Total: 7225 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2020-26522 | 1 Garfield Petshop Project | 1 Garfield Petshop | 2024-02-14 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery (CSRF) vulnerability in mod/user/act_user.php in Garfield Petshop through 2020-10-01 allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts. |
CVE-2019-9958 | 1 Quadbase | 1 Espressreport Enterprise Server | 2024-02-14 | 6.8 MEDIUM | 8.8 HIGH | CSRF within the admin panel in Quadbase EspressReport ES (ERES) v7.0 update 7 allows remote attackers to escalate privileges, or create new admin accounts by crafting a malicious web page that issues specific requests, using a target admin's session to process their requests. |
CVE-2020-36140 | 1 Bloofox | 1 Bloofoxcms | 2024-02-14 | 4.3 MEDIUM | 6.5 MEDIUM | BloofoxCMS 0.5.2.1 allows Cross-Site Request Forgery (CSRF) via 'mode=settings&page=editor', as demonstrated by use of 'mode=settings&page=editor' to change any file content (Locally/Remotely). |
CVE-2007-1520 | 1 Phpnuke | 1 Php-nuke | 2024-02-14 | 6.8 MEDIUM | N/A | The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 and earlier does not ensure the SERVER superglobal is an array before validating the HTTP_REFERER, which allows remote attackers to conduct CSRF attacks. |
CVE-2008-3421 | 1 Blackboard | 1 Blackboard Academic Suite | 2024-02-14 | 4.3 MEDIUM | N/A | Multiple cross-site request forgery (CSRF) vulnerabilities in Blackboard Academic Suite 8.0.260.7 allow remote attackers to hijack the authentication of student users for requests that change configuration and enrollments via unspecified input to (1) update_module.jsp, (2) enroll_course.pl, and (3) unenroll.jsp. |
CVE-2018-10267 | 1 Wtcms Project | 1 Wtcms | 2024-02-14 | 6.8 MEDIUM | 8.8 HIGH | WTCMS 1.0 has a CSRF vulnerability to add an administrator account via the index.php?admin&m=user&a=add_post URI. |
CVE-2018-15569 | 1 Mylittleforum | 1 My Little Forum | 2024-02-14 | 4.3 MEDIUM | 6.5 MEDIUM | my little forum 2.4.12 allows CSRF for deletion of users. |
CVE-2008-5583 | 1 Projectpier | 1 Projectpier | 2024-02-14 | 6.8 MEDIUM | N/A | Cross-site request forgery (CSRF) vulnerability in index.php in ProjectPier 0.8 and earlier allows remote attackers to perform actions as an administrator via the query string, as demonstrated by a delete project action. |
CVE-2020-22761 | 1 Flatpress | 1 Flatpress | 2024-02-14 | 6.8 MEDIUM | 8.8 HIGH | Cross Site Request Forgery (CSRF) vulnerability in FlatPress 1.1 via the DeleteFile function in flat/admin.php. |
CVE-2018-16431 | 1 Yfcmf | 1 Yfcmf | 2024-02-14 | 6.8 MEDIUM | 8.8 HIGH | admin/admin/adminsave.html in YFCMF v3.0 allows CSRF to add an administrator account. |
CVE-2008-5400 | 1 Mvnforum | 1 Mvnforum | 2024-02-14 | 6.8 MEDIUM | N/A | Multiple cross-site request forgery (CSRF) vulnerabilities in mvnForum before 1.2.1 GA allow remote attackers to (1) create forums, (2) change account privileges, (3) enable accounts, or (4) disable accounts as a product administrator via unspecified vectors, possibly related to HTTP Referer headers. |
CVE-2020-15046 | 1 Supermicro | 3 X10drh-it, X10drh-it Bios, X10drh-it Firmware | 2024-02-14 | 9.3 HIGH | 8.8 HIGH | The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40 allows remote attackers to exploit a cgi/config_user.cgi CSRF issue to add new admin users. The fixed versions are BIOS 3.2 and firmware 03.88. |
CVE-2023-38579 | 1 Westermo | 2 L206-f2g, L206-f2g Firmware | 2024-02-13 | N/A | 8.8 HIGH | The cross-site request forgery token in the request may be predictable or easily guessable allowing attackers to craft a malicious request, which could be triggered by a victim unknowingly. In a successful CSRF attack, the attacker could lead the victim user to carry out an action unintentionally. |
CVE-2024-0859 | 1 Wpaffiliatemanager | 1 Affiliates Manager | 2024-02-13 | N/A | 4.3 MEDIUM | The Affiliates Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.9.34. This is due to missing or incorrect nonce validation on the process_bulk_action function in ListAffiliatesTable.php. This makes it possible for unauthenticated attackers to delete affiliates via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
CVE-2024-0790 | 1 Pluginus | 1 Wolf - Wordpress Posts Bulk Editor And Products Manager Professional | 2024-02-13 | N/A | 4.3 MEDIUM | The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8.1. This is due to missing or incorrect nonce validation on the wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_term functions. This makes it possible for unauthenticated attackers to create, modify and delete taxonomy terms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Furthermore, the functions wpbe_save_options, wpbe_bulk_delete_posts_count, wpbe_bulk_delete_posts, and wpbe_save_meta are vulnerable to Cross-Site Request Forgery allowing for plugin options update, post count deletion, post deletion and modification of post metadata via forged request. |
CVE-2024-0796 | 1 Pluginus | 1 Woot | 2024-02-13 | N/A | 4.3 MEDIUM | The Active Products Tables for WooCommerce. Professional products tables for WooCommerce store plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6.1. This is due to missing or incorrect nonce validation on several functions corresponding to AJAX actions. This makes it possible for unauthenticated attackers to invoke those functions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
CVE-2024-0428 | 1 Kobzarev | 1 Index Now | 2024-02-13 | N/A | 8.8 HIGH | The Index Now plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.3. This is due to missing or incorrect nonce validation on the 'reset_form' function. This makes it possible for unauthenticated attackers to delete arbitrary site options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
CVE-2024-0660 | 1 Strategy11 | 1 Formidable Forms | 2024-02-13 | N/A | 4.3 MEDIUM | The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.7.2. This is due to missing or incorrect nonce validation on the update_settings function. This makes it possible for unauthenticated attackers to change form settings and add malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
CVE-2024-22290 | 1 Custom Dashboard Widgets Project | 1 Custom Dashboard Widgets | 2024-02-13 | N/A | 8.8 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in AboZain,O7abeeb,UnitOne Custom Dashboard Widgets allows Cross-Site Scripting (XSS). This issue affects Custom Dashboard Widgets: from n/a through 1.3.1. |
CVE-2021-32677 | 2 Fedoraproject, Tiangolo | 2 Fedora, Fastapi | 2024-02-12 | 5.8 MEDIUM | 8.1 HIGH | FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack. In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json). A request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted. Requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. The browser will execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application. This is fixed in FastAPI 0.65.2. The request data is now parsed as JSON only if the content-type header is application/json or another JSON compatible media type like application/geo+json. It's best to upgrade to the latest FastAPI, but if updating is not possible then a middleware or a dependency that checks the content-type header and aborts the request if it is not application/json or another JSON compatible content type can act as a mitigating workaround. |