Search
Total
1927 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-30280 | 1 Nokia | 1 Netact | 2023-08-02 | N/A | 8.8 HIGH |
| /SecurityManagement/html/createuser.jsf in Nokia NetAct 22 allows CSRF. A remote attacker is able to create users with arbitrary privileges, even administrative privileges. The application (even if it implements a CSRF token for the random GET request) does not ever verify a CSRF token. With a little help of social engineering/phishing (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. | |||||
| CVE-2023-36162 | 1 Zzcms | 1 Zzcms | 2023-08-01 | N/A | 8.8 HIGH |
| Cross Site Request Forgery vulnerability in ZZCMS v.2023 and earlier allows a remote attacker to gain privileges via the add function in adminlist.php. | |||||
| CVE-2023-3841 | 1 Nxfilter | 1 Nxfilter | 2023-07-28 | N/A | 8.8 HIGH |
| A vulnerability has been found in NxFilter 4.3.2.5 and classified as problematic. This vulnerability affects unknown code of the file user.jsp. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The identifier of this vulnerability is VDB-235192. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-25482 | 1 Keetrax | 1 Wp Tiles | 2023-07-27 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Mike Martel WP Tiles plugin <= 1.1.2 versions. | |||||
| CVE-2023-25475 | 1 Smart Youtube Pro Project | 1 Smart Youtube Pro | 2023-07-27 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Vladimir Prelovac Smart YouTube PRO plugin <= 4.3 versions. | |||||
| CVE-2023-32761 | 1 Archerirm | 1 Archer | 2023-07-27 | N/A | 8.0 HIGH |
| Cross Site Request Forgery (CSRF) vulnerability in Archer Platform before v.6.13 and fixed in v.6.12.0.6 and v.6.13.0 allows an authenticated attacker to execute arbitrary code via a crafted request. | |||||
| CVE-2023-25473 | 1 Flickr Justified Gallery Project | 1 Flickr Justified Gallery | 2023-07-27 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Miro Mannino Flickr Justified Gallery plugin <= 3.5 versions. | |||||
| CVE-2022-45828 | 1 Nootheme | 1 Noo Timetable | 2023-07-27 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in NooTheme Noo Timetable plugin <= 2.1.3 versions. | |||||
| CVE-2022-46857 | 1 Sitealert | 1 Sitealert | 2023-07-27 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in SiteAlert plugin <= 1.9.7 versions. | |||||
| CVE-2023-36511 | 1 Woocommerce | 1 Woocommerce Order Barcodes | 2023-07-27 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Order Barcodes plugin <= 1.6.4 versions. | |||||
| CVE-2023-36514 | 1 Woocommerce | 1 Shipping Multiple Addresses | 2023-07-27 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce Shipping Multiple Addresses plugin <= 3.8.5 versions. | |||||
| CVE-2023-37968 | 1 Faboba | 1 Falang | 2023-07-27 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Faboba Falang multilanguage for WordPress plugin <= 1.3.39 versions. | |||||
| CVE-2023-36513 | 1 Woocommerce | 1 Automatewoo | 2023-07-27 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce AutomateWoo plugin <= 5.7.5 versions. | |||||
| CVE-2023-37985 | 1 Fivestarplugins | 1 Five Star Restaurant Menu | 2023-07-27 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in FiveStarPlugins Restaurant Menu and Food Ordering plugin <= 2.4.6 versions. | |||||
| CVE-2023-37974 | 1 Wp Social Autoconnect Project | 1 Wp Social Autoconnect | 2023-07-27 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Justin Klein WP Social AutoConnect plugin <= 4.6.1 versions. | |||||
| CVE-2023-38349 | 1 Pnp4nagios | 1 Pnp4nagios | 2023-07-26 | N/A | 8.8 HIGH |
| PNP4Nagios through 81ebfc5 lacks CSRF protection in the AJAX controller. This affects 0.6.26. | |||||
| CVE-2023-31216 | 1 Ultimatemember | 1 Ultimate Member | 2023-07-26 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Ultimate Member plugin <= 2.6.0 versions. | |||||
| CVE-2023-37650 | 1 Agentejo | 1 Cockpit | 2023-07-26 | N/A | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands. | |||||
| CVE-2021-31584 | 1 Sipwise | 1 Next Generation Communication Platform | 2022-07-30 | 6.8 MEDIUM | 8.8 HIGH |
| Sipwise C5 NGCP www_csc version 3.6.4 up to and including platform NGCP CE mr3.8.13 allows call/click2dial CSRF attacks for actions with administrative privileges. | |||||
| CVE-2019-5963 | 1 Zoho | 1 Salesiq | 2022-07-29 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Zoho SalesIQ 1.0.8 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2022-35285 | 2 Ibm, Linux | 2 Security Verify Information Queue, Linux Kernel | 2022-07-29 | N/A | 8.8 HIGH |
| IBM Security Verify Information Queue 10.0.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 230812. | |||||
| CVE-2021-24626 | 1 Chameleon Css Project | 1 Chameleon Css | 2022-07-29 | 6.5 MEDIUM | 8.8 HIGH |
| The Chameleon CSS WordPress plugin through 1.2 does not have any CSRF and capability checks in all its AJAX calls, allowing any authenticated user, such as subscriber to call them and perform unauthorised actions. One of AJAX call, remove_css, also does not sanitise or escape the css_id POST parameter before using it in a SQL statement, leading to a SQL Injection | |||||
| CVE-2021-24487 | 1 Sanskruti | 1 St-daily-tip | 2022-07-29 | 6.8 MEDIUM | 8.8 HIGH |
| The St-Daily-Tip WordPress plugin through 4.7 does not have any CSRF check in place when saving its 'Default Text to Display if no tips' setting, and was also lacking sanitisation as well as escaping before outputting it the page. This could allow attacker to make logged in administrators set a malicious payload in it, leading to a Stored Cross-Site Scripting issue | |||||
| CVE-2021-24639 | 1 Ffw | 1 Omgf | 2022-07-29 | 5.5 MEDIUM | 8.1 HIGH |
| The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server. | |||||
| CVE-2021-24581 | 1 Blue-admin Project | 1 Blue-admin | 2022-07-29 | 6.8 MEDIUM | 8.8 HIGH |
| The Blue Admin WordPress plugin through 21.06.01 does not sanitise or escape its "Logo Title" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack. | |||||
| CVE-2021-24555 | 1 Roosty | 1 Diary-availability-calendar | 2022-07-29 | 6.5 MEDIUM | 8.8 HIGH |
| The daac_delete_booking_callback function, hooked to the daac_delete_booking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and capability check, making it available to any authenticated user. | |||||
| CVE-2021-24565 | 1 Contact Form 7 Captcha Project | 1 Contact Form 7 Captcha | 2022-07-28 | 6.8 MEDIUM | 8.8 HIGH |
| The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing attacker to make a logged in user with the manage_options change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2022-34367 | 1 Dell | 1 Emc Data Protection Central | 2022-07-27 | N/A | 8.8 HIGH |
| Dell EMC Data Protection Central versions 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, contain(s) a Cross-Site Request Forgery Vulnerability. A(n) remote unauthenticated attacker could potentially exploit this vulnerability, leading to processing of unintended server operations. | |||||
| CVE-2022-20861 | 1 Cisco | 1 Nexus Dashboard | 2022-07-27 | N/A | 8.8 HIGH |
| Multiple vulnerabilities in Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2022-32320 | 2 Ferdium, Getferdi | 2 Ferdium, Ferdi | 2022-07-25 | N/A | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) in Ferdi through 5.8.1 and Ferdium through 6.0.0-nightly.98 allows attackers to read files via an uploaded file such as a settings/preferences file. | |||||
| CVE-2022-2001 | 1 Devrix | 1 Dx Share Selection | 2022-07-25 | N/A | 8.8 HIGH |
| The DX Share Selection plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the dxss_admin_page() function found in the ~/dx-share-selection.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site's administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-2435 | 1 Anymind | 1 Anymind Widget | 2022-07-25 | N/A | 8.8 HIGH |
| The AnyMind Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.1. This is due to missing nonce protection on the createDOMStructure() function found in the ~/anymind-widget-id.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site’s administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-1912 | 1 Smartsoft | 1 Button Widget Smartsoft | 2022-07-25 | N/A | 8.8 HIGH |
| The Button Widget Smartsoft plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing nonce validation on the smartsoftbutton_settings page. This makes it possible for unauthenticated attackers to update the plugins settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-1672 | 1 Insights From Google Pagespeed Project | 1 Insights From Google Pagespeed | 2022-07-18 | 6.8 MEDIUM | 8.8 HIGH |
| The Insights from Google PageSpeed WordPress plugin before 4.0.7 does not verify for CSRF before doing various actions such as deleting Custom URLs, which could allow attackers to make a logged in admin perform such actions via CSRF attacks | |||||
| CVE-2020-35773 | 1 Freehtmldesigns | 1 Site Offline | 2022-07-17 | 6.8 MEDIUM | 8.8 HIGH |
| The site-offline plugin before 1.4.4 for WordPress lacks certain wp_create_nonce and wp_verify_nonce calls, aka CSRF. | |||||
| CVE-2022-25192 | 1 Jenkins | 1 Snow Commander | 2022-07-13 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Snow Commander Plugin 1.10 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2021-23163 | 1 Jfrog | 1 Artifactory | 2022-07-13 | 6.8 MEDIUM | 8.8 HIGH |
| JFrog Artifactory prior to version 7.33.6 and 6.23.38, is vulnerable to CSRF ( Cross-Site Request Forgery) for specific endpoints. This issue affects: JFrog JFrog Artifactory JFrog Artifactory versions before 7.33.6 versions prior to 7.x; JFrog Artifactory versions before 6.23.38 versions prior to 6.x. | |||||
| CVE-2021-46366 | 1 Magnolia-cms | 1 Magnolia Cms | 2022-07-12 | 6.8 MEDIUM | 8.8 HIGH |
| An issue in the Login page of Magnolia CMS v6.2.3 and below allows attackers to exploit both an Open Redirect vulnerability and Cross-Site Request Forgery (CSRF) in order to brute force and exfiltrate users' credentials. | |||||
| CVE-2022-34792 | 1 Jenkins | 1 Recipe | 2022-07-08 | 6.0 MEDIUM | 8.0 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Recipe Plugin 1.2 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as XML. | |||||
| CVE-2017-20120 | 1 Trueconf | 1 Server | 2022-07-07 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability classified as problematic was found in TrueConf Server 4.3.7. This vulnerability affects unknown code of the file /admin/service/stop/. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-34134 | 1 Jorani Project | 1 Jorani | 2022-07-06 | 6.8 MEDIUM | 8.8 HIGH |
| Benjamin BALET Jorani v1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /application/controllers/Users.php. | |||||
| CVE-2020-18648 | 1 Juqingcms | 1 Juqingcms | 2022-07-06 | 6.8 MEDIUM | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) in JuQingCMS v1.0 allows remote attackers to gain local privileges via the component "JuQingCMS_v1.0/admin/index.php?c=administrator&a=add". | |||||
| CVE-2021-1257 | 5 Apple, Cisco, Linux and 2 more | 5 Macos, Dna Center, Linux Kernel and 2 more | 2022-07-01 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based management interface of Cisco DNA Center Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to manipulate an authenticated user into executing malicious actions without their awareness or consent. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a web-based management user to follow a specially crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the device with the privileges of the authenticated user. These actions include modifying the device configuration, disconnecting the user's session, and executing Command Runner commands. | |||||
| CVE-2022-33121 | 1 1234n | 1 Minicms | 2022-06-30 | 5.8 MEDIUM | 8.1 HIGH |
| A Cross-Site Request Forgery (CSRF) in MiniCMS v1.11 allows attackers to arbitrarily delete local .dat files via clicking on a malicious link. | |||||
| CVE-2020-25252 | 1 Hyland | 1 Onbase | 2022-06-30 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. CSRF can be used to log in a user, and then perform actions, because there are default credentials (the wstinol password for the manager or hsi account). | |||||
| CVE-2017-20090 | 1 Global Content Blocks Project | 1 Global Content Blocks | 2022-06-29 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability was found in Global Content Blocks Plugin 2.1.5. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. | |||||
| CVE-2022-34203 | 1 Jenkins | 1 Easyqa | 2022-06-29 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins EasyQA Plugin 1.0 and earlier allows attackers to connect to an attacker-specified HTTP server. | |||||
| CVE-2022-26173 | 1 Jforum | 1 Jforum | 2022-06-28 | 6.8 MEDIUM | 8.8 HIGH |
| JForum v2.8.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via http://target_host:port/jforum-2.8.0/jforum.page, which allows attackers to arbitrarily add admin accounts. | |||||
| CVE-2017-20062 | 1 Elefantcms | 1 Elefant Cms | 2022-06-27 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability was found in Elefant CMS 1.3.12-RC and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.13 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2017-20048 | 1 Axis | 12 M3005, M3005 Firmware, M3007 and 9 more | 2022-06-24 | 9.3 HIGH | 8.8 HIGH |
| A vulnerability, which was classified as critical, has been found in AXIS P1204, P3225, P3367, M3045, M3005 and M3007. Affected by this issue is some unknown functionality of the component Script Editor. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | |||||