakom | 2 Svakom Siime Eye, Svakom Siime Eye Firmware | 2025-04-24 | 8 High |
| An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. There is no CSRF protection. | ||||
| CVE-2024-56116 | 1 Amiro | 1 Amiro.cms | 2025-04-23 | 8.8 High |
| A Cross-Site Request Forgery vulnerability in Amiro.CMS before 7.8.4 allows remote attackers to create an administrator account. | ||||
| CVE-2024-25905 | 1 Mondula | 1 Multi Step Form | 2025-04-23 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Mondula GmbH Multi Step Form.This issue affects Multi Step Form: from n/a through 1.7.18. | ||||
| CVE-2021-39864 | 1 Adobe | 2 Commerce, Magento Open Source | 2025-04-23 | 6.5 Medium |
| Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to customer cart by an unauthenticated attacker. Access to the admin console is not required for successful exploitation. | ||||
| CVE-2022-23601 | 1 Sensiolabs | 1 Symfony | 2025-04-23 | 8.1 High |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue. | ||||
| CVE-2022-21703 | 4 Fedoraproject, Grafana, Netapp and 1 more | 4 Fedora, Grafana, E-series Performance Analyzer and 1 more | 2025-04-23 | 6.3 Medium |
| Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue. | ||||
| CVE-2025-28101 | 1 Dogukanurker | 1 Flaskblog | 2025-04-23 | 6.5 Medium |
| An arbitrary file deletion vulnerability in the /post/{postTitle} component of flaskBlog v2.6.1 allows attackers to delete article titles created by other users via supplying a crafted POST request. | ||||
| CVE-2022-24712 | 1 Codeigniter | 1 Codeigniter | 2025-04-23 | 6.3 Medium |
| CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A vulnerability in versions prior to 4.1.9 might allow remote attackers to bypass the CodeIgniter4 Cross-Site Request Forgery (CSRF) protection mechanism. Users should upgrade to version 4.1.9. There are workarounds for this vulnerability, but users will still need to code as these after upgrading to v4.1.9. Otherwise, the CSRF protection may be bypassed. If auto-routing is enabled, check the request method in the controller method before processing. If auto-routing is disabled, either avoid using `$routes->add()` and instead use HTTP verbs in routes; or check the request method in the controller method before processing. | ||||
| CVE-2025-29722 | 1 Yassmittal | 1 Commercify | 2025-04-23 | 6.3 Medium |
| A CSRF vulnerability in Commercify v1.0 allows remote attackers to perform unauthorized actions on behalf of authenticated users. The issue exists due to missing CSRF protection on sensitive endpoints. | ||||
| CVE-2022-24879 | 1 Shopware | 1 Shopware | 2025-04-23 | 7.5 High |
| Shopware is an open source e-commerce software platform. Versions prior to 5.7.9 are vulnerable to malfunction of cross-site request forgery (CSRF) token validation. Under certain circumstances, the CSRF tokens were not generated anew and not validated correctly. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin. | ||||
| CVE-2022-38144 | 1 Gvectors | 1 Wpforo Forum | 2025-04-23 | 8.8 High |
| Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 at WordPress. | ||||
| CVE-2022-29450 | 1 Admin Management Xtended Project | 1 Admin Management Xtended | 2025-04-23 | 5.4 Medium |
| Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Admin Management Xtended plugin <= 2.4.4 at WordPress. | ||||