Search
Total
904 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-5382 | 1 Funnelforms | 1 Funnelforms | 2023-11-27 | N/A | 4.3 MEDIUM |
| The Funnelforms Free plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4. This is due to missing or incorrect nonce validation on the fnsf_delete_posts function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-6197 | 1 Myaudiomerchant | 1 Audio Merchant | 2023-11-25 | N/A | 5.4 MEDIUM |
| The Audio Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.4. This is due to missing or incorrect nonce validation on the audio_merchant_save_settings function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-20612 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2023-11-22 | 2.6 LOW | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set. | |||||
| CVE-2022-20613 | 2 Jenkins, Oracle | 2 Mailer, Communications Cloud Native Core Automated Test Suite | 2023-11-22 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname. | |||||
| CVE-2022-36911 | 1 Jenkins | 1 Openstack Heat | 2023-11-22 | N/A | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Openstack Heat Plugin 1.5 and earlier allows attackers to connect to an attacker-specified URL. | |||||
| CVE-2022-36887 | 1 Jenkins | 1 Job Configuration History | 2023-11-22 | N/A | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Job Configuration History Plugin 1155.v28a_46a_cc06a_5 and earlier allows attackers to delete entries from job, agent, and system configuration history, or restore older versions of job, agent, and system configurations. | |||||
| CVE-2022-36886 | 1 Jenkins | 1 External Monitor Job Type | 2023-11-22 | N/A | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins External Monitor Job Type Plugin 191.v363d0d1efdf8 and earlier allows attackers to create runs of an external job. | |||||
| CVE-2022-34815 | 1 Jenkins | 1 Request Rename Or Delete | 2023-11-22 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Request Rename Or Delete Plugin 1.1.0 and earlier allows attackers to accept pending requests, thereby renaming or deleting jobs. | |||||
| CVE-2022-34812 | 1 Jenkins | 1 Xpath Configuration Viewer | 2023-11-22 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers to create and delete XPath expressions. | |||||
| CVE-2022-34817 | 1 Jenkins | 1 Failed Job Deactivator | 2023-11-22 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier allows attackers to disable jobs. | |||||
| CVE-2022-34797 | 1 Jenkins | 1 Deployment Dashboard | 2023-11-22 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers to connect to an attacker-specified HTTP URL using attacker-specified credentials. | |||||
| CVE-2023-4689 | 1 Webtechstreet | 1 Elementor Addon Elements | 2023-11-21 | N/A | 4.3 MEDIUM |
| The Elementor Addon Elements plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.12.7. This is due to missing or incorrect nonce validation on the eae_save_elements function. This makes it possible for unauthenticated attackers to enable/disable elementor addon elements via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-4690 | 1 Webtechstreet | 1 Elementor Addon Elements | 2023-11-21 | N/A | 4.3 MEDIUM |
| The Elementor Addon Elements plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.12.7. This is due to missing or incorrect nonce validation on the eae_save_config function. This makes it possible for unauthenticated attackers to change configuration settings for the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-28143 | 1 Jenkins | 1 Proxmox | 2023-11-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Proxmox Plugin 0.7.0 and earlier allows attackers to connect to an attacker-specified host using attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters. | |||||
| CVE-2022-28138 | 1 Jenkins | 1 Rocketchat Notifier | 2023-11-17 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credential. | |||||
| CVE-2023-5900 | 1 Sfu | 1 Pkp Web Application Library | 2023-11-16 | N/A | 5.4 MEDIUM |
| Cross-Site Request Forgery in GitHub repository pkp/pkp-lib prior to 3.3.0-16. | |||||
| CVE-2023-48063 | 1 Dreamer Cms Project | 1 Dreamer Cms | 2023-11-16 | N/A | 4.3 MEDIUM |
| An issue was discovered in dreamer_cms 4.1.3. There is a CSRF vulnerability that can delete a theme project via /admin/category/delete. | |||||
| CVE-2023-45857 | 1 Axios | 1 Axios | 2023-11-16 | N/A | 6.5 MEDIUM |
| An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information. | |||||
| CVE-2020-7336 | 1 Mcafee | 1 Network Security Management | 2023-11-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross Site Request Forgery vulnerability in McAfee Network Security Management (NSM) prior to 10.1.7.35 and NSM 9.x prior to 9.2.9.55 may allow an attacker to change the configuration of the Network Security Manager via a carefully crafted HTTP request. | |||||
| CVE-2023-45269 | 1 Coleds | 1 Simple Seo | 2023-11-15 | N/A | 5.4 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in David Cole Simple SEO plugin <= 2.0.25 versions. | |||||
| CVE-2023-5818 | 1 Gara | 1 Amazonify | 2023-11-15 | N/A | 4.3 MEDIUM |
| The Amazonify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.8.1. This is due to missing or incorrect nonce validation on the amazonifyOptionsPage() function. This makes it possible for unauthenticated attackers to update the plugins settings, including the Amazon Tracking ID, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-5982 | 1 Updraftplus | 1 Updraftplus | 2023-11-15 | N/A | 5.4 MEDIUM |
| The UpdraftPlus: WordPress Backup & Migration Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.23.10. This is due to a lack of nonce validation and insufficient validation of the instance_id on the 'updraftmethod-googledrive-auth' action used to update Google Drive remote storage location. This makes it possible for unauthenticated attackers to modify the Google Drive location that backups are sent to via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can make it possible for attackers to receive backups for a site which may contain sensitive information. | |||||
| CVE-2023-45884 | 1 Nasa | 1 Openmct | 2023-11-15 | N/A | 6.5 MEDIUM |
| Cross Site Request Forgery (CSRF) vulnerability in NASA Open MCT (aka openmct) through 3.1.0 allows attackers to view sensitive information via the flexibleLayout plugin. | |||||
| CVE-2023-5532 | 1 Imagemapper Project | 1 Imagemapper | 2023-11-14 | N/A | 4.3 MEDIUM |
| The ImageMapper plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.6. This is due to missing or incorrect nonce validation on the 'imgmap_save_area_title' function. This makes it possible for unauthenticated attackers to update the post title and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-5975 | 1 Imagemapper Project | 1 Imagemapper | 2023-11-14 | N/A | 4.3 MEDIUM |
| The ImageMapper plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.6. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-5945 | 1 I13websolution | 1 Video Carousel Slider With Lightbox | 2023-11-13 | N/A | 5.4 MEDIUM |
| The video carousel slider with lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the responsive_video_gallery_with_lightbox_video_management_func() function. This makes it possible for unauthenticated attackers to delete videos hosted from the video slider via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-5902 | 1 Sfu | 1 Pkp Web Application Library | 2023-11-13 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16. | |||||
| CVE-2023-3366 | 1 Multiparcels | 1 Multiparcels Shipping For Woocommerce | 2023-08-24 | N/A | 4.3 MEDIUM |
| The MultiParcels Shipping For WooCommerce WordPress plugin before 1.15.2 does not have CRSF check when deleting a shipment, allowing attackers to make any logged in user, delete arbitrary shipment via a CSRF attack | |||||
| CVE-2023-4301 | 1 Jenkins | 1 Fortify | 2023-08-24 | N/A | 5.4 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2023-4454 | 1 Wallabag | 1 Wallabag | 2023-08-24 | N/A | 5.7 MEDIUM |
| Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.6.3. | |||||
| CVE-2023-4455 | 1 Wallabag | 1 Wallabag | 2023-08-24 | N/A | 6.5 MEDIUM |
| Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.6.3. | |||||
| CVE-2023-27520 | 1 Epson | 240 Esifnw1, Esifnw1 Firmware, Esnsb1 and 237 more | 2023-08-24 | N/A | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in SEIKO EPSON printers/network interface Web Config allows a remote unauthenticated attacker to hijack the authentication and perform unintended operations by having a logged-in user view a malicious page. [Note] Web Config is the software that allows users to check the status and change the settings of SEIKO EPSON printers/network interface via a web browser. According to SEIKO EPSON CORPORATION, it is also called as Remote Manager in some products. Web Config is pre-installed in some printers/network interface provided by SEIKO EPSON CORPORATION. For the details of the affected product names/model numbers, refer to the information provided by the vendor. | |||||
| CVE-2023-31218 | 1 Pluginus | 1 Wolf - Wordpress Posts Bulk Editor And Products Manager Professional | 2023-08-23 | N/A | 6.1 MEDIUM |
| Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional plugin <= 1.0.6 versions. | |||||
| CVE-2023-40351 | 1 Jenkins | 1 Favorite View | 2023-08-22 | N/A | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Favorite View Plugin 5.v77a_37f62782d and earlier allows attackers to add or remove views from another user's favorite views tab bar. | |||||
| CVE-2023-40337 | 1 Jenkins | 1 Folders | 2023-08-22 | N/A | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy a view inside a folder. | |||||
| CVE-2023-0058 | 1 Tiempo | 1 Tiempo | 2023-08-22 | N/A | 6.1 MEDIUM |
| The Tiempo.com WordPress plugin through 0.1.2 does not have CSRF check when creating and editing its shortcode, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | |||||
| CVE-2023-0551 | 1 Minapper | 1 Rest Api To Miniprogram | 2023-08-22 | N/A | 5.4 MEDIUM |
| The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing ay authenticated users, such as subscriber to call and delete arbitrary attachments | |||||
| CVE-2023-2271 | 1 Tiempo | 1 Tiempo | 2023-08-22 | N/A | 4.3 MEDIUM |
| The Tiempo.com WordPress plugin through 0.1.2 does not have CSRF check when deleting its shortcode, which could allow attackers to make logged in admins delete arbitrary shortcode via a CSRF attack | |||||
| CVE-2023-4277 | 1 Pragmaticmates | 1 Realia | 2023-08-15 | N/A | 6.5 MEDIUM |
| The Realia plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.0. This is due to missing nonce validation on the 'process_change_profile_form' function. This makes it possible for unauthenticated attackers to change user email via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-38999 | 1 Opnsense | 1 Opnsense | 2023-08-15 | N/A | 6.5 MEDIUM |
| A Cross-Site Request Forgery (CSRF) in the System Halt API (/system/halt) of OPNsense before 23.7 allows attackers to cause a Denial of Service (DoS) via a crafted GET request. | |||||
| CVE-2023-3492 | 1 Cmscommander | 1 Wp Shopping Pages | 2023-08-09 | N/A | 6.8 MEDIUM |
| The WP Shopping Pages WordPress plugin through 1.14 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | |||||
| CVE-2020-36736 | 1 Cartflows | 1 Cartflows | 2023-08-09 | N/A | 4.3 MEDIUM |
| The WooCommerce Checkout & Funnel Builder by CartFlows plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.15. This is due to missing or incorrect nonce validation on the export_json, import_json, and status_logs_file functions. This makes it possible for unauthenticated attackers to import/export settings and trigger logs showing via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2021-37234 | 1 Modern Honey Network Project | 1 Modern Honey Network | 2023-08-08 | N/A | 6.5 MEDIUM |
| Incorrect Access Control vulnerability in Modern Honey Network commit 0abf0db9cd893c6d5c727d036e1f817c02de4c7b allows remote attackers to view sensitive information via crafted PUT request to Web API. | |||||
| CVE-2022-2783 | 1 Octopus | 1 Octopus Server | 2023-08-08 | N/A | 5.3 MEDIUM |
| In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token | |||||
| CVE-2021-25326 | 1 Skyworthdigital | 2 Rn510, Rn510 Firmware | 2023-08-08 | 3.5 LOW | 5.4 MEDIUM |
| Skyworth Digital Technology RN510 V.3.1.0.4 is affected by an incorrect access control vulnerability in/cgi-bin/test_version.asp. If Wi-Fi is connected but an unauthenticated user visits a URL, the SSID password and web UI password may be disclosed. | |||||
| CVE-2023-32625 | 1 Sakura | 1 Ts Webfonts | 2023-08-07 | N/A | 4.3 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in TS Webfonts for SAKURA 3.1.2 and earlier allows a remote unauthenticated attacker to hijack the authentication of a user and to change settings by having a user view a malicious page. | |||||
| CVE-2020-21881 | 1 Duxcms Project | 1 Duxcms | 2023-08-04 | N/A | 6.5 MEDIUM |
| Cross Site Request Forgery (CSRF) vulnerability in admin.php in DuxCMS 2.1 allows remote attackers to modtify application data via article/admin/content/add. | |||||
| CVE-2022-4888 | 1 Addify | 10 Abandoned Cart Recovery, Advanced Free Gifts, Checkout Fields Manager and 7 more | 2023-08-04 | N/A | 6.5 MEDIUM |
| The Checkout Fields Manager WordPress plugin before 1.0.2, Abandoned Cart Recovery WordPress plugin before 1.2.5, Custom Fields for WooCommerce WordPress plugin before 1.0.4, Custom Order Number WordPress plugin through 1.0.1, Custom Registration Forms Builder WordPress plugin before 1.0.2, Advanced Free Gifts WordPress plugin before 1.0.2, Gift Registry for WooCommerce WordPress plugin through 1.0.1, Image Watermark for WooCommerce WordPress plugin before 1.0.1, Order Approval for WooCommerce WordPress plugin before 1.1.0, Order Tracking for WooCommerce WordPress plugin before 1.0.2, Price Calculator for WooCommerce WordPress plugin through 1.0.3, Product Dynamic Pricing and Discounts WordPress plugin through 1.0.6, Product Labels and Stickers WordPress plugin through 1.0.1 have flawed CSRF checks in various places, which could allow attackers to make logged in users perform unwanted actions | |||||
| CVE-2023-3507 | 1 Woocommerce | 1 Woocommerce Pre-orders | 2023-08-03 | N/A | 6.5 MEDIUM |
| The WooCommerce Pre-Orders WordPress plugin before 2.0.3 has a flawed CSRF check when canceling pre-orders, which could allow attackers to make logged in admins cancel arbitrary pre-orders via a CSRF attack | |||||
| CVE-2023-3508 | 1 Woocommerce | 1 Woocommerce Pre-orders | 2023-08-03 | N/A | 6.5 MEDIUM |
| The WooCommerce Pre-Orders WordPress plugin before 2.0.3 has a flawed CSRF check when processing its tab actions, which could allow attackers to make logged in admins email pre-orders customer, change the released date, mark all pre-orders of a specific product as complete or cancel via CSRF attacks | |||||