| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Dada Mail is a web-based e-mail list management system. In affected versions a bad actor could give someone a carefully crafted web page via email, SMS, etc, that - when visited, allows them control of the list control panel as if the bad actor was logged in themselves. This includes changing any mailing list password, as well as the Dada Mail Root Password - which could effectively shut out actual list owners of the mailing list and allow the bad actor complete and unfettered control of your mailing list. This vulnerability also affects profile logins. For this vulnerability to work, the target of the bad actor would need to be logged into the list control panel themselves. This CSRF vulnerability in Dada Mail affects all versions of Dada Mail v11.15.1 and below. Although we know of no known CSRF exploits that have happened in the wild, this vulnerability has been confirmed by our testing, and by a third party. Users are advised to update to version 11.16.0. |
| An issue was discovered in Listary through 6. Improper implementation of the update process leads to the download of software updates with a /check-update HTTP-based connection. This can be exploited with MITM techniques. Together with the lack of package validation, it can lead to manipulation of update packages that can cause an installation of malicious content. |
| A Cross-Site Request Forgery (CSRF) in Chamilo LMS 1.11.14 allows attackers to execute arbitrary commands on victim hosts via user interaction with a crafted URL. |
| Airangel HSMX Gateway devices through 5.2.04 allow CSRF. |
| A vulnerability exists in the HTTP web interface where the web interface does not sufficiently verify if a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. This cause a Cross Site Request Forgery (CSRF), which if exploited could lead an attacker to gain unauthorized access to the web application and perform an unwanted operation on it without the knowledge of the legitimate user. An attacker, who successfully makes an MSM user who has already established a session to MSM web interface clicks a forged link to the MSM web interface, e.g., link is sent per E-Mail, could perform harmful command on MSM through its web server interface. This issue affects: Hitachi Energy MSM V2.2 and prior versions. |
| Zoho ManageEngine Log360 before Build 5224 allows a CSRF attack for disabling the logon security settings. |
| Zoho ManageEngine Cloud Security Plus before Build 4117 allows a CSRF attack on the server proxy settings. |
| Zoho ManageEngine Log360 before Build 5219 allows a CSRF attack on proxy settings. |
| An issue was discovered in Concrete CMS through 8.5.5. The Calendar is vulnerable to CSRF. ccm_token is not verified on the ccm/calendar/dialogs/event/add/save endpoint. |
| showdoc is vulnerable to Cross-Site Request Forgery (CSRF) |
| elgg is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor |
| kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) |
| kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) |
| kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) |
| bookstack is vulnerable to Cross-Site Request Forgery (CSRF) |
| twill is vulnerable to Cross-Site Request Forgery (CSRF) |
| snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) |
| firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) |
| firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) |
| firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) |
