Total: 7225 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2018-17103 | 1 Get-simple | 1 Getsimple Cms | 2024-08-05 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in GetSimple CMS v3.3.13. There is a CSRF vulnerability that can change the administrator's password via admin/settings.php. NOTE: The vendor reported that the PoC was sending a value for the nonce parameter
CVE-2018-8811 | 1 Alkacon | 1 Opencms | 2024-08-05 | 6.8 MEDIUM | 8.8 HIGH | Cross-site request forgery (CSRF) vulnerability in system/workplace/admin/accounts/user_role.jsp in OpenCMS 10.5.3 allows remote attackers to hijack the authentication of administrative users for requests that perform privilege escalation. Note: It is argued that OpenCMS allows only registered users to upload different kinds of content artifacts (SVG, .doc, .docx). The uploaded content is stored in the CMS content repository "as is". In case of scripts inside an SVG, this may or may not be "malicious"; there is no way of knowing if the uploaded SVG contains the script for a reason. To exploit the "issue", a user must have an account in the CMS as a content manager
CVE-2019-17590 | 1 Csrf Magic Project | 1 Csrf Magic | 2024-08-05 | 6.8 MEDIUM | 8.8 HIGH | The csrf_callback function in the CSRF Magic library through 2016-03-27 is vulnerable to CSRF protection bypass as it allows one to tamper with the csrf token values. A remote attacker can exploit this by crafting a malicious page and dispersing it to a victim via social engineering, enticing them to click the link. Once the user/victim clicks the "try again" button, the attacker can take over the account and perform unintended actions on the victim's behalf. NOTE: A third-party maintainer has stated that this CVE is a false report. They state that the csrf_callback function is actually a callback function to the caller's own handler for output. The function called can be changed via configuration to a custom callback to handle failed validation differently. They also stated that there is no way for an attacker to change tokens to make them valid from the client side. The only thing an attacker can do is to pull the token out of the javascript, but that will always be possible and has nothing to do with the callback
CVE-2019-12273 | 1 Outsystems | 1 Outsystems | 2024-08-05 | 4.3 MEDIUM | 6.5 MEDIUM | OutSystems Platform 10 through 11 allows ImageResourceDetail.aspx CSRF for content modifications and file uploads. NOTE: The product is self-hosted by the customer, even though it has a *.outsystemsenterprise.com domain name. NOTE: The vendor claims that the independent researcher created the report without any type of validation and that no such vulnerability exists
CVE-2020-36625 | 1 Destiny | 1 Chat | 2024-08-04 | N/A | 8.8 HIGH | A vulnerability was found in destiny.gg chat. It has been rated as problematic. This issue affects the function websocket.Upgrader of the file main.go. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The name of the patch is bebd256fc3063111fb4503ca25e005ebf6e73780. It is recommended to apply a patch to fix this issue. The identifier VDB-216521 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2020-35722 | 1 Quest | 1 Policy Authority For Unified Communications | 2024-08-04 | 4.3 MEDIUM | 6.5 MEDIUM | CSRF in Web Compliance Manager in Quest Policy Authority 8.1.2.200 allows remote attackers to force user modification/creation via a specially crafted link to the submitUser.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
CVE-2021-45007 | 1 Plesk | 1 Plesk | 2024-08-04 | 4.3 MEDIUM | 6.5 MEDIUM | Plesk 18.0.37 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows an attacker to insert data on the user and admin panel. NOTE: the vendor states that this is only a site-specific problem on websites of one or more Plesk users
CVE-2021-45268 | 1 Backdropcms | 1 Backdrop | 2024-08-04 | 6.8 MEDIUM | 8.8 HIGH | A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a malicious add-on with a crafted PHP file. NOTE: the vendor disputes this because the attack requires a session cookie of a high-privileged authenticated user who is entitled to install arbitrary add-ons
CVE-2022-47559 | 1 Ormazabal | 4 Ekorccp, Ekorccp Firmware, Ekorrci and 1 more | 2024-08-03 | N/A | 8.8 HIGH | Lack of device control over web requests in ekorCCP and ekorRCI, allowing an attacker to create customised requests to execute malicious actions when a user is logged in, affecting availability, privacy and integrity.
CVE-2024-6023 | 1 Adamsolymosi | 1 Contentlock | 2024-08-02 | N/A | 8.8 HIGH | The ContentLock WordPress plugin through 1.0.3 does not have a CSRF check in place when adding emails, which could allow attackers to make a logged in admin perform such action via a CSRF attack
CVE-2024-6022 | 1 Adamsolymosi | 1 Contentlock | 2024-08-02 | N/A | 8.8 HIGH | The ContentLock WordPress plugin through 1.0.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2023-39446 | 1 Socomec | 2 Modulys Gp, Modulys Gp Firmware | 2024-08-02 | N/A | 8.8 HIGH | Thanks to the weaknesses that the web application has at the user management level, an attacker could obtain the information from the headers that is necessary to create specially designed URLs and originate malicious actions when a legitimate user is logged into the web application.
CVE-2024-38776 | | | 2024-08-02 | N/A | N/A | Cross-Site Request Forgery (CSRF) vulnerability in Martin Gibson WP GoToWebinar allows Cross-Site Scripting (XSS). This issue affects WP GoToWebinar: from n/a through 15.7.
CVE-2023-4837 | 1 Smod | 1 Smodbip | 2024-08-02 | N/A | 8.8 HIGH | SmodBIP is vulnerable to Cross-Site Request Forgery, which could be used to induce logged in users to perform unintended actions, including creation of additional accounts with administrative privileges. This issue affects all versions of SmodBIP. SmodBIP is no longer maintained and the vulnerability will not be fixed.
CVE-2024-6075 | 1 Tipsandtricks-hq | 1 Wp Estore | 2024-08-01 | N/A | 8.8 HIGH | The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
CVE-2024-6271 | 1 Community Events Project | 1 Community Events | 2024-08-01 | N/A | 5.4 MEDIUM | The Community Events WordPress plugin before 1.5 does not have a CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete arbitrary events via a CSRF attack
CVE-2024-40332 | 1 Idccms | 1 Idccms | 2024-08-01 | N/A | 8.8 HIGH | idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/moneyRecord_deal.php?mudi=delRecord
CVE-2024-40034 | 1 Idccms Project | 1 Idccms | 2024-08-01 | N/A | 8.8 HIGH | idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/userLevel_deal.php?mudi=del
CVE-2024-3972 | 1 Davidjmiller | 1 Similarity | 2024-08-01 | N/A | 4.3 MEDIUM | The Similarity WordPress plugin through 3.0 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged in admin add Stored XSS payloads via a CSRF attack
CVE-2024-40037 | 1 Idccms Project | 1 Idccms | 2024-08-01 | N/A | 8.8 HIGH | idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/userScore_deal.php?mudi=del