Total: 5841 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-49148 | 1 Affiliatebooster | 1 Affiliate Booster | 2024-02-15 | N/A | 8.8 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in Kulwant Nagi Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates. This issue affects Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates: from n/a through 3.0.5.
CVE-2023-47020 | 1 Ncratleos | 1 Terminal Handler | 2024-02-15 | N/A | 8.8 HIGH | Multiple Cross-Site Request Forgery (CSRF) chaining in NCR Terminal Handler v.1.5.1 allows privileges to be escalated by an attacker through a crafted request involving user account creation and adding the user to an administrator group. This is exploited by an undisclosed function in the WSDL that lacks security controls and can accept custom content types.
CVE-2024-24706 | 1 Forumone | 1 Wp-cfm | 2024-02-15 | N/A | 4.3 MEDIUM | Cross-Site Request Forgery (CSRF) vulnerability in Forum One WP-CFM wp-cfm. This issue affects WP-CFM: from n/a through 1.7.8.
CVE-2024-0511 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2024-02-15 | N/A | 4.3 MEDIUM | The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on the wpr_update_form_action_meta function. This makes it possible for unauthenticated attackers to post metadata via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2015-9284 | 1 Omniauth | 1 Omniauth | 2024-02-14 | 6.8 MEDIUM | 8.8 HIGH | The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
CVE-2020-26522 | 1 Garfield Petshop Project | 1 Garfield Petshop | 2024-02-14 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery (CSRF) vulnerability in mod/user/act_user.php in Garfield Petshop through 2020-10-01 allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts.
CVE-2008-3421 | 1 Blackboard | 1 Blackboard Academic Suite | 2024-02-14 | 4.3 MEDIUM | N/A | Multiple cross-site request forgery (CSRF) vulnerabilities in Blackboard Academic Suite 8.0.260.7 allow remote attackers to hijack the authentication of student users for requests that change configuration and enrollments via unspecified input to (1) update_module.jsp, (2) enroll_course.pl, and (3) unenroll.jsp.
CVE-2019-9958 | 1 Quadbase | 1 Espressreport Enterprise Server | 2024-02-14 | 6.8 MEDIUM | 8.8 HIGH | CSRF within the admin panel in Quadbase EspressReport ES (ERES) v7.0 update 7 allows remote attackers to escalate privileges, or create new admin accounts by crafting a malicious web page that issues specific requests, using a target admin's session to process their requests.
CVE-2018-16431 | 1 Yfcmf | 1 Yfcmf | 2024-02-14 | 6.8 MEDIUM | 8.8 HIGH | admin/admin/adminsave.html in YFCMF v3.0 allows CSRF to add an administrator account.
CVE-2008-5583 | 1 Projectpier | 1 Projectpier | 2024-02-14 | 6.8 MEDIUM | N/A | Cross-site request forgery (CSRF) vulnerability in index.php in ProjectPier 0.8 and earlier allows remote attackers to perform actions as an administrator via the query string, as demonstrated by a delete project action.
CVE-2018-15569 | 1 Mylittleforum | 1 My Little Forum | 2024-02-14 | 4.3 MEDIUM | 6.5 MEDIUM | my little forum 2.4.12 allows CSRF for deletion of users.
CVE-2020-36140 | 1 Bloofox | 1 Bloofoxcms | 2024-02-14 | 4.3 MEDIUM | 6.5 MEDIUM | BloofoxCMS 0.5.2.1 allows Cross-Site Request Forgery (CSRF) via 'mode=settings&page=editor', as demonstrated by use of 'mode=settings&page=editor' to change any file content (Locally/Remotely).
CVE-2008-5400 | 1 Mvnforum | 1 Mvnforum | 2024-02-14 | 6.8 MEDIUM | N/A | Multiple cross-site request forgery (CSRF) vulnerabilities in mvnForum before 1.2.1 GA allow remote attackers to (1) create forums, (2) change account privileges, (3) enable accounts, or (4) disable accounts as a product administrator via unspecified vectors, possibly related to HTTP Referer headers.
CVE-2018-10267 | 1 Wtcms Project | 1 Wtcms | 2024-02-14 | 6.8 MEDIUM | 8.8 HIGH | WTCMS 1.0 has a CSRF vulnerability to add an administrator account via the index.php?admin&m=user&a=add_post URI.
CVE-2020-22761 | 1 Flatpress | 1 Flatpress | 2024-02-14 | 6.8 MEDIUM | 8.8 HIGH | Cross Site Request Forgery (CSRF) vulnerability in FlatPress 1.1 via the DeleteFile function in flat/admin.php.
CVE-2020-15046 | 1 Supermicro | 3 X10drh-it, X10drh-it Bios, X10drh-it Firmware | 2024-02-14 | 9.3 HIGH | 8.8 HIGH | The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40 allows remote attackers to exploit a cgi/config_user.cgi CSRF issue to add new admin users. The fixed versions are BIOS 3.2 and firmware 03.88.
CVE-2007-1520 | 1 Phpnuke | 1 Php-nuke | 2024-02-14 | 6.8 MEDIUM | N/A | The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 and earlier does not ensure the SERVER superglobal is an array before validating the HTTP_REFERER, which allows remote attackers to conduct CSRF attacks.
CVE-2023-38579 | 1 Westermo | 2 L206-f2g, L206-f2g Firmware | 2024-02-13 | N/A | 8.8 HIGH | The cross-site request forgery token in the request may be predictable or easily guessable, allowing attackers to craft a malicious request which could be triggered by a victim unknowingly. In a successful CSRF attack, the attacker could lead the victim user to carry out an action unintentionally.
CVE-2024-0859 | 1 Wpaffiliatemanager | 1 Affiliates Manager | 2024-02-13 | N/A | 4.3 MEDIUM | The Affiliates Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.9.34. This is due to missing or incorrect nonce validation on the process_bulk_action function in ListAffiliatesTable.php. This makes it possible for unauthenticated attackers to delete affiliates via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-0790 | 1 Pluginus | 1 Wolf - Wordpress Posts Bulk Editor And Products Manager Professional | 2024-02-13 | N/A | 4.3 MEDIUM | The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8.1. This is due to missing or incorrect nonce validation on the wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_term functions. This makes it possible for unauthenticated attackers to create, modify and delete taxonomy terms via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. Furthermore, the functions wpbe_save_options, wpbe_bulk_delete_posts_count, wpbe_bulk_delete_posts, and wpbe_save_meta are vulnerable to Cross-Site Request Forgery, allowing for plugin options update, post count deletion, post deletion and modification of post metadata via forged request.