Total: 5841 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-40603 | Mediawiki | Mediawiki | 2024-07-09 | N/A | 4.3 MEDIUM | An issue was discovered in the ArticleRatings extension for MediaWiki through 1.42.1. Special:ChangeRating allows CSRF to alter data via a GET request.
CVE-2024-5767 | Sitetweet Project | Sitetweet | 2024-07-09 | N/A | 8.8 HIGH | The sitetweet WordPress plugin through 0.2 does not have CSRF checks in some places and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add stored XSS payloads via a CSRF attack.
CVE-2024-39023 | | | 2024-07-09 | N/A | 8.8 HIGH | idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via admin/info_deal.php?mudi=add&nohrefStr=close.
CVE-2024-39020 | | | 2024-07-09 | N/A | 6.3 MEDIUM | idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/vpsApiData_deal.php?mudi=rev&nohrefStr=close.
CVE-2024-39019 | | | 2024-07-09 | N/A | 5.4 MEDIUM | idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/idcProData_deal.php?mudi=del.
CVE-2024-27717 | | | 2024-07-08 | N/A | 6.5 MEDIUM | Cross-Site Request Forgery vulnerability in Eskooly Free Online School Management Software v.3.0 and before allows a remote attacker to escalate privileges via the Token Handling component.
CVE-2024-5616 | | | 2024-07-08 | N/A | 4.3 MEDIUM | A Cross-Site Request Forgery (CSRF) vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which allows attackers to trick victims into deleting installed models. By crafting a malicious HTML page, an attacker can cause the deletion of a model, such as 'gpt-4-vision-preview', without the victim's consent. The vulnerability is due to insufficient CSRF protection mechanisms on the model deletion functionality.
CVE-2024-4969 | Devnath Verma | Widget Bundle | 2024-07-08 | N/A | 4.3 MEDIUM | The Widget Bundle WordPress plugin through 2.0.0 does not have CSRF checks when logging Widgets, which could allow attackers to make a logged-in admin enable/disable widgets via a CSRF attack.
CVE-2024-39154 | | | 2024-07-08 | N/A | 8.8 HIGH | idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/keyWord_deal.php?mudi=del&dataType=word&dataTypeCN.
CVE-2024-2376 | 2code | Wpqa Builder | 2024-07-08 | N/A | 8.8 HIGH | The WPQA Builder WordPress plugin before 6.1.1 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.
CVE-2024-2235 | 2code | Himer | 2024-07-08 | N/A | 4.3 MEDIUM | The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make users vote on any polls, including those they don't have access to, via a CSRF attack.
CVE-2024-2233 | 2code | Himer | 2024-07-08 | N/A | 4.3 MEDIUM | The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. These include declining and accepting group invitations or leaving a group.
CVE-2024-2040 | 2code | Himer | 2024-07-08 | N/A | 4.3 MEDIUM | The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make users join private groups via a CSRF attack.
CVE-2023-28696 | Themeist | I Recommend This | 2024-07-08 | N/A | 8.8 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in Harish Chouhan, Themeist I Recommend This allows Cross Site Request Forgery. This issue affects I Recommend This: from n/a through 3.9.0.
CVE-2024-23519 | | | 2024-07-08 | N/A | 4.3 MEDIUM | Cross-Site Request Forgery (CSRF) vulnerability in M&S Consulting Email Before Download. This issue affects Email Before Download: from n/a through 6.9.7.
CVE-2023-26531 | Wbolt | All-in-one Search Automatic Push Management | 2024-07-08 | N/A | 8.8 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in 闪电博 多合一搜索自动推送管理插件-支持Baidu/Google/Bing/IndexNow/Yandex/头条 allows Cross Site Request Forgery. This issue affects 多合一搜索自动推送管理插件-支持Baidu/Google/Bing/IndexNow/Yandex/头条: from n/a through 4.2.7.
CVE-2024-5943 | Kylephillips | Nested Pages | 2024-07-05 | N/A | 8.8 HIGH | The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the 'settingsPage' function and missing sanitization of the 'tab' parameter. This makes it possible for unauthenticated attackers to call local PHP files via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-4543 | Yeken | Snippet Shortcodes | 2024-07-03 | N/A | 4.3 MEDIUM | The Snippet Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.1.4. This is due to missing or incorrect nonce validation when adding or editing shortcodes. This makes it possible for unauthenticated attackers to modify shortcodes via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-39326 | | | 2024-07-03 | N/A | 4.4 MEDIUM | SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint `/admin/projects/{projectname}/skills/{skillname}/video` (and probably others) is open to a cross-site request forgery (CSRF) vulnerability. The endpoint is CSRF-able: it accepts a POST request, supports a content type that can be exploited (multipart file upload), makes a state change, and has no CSRF mitigations in place (SameSite flag, CSRF token). It is possible to perform a CSRF attack against a logged-in admin account, allowing an attacker that can target a logged-in admin of Skills Service to modify the videos, captions, and text of the skill. Version 2.12.6 contains a patch for this issue.
CVE-2024-3477 | | | 2024-07-03 | N/A | N/A | The Popup Box WordPress plugin before 2.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged-in admins perform unwanted actions, such as deleting popups, via CSRF attacks.