Search
Total
3999 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-47182 | 1 Nazmulhossainnihal | 1 Login Screen Manager | 2023-11-14 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) leading to a Stored Cross-Site Scripting (XSS) vulnerability in Nazmul Hossain Nihal Login Screen Manager plugin <= 3.5.2 versions. | |||||
| CVE-2021-43137 | 1 Phpgurukul | 1 Hostel Management System | 2023-11-14 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exits in hostel management system 2.1 via the name field in my-profile.php. Chaining to this both vulnerabilities leads to account takeover. | |||||
| CVE-2023-46781 | 1 Rolandmurg | 1 Current Menu Item For Custom Post Types | 2023-11-14 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Roland Murg Current Menu Item for Custom Post Types plugin <= 1.5 versions. | |||||
| CVE-2023-47186 | 1 Kadencewp | 1 Kadence Woocommerce Email Designer | 2023-11-14 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Kadence WP Kadence WooCommerce Email Designer plugin <= 1.5.11 versions. | |||||
| CVE-2023-46776 | 1 Josie | 1 Auto Excerpt Everywhere | 2023-11-14 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Serena Villa Auto Excerpt everywhere plugin <= 1.5 versions. | |||||
| CVE-2023-46779 | 1 Easyrecipe Project | 1 Easyrecipe | 2023-11-14 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in EasyRecipe plugin <= 3.5.3251 versions. | |||||
| CVE-2023-46780 | 1 Altersoftware | 1 Alter | 2023-11-14 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Alter plugin <= 1.0 versions. | |||||
| CVE-2023-46778 | 1 Thefreewindows | 1 Auto Limit Posts Reloaded | 2023-11-14 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in TheFreeWindows Auto Limit Posts Reloaded plugin <= 2.5 versions. | |||||
| CVE-2023-5823 | 1 Themekraft | 1 Tk Google Fonts Gdpr Compliant | 2023-11-14 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in ThemeKraft TK Google Fonts GDPR Compliant plugin <= 2.2.11 versions. | |||||
| CVE-2023-5945 | 1 I13websolution | 1 Video Carousel Slider With Lightbox | 2023-11-13 | N/A | 5.4 MEDIUM |
| The video carousel slider with lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the responsive_video_gallery_with_lightbox_video_management_func() function. This makes it possible for unauthenticated attackers to delete videos hosted from the video slider via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-5902 | 1 Sfu | 1 Pkp Web Application Library | 2023-11-13 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16. | |||||
| CVE-2022-29450 | 1 Admin Management Xtended Project | 1 Admin Management Xtended | 2023-11-09 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Admin Management Xtended plugin <= 2.4.4 at WordPress. | |||||
| CVE-2023-42027 | 4 Hp, Ibm, Linux and 1 more | 6 Hp-ux, Aix, Cics Tx and 3 more | 2023-11-09 | N/A | 8.8 HIGH |
| IBM CICS TX Standard 11.1, Advanced 10.1, 11.1, and TXSeries for Multiplatforms 8.1, 8.2, 9.1 are vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 266057. | |||||
| CVE-2019-9062 | 1 Phpscriptsmall | 1 Online Food Ordering Script | 2023-11-09 | 6.0 MEDIUM | 8.0 HIGH |
| PHP Scripts Mall Online Food Ordering Script 1.0 has Cross-Site Request Forgery (CSRF) in my-account.php. | |||||
| CVE-2023-23473 | 1 Ibm | 1 Infosphere Information Server | 2023-08-29 | N/A | 8.8 HIGH |
| IBM InfoSphere Information Server 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 245400. | |||||
| CVE-2023-3366 | 1 Multiparcels | 1 Multiparcels Shipping For Woocommerce | 2023-08-24 | N/A | 4.3 MEDIUM |
| The MultiParcels Shipping For WooCommerce WordPress plugin before 1.15.2 does not have CRSF check when deleting a shipment, allowing attackers to make any logged in user, delete arbitrary shipment via a CSRF attack | |||||
| CVE-2023-4301 | 1 Jenkins | 1 Fortify | 2023-08-24 | N/A | 5.4 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2023-4454 | 1 Wallabag | 1 Wallabag | 2023-08-24 | N/A | 5.7 MEDIUM |
| Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.6.3. | |||||
| CVE-2023-4455 | 1 Wallabag | 1 Wallabag | 2023-08-24 | N/A | 6.5 MEDIUM |
| Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.6.3. | |||||
| CVE-2023-39061 | 1 Chamilo | 1 Chamilo | 2023-08-24 | N/A | 3.5 LOW |
| Cross Site Request Forgery (CSRF) vulnerability in Chamilo v.1.11 thru v.1.11.20 allows a remote authenticated privileged attacker to execute arbitrary code. | |||||
| CVE-2023-27520 | 1 Epson | 240 Esifnw1, Esifnw1 Firmware, Esnsb1 and 237 more | 2023-08-24 | N/A | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in SEIKO EPSON printers/network interface Web Config allows a remote unauthenticated attacker to hijack the authentication and perform unintended operations by having a logged-in user view a malicious page. [Note] Web Config is the software that allows users to check the status and change the settings of SEIKO EPSON printers/network interface via a web browser. According to SEIKO EPSON CORPORATION, it is also called as Remote Manager in some products. Web Config is pre-installed in some printers/network interface provided by SEIKO EPSON CORPORATION. For the details of the affected product names/model numbers, refer to the information provided by the vendor. | |||||
| CVE-2023-40572 | 2023-08-24 | N/A | N/A | ||
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The create action is vulnerable to a CSRF attack, allowing script and thus remote code execution when targeting a user with script/programming right, thus compromising the confidentiality, integrity and availability of the whole XWiki installation. When a user with script right views this image and a log message `ERROR foo - Script executed!` appears in the log, the XWiki installation is vulnerable. This has been patched in XWiki 14.10.9 and 15.4RC1 by requiring a CSRF token for the actual page creation. | |||||
| CVE-2023-40172 | 1 Fobybus | 1 Social-media-skeleton | 2023-08-23 | N/A | 8.8 HIGH |
| Social media skeleton is an uncompleted/framework social media project implemented using a php, css ,javascript and html. A Cross-site request forgery (CSRF) attack is a type of malicious attack whereby an attacker tricks a victim into performing an action on a website that they do not intend to do. This can be done by sending the victim a malicious link or by exploiting a vulnerability in the website. Prior to version 1.0.5 Social media skeleton did not properly restrict CSRF attacks. This has been addressed in version 1.0.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-31218 | 1 Pluginus | 1 Wolf - Wordpress Posts Bulk Editor And Products Manager Professional | 2023-08-23 | N/A | 6.1 MEDIUM |
| Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional plugin <= 1.0.6 versions. | |||||
| CVE-2023-40351 | 1 Jenkins | 1 Favorite View | 2023-08-22 | N/A | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Favorite View Plugin 5.v77a_37f62782d and earlier allows attackers to add or remove views from another user's favorite views tab bar. | |||||
| CVE-2023-31452 | 1 Paessler | 1 Prtg Network Monitor | 2023-08-22 | N/A | 8.8 HIGH |
| A cross-site request forgery (CSRF) token bypass was identified in PRTG 23.2.84.1566 and earlier versions that allows remote attackers to perform actions with the permissions of a victim user, provided the victim user has an active session and is induced to trigger the malicious request. This could force PRTG to execute different actions, such as creating new users. The severity of this vulnerability is high and received a score of 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | |||||
| CVE-2023-40337 | 1 Jenkins | 1 Folders | 2023-08-22 | N/A | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy a view inside a folder. | |||||
| CVE-2023-40336 | 1 Jenkins | 1 Folders | 2023-08-22 | N/A | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy folders. | |||||
| CVE-2023-0058 | 1 Tiempo | 1 Tiempo | 2023-08-22 | N/A | 6.1 MEDIUM |
| The Tiempo.com WordPress plugin through 0.1.2 does not have CSRF check when creating and editing its shortcode, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | |||||
| CVE-2023-0551 | 1 Minapper | 1 Rest Api To Miniprogram | 2023-08-22 | N/A | 5.4 MEDIUM |
| The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing ay authenticated users, such as subscriber to call and delete arbitrary attachments | |||||
| CVE-2023-2271 | 1 Tiempo | 1 Tiempo | 2023-08-22 | N/A | 4.3 MEDIUM |
| The Tiempo.com WordPress plugin through 0.1.2 does not have CSRF check when deleting its shortcode, which could allow attackers to make logged in admins delete arbitrary shortcode via a CSRF attack | |||||
| CVE-2023-40341 | 1 Jenkins | 1 Blue Ocean | 2023-08-18 | N/A | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job. | |||||
| CVE-2020-24922 | 1 Xuxueli | 1 Xxl-job | 2023-08-17 | N/A | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) vulnerability in xxl-job-admin/user/add in xuxueli xxl-job version 2.2.0, allows remote attackers to execute arbitrary code and esclate privileges via crafted .html file. | |||||
| CVE-2020-23595 | 1 Yzmcms | 1 Yzmcms | 2023-08-17 | N/A | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) vulnerability in yzmcms version 5.6, allows remote attackers to escalate privileges and gain sensitive information sitemodel/add.html endpoint. | |||||
| CVE-2023-2330 | 1 Gsheetconnector | 1 Caldera Forms Google Sheets Connector | 2023-08-16 | N/A | 8.8 HIGH |
| The Caldera Forms Google Sheets Connector WordPress plugin before 1.3 does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a CSRF attack | |||||
| CVE-2023-4277 | 1 Pragmaticmates | 1 Realia | 2023-08-15 | N/A | 6.5 MEDIUM |
| The Realia plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.0. This is due to missing nonce validation on the 'process_change_profile_form' function. This makes it possible for unauthenticated attackers to change user email via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-4276 | 1 Johnkolbert | 1 Absolute Privacy | 2023-08-15 | N/A | 8.8 HIGH |
| The Absolute Privacy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1. This is due to missing nonce validation on the 'abpr_profileShortcode' function. This makes it possible for unauthenticated attackers to change user email and password via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2019-1713 | 1 Cisco | 13 Adaptive Security Appliance Software, Asa 5505, Asa 5510 and 10 more | 2023-08-15 | 9.3 HIGH | 8.8 HIGH |
| A vulnerability in the web-based management interface of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the user has administrative privileges, the attacker could alter the configuration of, extract information from, or reload an affected device. | |||||
| CVE-2023-38999 | 1 Opnsense | 1 Opnsense | 2023-08-15 | N/A | 6.5 MEDIUM |
| A Cross-Site Request Forgery (CSRF) in the System Halt API (/system/halt) of OPNsense before 23.7 allows attackers to cause a Denial of Service (DoS) via a crafted GET request. | |||||
| CVE-2023-38348 | 1 Lw-systems | 1 Benno Mailarchiv | 2023-08-11 | N/A | 8.8 HIGH |
| A CSRF issue was discovered in LWsystems Benno MailArchiv 2.10.1. | |||||
| CVE-2023-38759 | 1 Wger | 1 Workout Manager | 2023-08-11 | N/A | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) vulnerability in wger Project wger Workout Manager 2.2.0a3 allows a remote attacker to gain privileges via the user-management feature in the gym/views/gym.py, templates/gym/reset_user_password.html, templates/user/overview.html, core/views/user.py, and templates/user/preferences.html, core/forms.py components. | |||||
| CVE-2023-3492 | 1 Cmscommander | 1 Wp Shopping Pages | 2023-08-09 | N/A | 6.8 MEDIUM |
| The WP Shopping Pages WordPress plugin through 1.14 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | |||||
| CVE-2020-36736 | 1 Cartflows | 1 Cartflows | 2023-08-09 | N/A | 4.3 MEDIUM |
| The WooCommerce Checkout & Funnel Builder by CartFlows plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.15. This is due to missing or incorrect nonce validation on the export_json, import_json, and status_logs_file functions. This makes it possible for unauthenticated attackers to import/export settings and trigger logs showing via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2021-27885 | 1 E107 | 1 E107 | 2023-08-08 | 6.8 MEDIUM | 8.8 HIGH |
| usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism. | |||||
| CVE-2021-37234 | 1 Modern Honey Network Project | 1 Modern Honey Network | 2023-08-08 | N/A | 6.5 MEDIUM |
| Incorrect Access Control vulnerability in Modern Honey Network commit 0abf0db9cd893c6d5c727d036e1f817c02de4c7b allows remote attackers to view sensitive information via crafted PUT request to Web API. | |||||
| CVE-2022-2783 | 1 Octopus | 1 Octopus Server | 2023-08-08 | N/A | 5.3 MEDIUM |
| In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token | |||||
| CVE-2021-25326 | 1 Skyworthdigital | 2 Rn510, Rn510 Firmware | 2023-08-08 | 3.5 LOW | 5.4 MEDIUM |
| Skyworth Digital Technology RN510 V.3.1.0.4 is affected by an incorrect access control vulnerability in/cgi-bin/test_version.asp. If Wi-Fi is connected but an unauthenticated user visits a URL, the SSID password and web UI password may be disclosed. | |||||
| CVE-2023-2329 | 1 Gsheetconnector | 1 Woocommerce Google Sheet Connector | 2023-08-08 | N/A | 8.8 HIGH |
| The WooCommerce Google Sheet Connector WordPress plugin before 1.3.6 does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a CSRF attack | |||||
| CVE-2023-32625 | 1 Sakura | 1 Ts Webfonts | 2023-08-07 | N/A | 4.3 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in TS Webfonts for SAKURA 3.1.2 and earlier allows a remote unauthenticated attacker to hijack the authentication of a user and to change settings by having a user view a malicious page. | |||||
| CVE-2020-21881 | 1 Duxcms Project | 1 Duxcms | 2023-08-04 | N/A | 6.5 MEDIUM |
| Cross Site Request Forgery (CSRF) vulnerability in admin.php in DuxCMS 2.1 allows remote attackers to modtify application data via article/admin/content/add. | |||||