Total: 8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-10726 | | | 2024-11-21 | N/A | 6.1 MEDIUM | The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2024-11416 | | | 2024-11-21 | N/A | 6.1 MEDIUM | The WIP Incoming Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the save_option() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2024-7226 | 1 Oretnom23 | 1 Medicine Tracker System | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was found in SourceCodester Medicine Tracker System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /classes/Users.php?f=save_user of the component Password Change Handler. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-272806 is the identifier assigned to this vulnerability. |
| CVE-2024-7169 | 1 Oretnom23 | 1 School Fees Payment System | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability classified as problematic has been found in SourceCodester School Fees Payment System 1.0. This affects an unknown part of the file /ajax.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272583. |
| CVE-2024-7161 | 1 Seacms | 1 Seacms | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability classified as problematic was found in SeaCMS 13.0. Affected by this vulnerability is an unknown functionality of the file /member.php?action=chgpwdsubmit of the component Password Change Handler. The manipulation of the argument newpwd/newpwd2 leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272575. |
| CVE-2024-7106 | 1 Denkgroot | 1 Spina | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability classified as problematic was found in Spina CMS 2.18.0. Affected by this vulnerability is an unknown functionality of the file /admin/media_folders. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272431. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-7065 | 1 Denkgroot | 1 Spina | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was found in Spina CMS up to 2.18.0. It has been classified as problematic. Affected is an unknown function of the file /admin/pages/. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-272346 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-6751 | 1 Wpwebinfotech | 1 Social Auto Poster | 2024-11-21 | N/A | 6.3 MEDIUM | The Social Auto Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.3.14. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options. |
| CVE-2024-6649 | 1 Oretnom23 | 1 Employee And Visitor Gate Pass Logging System | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability has been found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0 and classified as problematic. Affected by this vulnerability is the function save_users of the file Users.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-271057 was assigned to this vulnerability. |
| CVE-2024-6405 | 1 Varniinfotech | 1 Floating Social Buttons | 2024-11-21 | N/A | 6.1 MEDIUM | The Floating Social Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the floating_social_buttons_option() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2024-6271 | 1 Community Events Project | 1 Community Events | 2024-11-21 | N/A | 5.4 MEDIUM | The Community Events WordPress plugin before 1.5 does not have a CSRF check in place when deleting events, which could allow attackers to make a logged-in admin delete arbitrary events via a CSRF attack. |
| CVE-2024-6075 | 1 Tipsandtricks-hq | 1 Wp Estore | 2024-11-21 | N/A | 8.8 HIGH | The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. |
| CVE-2024-6023 | 1 Adamsolymosi | 1 Contentlock | 2024-11-21 | N/A | 8.8 HIGH | The ContentLock WordPress plugin through 1.0.3 does not have a CSRF check in place when adding emails, which could allow attackers to make a logged-in admin perform such an action via a CSRF attack. |
| CVE-2024-6022 | 1 Adamsolymosi | 1 Contentlock | 2024-11-21 | N/A | 8.8 HIGH | The ContentLock WordPress plugin through 1.0.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. |
| CVE-2024-5943 | 1 Kylephillips | 1 Nested Pages | 2024-11-21 | N/A | 8.8 HIGH | The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the 'settingsPage' function and missing sanitization of the 'tab' parameter. This makes it possible for unauthenticated attackers to call local php files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2024-5815 | 1 Github | 1 Enterprise Server | 2024-11-21 | N/A | 6.5 MEDIUM | A Cross-Site Request Forgery vulnerability in GitHub Enterprise Server allowed write operations on a victim-owned repository by exploiting incorrect request types. A mitigating factor is that the attacker would have to be a trusted GitHub Enterprise Server user, and the victim would have to visit a tag in the attacker's fork of their own repository. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. ... |
| CVE-2024-5804 | | | 2024-11-21 | N/A | 4.3 MEDIUM | The Conditional Fields for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.13. This is due to missing or incorrect nonce validation on the wpcf7cf_admin_init function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2024-5786 | | | 2024-11-21 | N/A | 6.5 MEDIUM | Cross-Site Request Forgery vulnerability in Comtrend router WLD71-T1_v2.0.201820, affecting the GRG-4280us version. This vulnerability allows an attacker to force an end user to execute unwanted actions in a web application to which they are authenticated. |
| CVE-2024-5767 | 1 Sitetweet Project | 1 Sitetweet | 2024-11-21 | N/A | 8.8 HIGH | The sitetweet WordPress plugin through 0.2 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack. |
| CVE-2024-5676 | | | 2024-11-21 | N/A | 6.8 MEDIUM | The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to Cross-Site Request Forgery (CSRF) attacks due to a lack of countermeasures and the use of the HTTP method `GET` to introduce changes in the system. |
| CVE-2024-5551 | 1 Wp-staging | 1 Wp Staging | 2024-11-21 | N/A | 7.5 HIGH | The WP STAGING Pro WordPress Backup Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the 'sub' parameter called from the WP STAGING WordPress Backup Plugin - Backup Duplicator & Migration plugin. This makes it possible for unauthenticated attackers to include any local files that end in '-settings.php' via a forged request granted they can trick a site administrator into pe ... |
| CVE-2024-5185 | | | 2024-11-21 | N/A | 7.3 HIGH | The EmbedAI application is susceptible to security issues that enable Data Poisoning attacks. This weakness could result in the application becoming compromised, leading to unauthorized entries or data poisoning attacks, which are delivered by a CSRF vulnerability due to the absence of a secure session management implementation and weak CORS policies. An attacker can direct a user to a malicious webpage that exploits a CSRF vulnerability within the EmbedAI application. By leveraging thi ... |
| CVE-2024-4969 | 1 Devnath Verma | 1 Widget Bundle | 2024-11-21 | N/A | 4.3 MEDIUM | The Widget Bundle WordPress plugin through 2.0.0 does not have CSRF checks when logging Widgets, which could allow attackers to make a logged-in admin enable/disable widgets via a CSRF attack. |
| CVE-2024-4689 | | | 2024-11-21 | N/A | 4.3 MEDIUM | Cross-Site Request Forgery (CSRF) vulnerability in ShortPixel ShortPixel Adaptive Images. This issue affects ShortPixel Adaptive Images: from n/a through 3.8.3. |
| CVE-2024-4600 | | | 2024-11-21 | N/A | 7.1 HIGH | Cross-Site Request Forgery vulnerability in Socomec Net Vision, version 7.20. This vulnerability could allow an attacker to trick registered users into performing critical actions, such as adding and updating accounts, due to lack of proper sanitisation of the ‘set_param.cgi’ file. |
| CVE-2024-4543 | 1 Yeken | 1 Snippet Shortcodes | 2024-11-21 | N/A | 4.3 MEDIUM | The Snippet Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.1.4. This is due to missing or incorrect nonce validation when adding or editing shortcodes. This makes it possible for unauthenticated attackers to modify shortcodes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2024-4499 | 1 Lollms | 1 Lollms | 2024-11-21 | N/A | 6.3 MEDIUM | A Cross-Site Request Forgery (CSRF) vulnerability exists in the XTTS server of parisneo/lollms version 9.6 due to a lax CORS policy. The vulnerability allows attackers to perform unauthorized actions by tricking a user into visiting a malicious webpage, which can then trigger arbitrary LoLLMS-XTTS API requests. This issue can lead to the reading and writing of audio files and, when combined with other vulnerabilities, could allow for the reading of arbitrary files on the system and writing files ... |
| CVE-2024-4475 | 1 Onetarek | 1 Wp Logs Book | 2024-11-21 | N/A | 4.3 MEDIUM | The WP Logs Book WordPress plugin through 1.0.1 does not have a CSRF check when clearing logs, which could allow attackers to make a logged-in admin clear the logs via a CSRF attack. |
| CVE-2024-4474 | 1 Onetarek | 1 Wp Logs Book | 2024-11-21 | N/A | 4.3 MEDIUM | The WP Logs Book WordPress plugin through 1.0.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. |
| CVE-2024-4328 | 1 Parisneo | 1 Lollms Web Ui | 2024-11-21 | N/A | 8.1 HIGH | A Cross-Site Request Forgery (CSRF) vulnerability exists in the clear_personality_files_list function of the parisneo/lollms-webui v9.6. The vulnerability arises from the use of a GET request to clear the personality files list, which lacks proper CSRF protection. This flaw allows attackers to trick users into performing actions without their consent, such as deleting important files on the system. The issue is present in the application's handling of requests, making it susceptible to CSRF attacks ... |
| CVE-2024-45693 | 1 Apache | 1 Cloudstack | 2024-11-21 | N/A | 8.0 HIGH | Users logged into the Apache CloudStack web interface can be tricked into submitting malicious CSRF requests due to missing validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the authenticated users and may lead to account takeover, disruption, exposure of sensitive data and compromise of the integrity of the resources owned by the user account that are managed by the platform. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2 ... |
| CVE-2024-41305 | 1 Wondercms | 1 Wondercms | 2024-11-21 | N/A | 4.7 MEDIUM | A Server-Side Request Forgery (SSRF) in the Plugins Page of WonderCMS v3.4.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the pluginThemeUrl parameter. |
| CVE-2024-40601 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | N/A | 6.5 MEDIUM | An issue was discovered in the MediaWikiChat extension for MediaWiki through 1.42.1. CSRF can occur in API modules. |
| CVE-2024-40334 | 1 Idccms | 1 Idccms | 2024-11-21 | N/A | 8.8 HIGH | idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/serverFile_deal.php?mudi=upFileDel&dataID=3 |
| CVE-2024-40332 | 1 Idccms | 1 Idccms | 2024-11-21 | N/A | 8.8 HIGH | idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/moneyRecord_deal.php?mudi=delRecord |
| CVE-2024-40119 | | | 2024-11-21 | N/A | 8.8 HIGH | Nepstech Wifi Router xpon (terminal) model NTPL-Xpon1GFEVN v.1.0 Firmware V2.0.1 contains a Cross-Site Request Forgery (CSRF) vulnerability in the password change function, which allows remote attackers to change the admin password without the user's consent, leading to a potential account takeover. |
| CVE-2024-40037 | 1 Idccms Project | 1 Idccms | 2024-11-21 | N/A | 8.8 HIGH | idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/userScore_deal.php?mudi=del |
| CVE-2024-40034 | 1 Idccms Project | 1 Idccms | 2024-11-21 | N/A | 8.8 HIGH | idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/userLevel_deal.php?mudi=del |
| CVE-2024-3972 | 1 Davidjmiller | 1 Similarity | 2024-11-21 | N/A | 4.3 MEDIUM | The Similarity WordPress plugin through 3.0 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack. |
| CVE-2024-3873 | | | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was found in SMI SMI-EX-5414W up to 1.0.03. It has been classified as problematic. This affects an unknown part of the component Web Interface. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-260907. |