Vulnerabilities (CVE)

Filtered by CWE-352
Total 5841 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-49148 1 Affiliatebooster 1 Affiliate Booster 2024-02-15 N/A 8.8 HIGH
Cross-Site Request Forgery (CSRF) vulnerability in Kulwant Nagi Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates.This issue affects Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates: from n/a through 3.0.5.
CVE-2023-47020 1 Ncratleos 1 Terminal Handler 2024-02-15 N/A 8.8 HIGH
Multiple Cross-Site Request Forgery (CSRF) chaining in NCR Terminal Handler v.1.5.1 allows privileges to be escalated by an attacker through a crafted request involving user account creation and adding the user to an administrator group. This is exploited by an undisclosed function in the WSDL that lacks security controls and can accept custom content types.
CVE-2024-24706 1 Forumone 1 Wp-cfm 2024-02-15 N/A 4.3 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in Forum One WP-CFM wp-cfm.This issue affects WP-CFM: from n/a through 1.7.8.
CVE-2024-0511 1 Royal-elementor-addons 1 Royal Elementor Addons 2024-02-15 N/A 4.3 MEDIUM
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on the wpr_update_form_action_meta function. This makes it possible for unauthenticated attackers to post metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2015-9284 1 Omniauth 1 Omniauth 2024-02-14 6.8 MEDIUM 8.8 HIGH
The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
CVE-2020-26522 1 Garfield Petshop Project 1 Garfield Petshop 2024-02-14 6.8 MEDIUM 8.8 HIGH
A cross-site request forgery (CSRF) vulnerability in mod/user/act_user.php in Garfield Petshop through 2020-10-01 allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts.
CVE-2008-3421 1 Blackboard 1 Blackboard Academic Suite 2024-02-14 4.3 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in Blackboard Academic Suite 8.0.260.7 allow remote attackers to hijack the authentication of student users for requests that change configuration and enrollments via unspecified input to (1) update_module.jsp, (2) enroll_course.pl, and (3) unenroll.jsp.
CVE-2019-9958 1 Quadbase 1 Espressreport Enterprise Server 2024-02-14 6.8 MEDIUM 8.8 HIGH
CSRF within the admin panel in Quadbase EspressReport ES (ERES) v7.0 update 7 allows remote attackers to escalate privileges, or create new admin accounts by crafting a malicious web page that issues specific requests, using a target admin's session to process their requests.
CVE-2018-16431 1 Yfcmf 1 Yfcmf 2024-02-14 6.8 MEDIUM 8.8 HIGH
admin/admin/adminsave.html in YFCMF v3.0 allows CSRF to add an administrator account.
CVE-2008-5583 1 Projectpier 1 Projectpier 2024-02-14 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in index.php in ProjectPier 0.8 and earlier allows remote attackers to perform actions as an administrator via the query string, as demonstrated by a delete project action.
CVE-2018-15569 1 Mylittleforum 1 My Little Forum 2024-02-14 4.3 MEDIUM 6.5 MEDIUM
my little forum 2.4.12 allows CSRF for deletion of users.
CVE-2020-36140 1 Bloofox 1 Bloofoxcms 2024-02-14 4.3 MEDIUM 6.5 MEDIUM
BloofoxCMS 0.5.2.1 allows Cross-Site Request Forgery (CSRF) via 'mode=settings&page=editor', as demonstrated by use of 'mode=settings&page=editor' to change any file content (Locally/Remotely).
CVE-2008-5400 1 Mvnforum 1 Mvnforum 2024-02-14 6.8 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in mvnForum before 1.2.1 GA allow remote attackers to (1) create forums, (2) change account privileges, (3) enable accounts, or (4) disable accounts as a product administrator via unspecified vectors, possibly related to HTTP Referer headers.
CVE-2018-10267 1 Wtcms Project 1 Wtcms 2024-02-14 6.8 MEDIUM 8.8 HIGH
WTCMS 1.0 has a CSRF vulnerability to add an administrator account via the index.php?admin&m=user&a=add_post URI.
CVE-2020-22761 1 Flatpress 1 Flatpress 2024-02-14 6.8 MEDIUM 8.8 HIGH
Cross Site Request Forgery (CSRF) vulnerability in FlatPress 1.1 via the DeleteFile function in flat/admin.php.
CVE-2020-15046 1 Supermicro 3 X10drh-it, X10drh-it Bios, X10drh-it Firmware 2024-02-14 9.3 HIGH 8.8 HIGH
The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40 allows remote attackers to exploit a cgi/config_user.cgi CSRF issue to add new admin users. The fixed versions are BIOS 3.2 and firmware 03.88.
CVE-2007-1520 1 Phpnuke 1 Php-nuke 2024-02-14 6.8 MEDIUM N/A
The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 and earlier does not ensure the SERVER superglobal is an array before validating the HTTP_REFERER, which allows remote attackers to conduct CSRF attacks.
CVE-2023-38579 1 Westermo 2 L206-f2g, L206-f2g Firmware 2024-02-13 N/A 8.8 HIGH
The cross-site request forgery token in the request may be predictable or easily guessable allowing attackers to craft a malicious request, which could be triggered by a victim unknowingly. In a successful CSRF attack, the attacker could lead the victim user to carry out an action unintentionally.
CVE-2024-0859 1 Wpaffiliatemanager 1 Affiliates Manager 2024-02-13 N/A 4.3 MEDIUM
The Affiliates Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.9.34. This is due to missing or incorrect nonce validation on the process_bulk_action function in ListAffiliatesTable.php. This makes it possible for unauthenticated attackers to delete affiliates via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-0790 1 Pluginus 1 Wolf - Wordpress Posts Bulk Editor And Products Manager Professional 2024-02-13 N/A 4.3 MEDIUM
The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8.1. This is due to missing or incorrect nonce validation on the wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_term functions. This makes it possible for unauthenticated attackers to create, modify and delete taxonomy terms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Furthermore, the functions wpbe_save_options, wpbe_bulk_delete_posts_count, wpbe_bulk_delete_posts, and wpbe_save_meta are vulnerable to Cross-Site Request Forgery allowing for plugin options update, post count deletion, post deletion and modification of post metadata via forged request.