Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-54389 | 2024-12-16 | N/A | 7.1 HIGH | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Eduardo Chiaro addWeather allows Cross Site Request Forgery.This issue affects addWeather: from n/a through 2.5.1.
|
|||||
| CVE-2024-54388 | 2024-12-16 | N/A | 7.1 HIGH | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Phuc Pham Multiple Admin Emails allows Cross Site Request Forgery.This issue affects Multiple Admin Emails: from n/a through 1.0.
|
|||||
| CVE-2024-54386 | 2024-12-16 | N/A | 7.1 HIGH | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Get Push Monkey LLC Push Monkey Pro – Web Push Notifications and WooCommerce Abandoned Cart allows Cross Site Request Forgery.This issue affects Push Monkey Pro – Web Push Notifications and WooCommerce Abandoned Cart: from n/a through 3.9.
|
|||||
| CVE-2024-54372 | 2024-12-16 | N/A | 9.6 CRITICAL | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Sourov Amin Insertify allows Code Injection.This issue affects Insertify: from n/a through 1.1.4.
|
|||||
| CVE-2024-54368 | 2024-12-16 | N/A | 9.6 CRITICAL | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Ruben Garza, Jr. GitSync allows Code Injection.This issue affects GitSync: from n/a through 1.1.0.
|
|||||
| CVE-2024-54353 | 2024-12-16 | N/A | 7.1 HIGH | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in WPGear Hack-Info allows Stored XSS.This issue affects Hack-Info: from n/a through 3.17.
|
|||||
| CVE-2024-54352 | 2024-12-16 | N/A | 8.8 HIGH | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Sabri Taieb Sogrid allows Privilege Escalation.This issue affects Sogrid: from n/a through 1.5.2.
|
|||||
| CVE-2024-54332 | 2024-12-16 | N/A | 7.1 HIGH | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in WPFactory WP Currency Exchange Rates allows Stored XSS.This issue affects WP Currency Exchange Rates: from n/a through 1.2.0.
|
|||||
| CVE-2024-54331 | 2024-12-16 | N/A | 7.1 HIGH | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Micha I Plant A Tree allows Stored XSS.This issue affects I Plant A Tree: from n/a through 1.7.3.
|
|||||
| CVE-2024-37251 | 2024-12-16 | N/A | 4.3 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in WPENGINE, INC. Advanced Custom Fields PRO.This issue affects Advanced Custom Fields PRO: from n/a before 6.3.2.
|
|||||
| CVE-2023-7045 | 1 Gitlab | 1 Gitlab | 2024-12-16 | N/A | 5.4 MEDIUM |
|
A CSRF vulnerability exists within GitLab CE/EE from versions 13.11 before 16.10.6, from 16.11 before 16.11.3, from 17.0 before 17.0.1. By leveraging this vulnerability, an attacker could exfiltrate anti-CSRF tokens via the Kubernetes Agent Server (KAS).
|
|||||
| CVE-2024-12646 | 2024-12-16 | N/A | 8.1 HIGH | ||
|
The topm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system.
|
|||||
| CVE-2024-12645 | 2024-12-16 | N/A | 6.5 MEDIUM | ||
|
The topm-client from Chunghwa Telecom has an Arbitrary File Read vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains a Relative Path Traversal vulnerability, allowing attackers to read arbitrary files on the user's system.
|
|||||
| CVE-2024-12644 | 2024-12-16 | N/A | 7.1 HIGH | ||
|
The tbm-client from Chunghwa Telecom has an Arbitrary File vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability. Attackers can copy arbitrary files on the user's system and paste them into any path, which poses a potential risk ...
Show More |
|||||
| CVE-2024-12643 | 2024-12-16 | N/A | 8.1 HIGH | ||
|
The tbm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system.
|
|||||
| CVE-2024-12555 | 2024-12-14 | N/A | 6.1 MEDIUM | ||
|
The SIP Calculator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2024-4597 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 5.7 MEDIUM |
|
An issue has been discovered in GitLab EE affecting all versions from 16.7 before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. An attacker could force a user with an active SAML session to approve an MR via CSRF.
|
|||||
| CVE-2024-54351 | 2024-12-13 | N/A | 7.1 HIGH | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Tom Landis Fancy Roller Scroller allows Stored XSS.This issue affects Fancy Roller Scroller: from n/a through 1.4.0.
|
|||||
| CVE-2024-54337 | 2024-12-13 | N/A | 7.1 HIGH | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in DevriX DX Dark Site allows Stored XSS.This issue affects DX Dark Site: from n/a through 1.0.1.
|
|||||
| CVE-2024-54321 | 2024-12-13 | N/A | 4.3 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Hive Support Hive Support – WordPress Help Desk allows Cross Site Request Forgery.This issue affects Hive Support – WordPress Help Desk: from n/a through 1.1.2.
|
|||||
| CVE-2024-54307 | 2024-12-13 | N/A | 4.3 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in AIpost AIcomments allows Cross Site Request Forgery.This issue affects AIcomments: from n/a through 1.4.1.
|
|||||
| CVE-2024-54306 | 2024-12-13 | N/A | 4.3 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in KCT AIKCT Engine Chatbot, ChatGPT, Gemini, GPT-4o Best AI Chatbot allows Cross Site Request Forgery.This issue affects AIKCT Engine Chatbot, ChatGPT, Gemini, GPT-4o Best AI Chatbot: from n/a through 1.6.2.
|
|||||
| CVE-2024-54300 | 2024-12-13 | N/A | 4.3 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Neuralabz LTD. AutoWP allows Cross Site Request Forgery.This issue affects AutoWP: from n/a through 2.0.8.
|
|||||
| CVE-2024-54248 | 2024-12-13 | N/A | 8.8 HIGH | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Michael DUMONTET eewee admin custom allows Privilege Escalation.This issue affects eewee admin custom: from n/a through 1.8.2.4.
|
|||||
| CVE-2023-41686 | 2024-12-13 | N/A | 6.5 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in ilGhera Woocommerce Support System allows Cross Site Request Forgery.This issue affects Woocommerce Support System: from n/a through 1.2.2.
|
|||||
| CVE-2024-12572 | 2024-12-13 | N/A | 6.1 MEDIUM | ||
|
The Hello In All Languages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2023-30759 | 1 Ricoh | 1 Printer Driver Packager Nx | 2024-12-12 | N/A | 7.8 HIGH |
|
The driver installation package created by Printer Driver Packager NX v1.0.02 to v1.1.25 fails to detect its modification and may spawn an unexpected process with the administrative privilege. If a non-administrative user modifies the driver installation package and runs it on the target PC, an arbitrary program may be executed with the administrative privilege.
|
|||||
| CVE-2024-11689 | 2024-12-12 | N/A | 8.8 HIGH | ||
|
The HQ Rental Software plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.29. This is due to missing or incorrect nonce validation on the displaySettingsPage() function. This makes it possible for unauthenticated attackers to update arbitrary options that can be leveraged for privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2024-11419 | 2024-12-12 | N/A | 6.1 MEDIUM | ||
|
The Password for WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the get3_init_admin_page() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2024-11417 | 2024-12-12 | N/A | 6.1 MEDIUM | ||
|
The dejure.org Vernetzungsfunktion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.97.5. This is due to missing or incorrect nonce validation on the djo_einstellungen_menue() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2024-12349 | 1 Jwillber | 1 Jfinalcms | 2024-12-11 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in JFinalCMS 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/tag/save. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-55500 | 2024-12-11 | N/A | 8.8 HIGH | ||
|
Cross-Site Request Forgery (CSRF) in Avenwu Whistle v.2.9.90 and before allows attackers to perform malicious API calls, resulting in the execution of arbitrary code on the victim's machine.
|
|||||
| CVE-2024-39163 | 2024-12-11 | N/A | 8.8 HIGH | ||
|
binux pyspider up to v0.3.10 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Flask endpoints.
|
|||||
| CVE-2020-20726 | 1 Gilacms | 1 Gila Cms | 2024-12-11 | N/A | 8.8 HIGH |
|
Cross Site Request Forgery vulnerability in Gila GilaCMS v.1.11.4 allows a remote attacker to execute arbitrary code via the cm/update_rows/user parameter.
|
|||||
| CVE-2024-12004 | 2024-12-11 | N/A | 6.1 MEDIUM | ||
|
The WPC Order Notes for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.2. This is due to missing or incorrect nonce validation on the ajax_update_order_note() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2024-41776 | 1 Ibm | 1 Cognos Controller | 2024-12-11 | N/A | 6.5 MEDIUM |
|
IBM Cognos Controller 11.0.0 and 11.0.1
is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
|
|||||
| CVE-2024-8980 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-12-10 | N/A | 9.6 CRITICAL |
|
The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173
does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability.
|
|||||
| CVE-2024-26273 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-12-10 | N/A | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.4.0 through 7.4.3.103, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 update 29 through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_commerce_catalog_web_internal_portlet_CommerceCa ...
Show More |
|||||
| CVE-2024-26271 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-12-10 | N/A | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_ ...
Show More |
|||||
| CVE-2024-26272 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-12-10 | N/A | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.3.2 through 7.4.3.107, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 GA through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the p_l_back_url parameter.
|
|||||