Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-30528 | 2025-03-27 | N/A | 9.3 CRITICAL | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in wpshopee Awesome Logos allows SQL Injection. This issue affects Awesome Logos: from n/a through 1.2.
|
|||||
| CVE-2025-30572 | 2025-03-27 | N/A | 7.1 HIGH | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Igor Yavych Simple Rating allows Stored XSS. This issue affects Simple Rating: from n/a through 1.4.
|
|||||
| CVE-2025-30538 | 2025-03-27 | N/A | 4.3 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in ChrisHurst Simple Optimizer allows Cross Site Request Forgery. This issue affects Simple Optimizer: from n/a through 1.2.7.
|
|||||
| CVE-2025-30557 | 2025-03-27 | N/A | 4.3 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in odihost Easy 301 Redirects allows Cross Site Request Forgery. This issue affects Easy 301 Redirects: from n/a through 1.33.
|
|||||
| CVE-2024-20986 | 1 Oracle | 1 Weblogic Server | 2025-03-27 | N/A | 6.1 MEDIUM |
|
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products (sco ...
Show More |
|||||
| CVE-2023-51512 | 1 Woobewoo | 1 Product Table | 2025-03-27 | N/A | 4.3 MEDIUM |
|
Cross Site Request Forgery (CSRF) vulnerability in WBW Product Table by WBW.This issue affects Product Table by WBW: from n/a through 1.8.6.
|
|||||
| CVE-2023-20856 | 1 Vmware | 1 Vrealize Operations | 2025-03-27 | N/A | 8.8 HIGH |
|
VMware vRealize Operations (vROps) contains a CSRF bypass vulnerability. A malicious user could execute actions on the vROps platform on behalf of the authenticated victim user.
|
|||||
| CVE-2023-23750 | 1 Joomla | 1 Joomla\! | 2025-03-26 | N/A | 6.3 MEDIUM |
|
An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.
|
|||||
| CVE-2023-25015 | 2 Clockwork Web Project, Rubyonrails | 2 Clockwork Web, Rails | 2025-03-26 | N/A | 6.5 MEDIUM |
|
Clockwork Web before 0.1.2, when Rails before 5.2 is used, allows CSRF.
|
|||||
| CVE-2024-4382 | 1 Wielebenwir | 1 Commonsbooking | 2025-03-26 | N/A | 6.5 MEDIUM |
|
The CB (legacy) WordPress plugin through 0.9.4.18 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF attacks
|
|||||
| CVE-2021-37234 | 1 Modern Honey Network Project | 1 Modern Honey Network | 2025-03-26 | N/A | 6.5 MEDIUM |
|
Incorrect Access Control vulnerability in Modern Honey Network commit 0abf0db9cd893c6d5c727d036e1f817c02de4c7b allows remote attackers to view sensitive information via crafted PUT request to Web API.
|
|||||
| CVE-2021-36570 | 1 Thedaylightstudio | 1 Fuel Cms | 2025-03-26 | N/A | 8.8 HIGH |
|
Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /permissions/delete/2---.
|
|||||
| CVE-2021-36569 | 1 Thedaylightstudio | 1 Fuel Cms | 2025-03-26 | N/A | 8.8 HIGH |
|
Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /users/delete/2.
|
|||||
| CVE-2021-36444 | 1 Txjia | 1 Imcat | 2025-03-26 | N/A | 8.8 HIGH |
|
Cross Site Request Forgery (CSRF) vulnerability in imcat 5.4 allows remote attackers to gain escalated privileges via flaws one time token generation on the add administrator page.
|
|||||
| CVE-2021-36443 | 1 Txjia | 1 Imcat | 2025-03-26 | N/A | 8.8 HIGH |
|
Cross Site Request Forgery vulnerability in imcat 5.4 allows remote attackers to escalate privilege via lack of token verification.
|
|||||
| CVE-2024-7806 | 1 Openwebui | 1 Open Webui | 2025-03-26 | N/A | 8.8 HIGH |
|
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious HTML that, when accessed by a victim, can modify the Python code of an existing pipeline and execute arbitrary code with the victim's privileges.
|
|||||
| CVE-2024-8026 | 1 Qanything | 1 Qanything | 2025-03-26 | N/A | 8.1 HIGH |
|
A Cross-Site Request Forgery (CSRF) vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. The backend server has overly permissive CORS headers, allowing all cross-origin calls. This vulnerability affects all backend endpoints, enabling actions such as creating, uploading, listing, deleting files, and managing knowledge bases.
|
|||||
| CVE-2024-20933 | 1 Oracle | 1 Installed Base | 2025-03-26 | N/A | 6.1 MEDIUM |
|
Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: Engineering Change Order). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Installed Base, attacks may significantly impact additional products ...
Show More |
|||||
| CVE-2022-47131 | 1 Creativeitem | 1 Academy Lms | 2025-03-26 | N/A | 4.8 MEDIUM |
|
A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows an attacker to arbitrarily create a page.
|
|||||
| CVE-2022-47130 | 1 Creativeitem | 1 Academy Lms | 2025-03-26 | N/A | 4.3 MEDIUM |
|
A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows a discount coupon to be arbitrarily created if an attacker with administrative privileges interacts on the CSRF page.
|
|||||
| CVE-2024-42616 | 1 Pligg | 1 Pligg Cms | 2025-03-26 | N/A | 8.8 HIGH |
|
Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/admin_widgets.php?action=remove&widget=Statistics
|
|||||
| CVE-2024-38276 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2025-03-26 | N/A | 8.8 HIGH |
|
Incorrect CSRF token checks resulted in multiple CSRF risks.
|
|||||
| CVE-2024-37118 | 1 Uncannyowl | 1 Uncanny Automator | 2025-03-26 | N/A | 5.4 MEDIUM |
|
Cross Site Request Forgery (CSRF) vulnerability in Uncanny Owl Uncanny Automator Pro.This issue affects Uncanny Automator Pro: from n/a through 5.3.
|
|||||
| CVE-2025-1530 | 1 Tripetto | 1 Tripetto | 2025-03-25 | N/A | 4.3 MEDIUM |
|
The Tripetto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.0.9. This is due to missing nonce validation. This makes it possible for unauthenticated attackers to delete arbitrary results via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2024-42584 | 1 Siamonhasan | 1 Warehouse Inventory System | 2025-03-25 | N/A | 8.8 HIGH |
|
A Cross-Site Request Forgery (CSRF) in the component delete_product.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
|
|||||
| CVE-2024-45987 | 1 Online Voting System Project | 1 Online Voting System | 2025-03-25 | N/A | 6.5 MEDIUM |
|
Projectworld Online Voting System Version 1.0 is vulnerable to Cross Site Request Forgery (CSRF) via voter.php. This vulnerability allows an attacker to craft a malicious link that, when clicked by an authenticated user, automatically submits a vote for a specified party without the user's consent or knowledge. The attack leverages the user's active session to perform the unauthorized action, compromising the integrity of the voting process.
|
|||||
| CVE-2024-34008 | 1 Moodle | 1 Moodle | 2025-03-25 | N/A | 8.8 HIGH |
|
Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.
|
|||||
| CVE-2024-23094 | 1 Flusity | 1 Flusity | 2025-03-25 | N/A | 8.8 HIGH |
|
Flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /cover/addons/info_media_gallery/action/edit_addon_post.php
|
|||||
| CVE-2024-26349 | 1 Flusity | 1 Flusity | 2025-03-25 | N/A | 4.3 MEDIUM |
|
flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/delete_translation.php
|
|||||
| CVE-2024-26351 | 1 Flusity | 1 Flusity | 2025-03-25 | N/A | 6.1 MEDIUM |
|
flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/update_place.php
|
|||||
| CVE-2024-26352 | 1 Flusity | 1 Flusity | 2025-03-25 | N/A | 8.8 HIGH |
|
flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/add_places.php
|
|||||
| CVE-2024-26445 | 1 Flusity | 1 Flusity | 2025-03-25 | N/A | 6.1 MEDIUM |
|
flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/delete_place.php
|
|||||
| CVE-2024-45372 | 1 Planex | 2 Mzk-dp300n, Mzk-dp300n Firmware | 2025-03-25 | N/A | 6.5 MEDIUM |
|
MZK-DP300N firmware versions 1.04 and earlier contains a cross-site request forger vulnerability. Viewing a malicious page while logging in to the web management page of the affected product may lead the user to perform unintended operations such as changing the login password, etc.
|
|||||
| CVE-2024-3474 | 1 Wow-company | 1 Wow Skype Buttons | 2025-03-25 | N/A | 8.8 HIGH |
|
The Wow Skype Buttons WordPress plugin before 4.0.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting buttons via CSRF attacks
|
|||||
| CVE-2025-24387 | 1 Otrs | 1 Otrs | 2025-03-24 | N/A | 4.8 MEDIUM |
|
A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive
cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possible malicious web site, would send the authentication cookie, performing an unwanted read operation.
This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* OTRS 2025.x
|
|||||
| CVE-2024-2316 | 1 Bdtask | 1 Hospital Automanager | 2025-03-24 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability has been found in Bdtask Hospital AutoManager up to 20240227 and classified as problematic. This vulnerability affects unknown code of the file /billing/bill/edit/ of the component Update Bill Page. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-256270 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not ...
Show More |
|||||
| CVE-2025-0807 | 2025-03-22 | N/A | 4.3 MEDIUM | ||
|
The CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation on the cits_settings_tab() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2024-13768 | 2025-03-22 | N/A | 4.3 MEDIUM | ||
|
The CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation on the cits_assign_fonts_tab() function. This makes it possible for unauthenticated attackers to delete font assignments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2022-4138 | 1 Gitlab | 1 Gitlab | 2025-03-21 | N/A | 6.4 MEDIUM |
|
A Cross Site Request Forgery issue has been discovered in GitLab CE/EE affecting all versions before 15.6.7, all versions starting from 15.7 before 15.7.6, and all versions starting from 15.8 before 15.8.1. An attacker could take over a project if an Owner or Maintainer uploads a file to a malicious project.
|
|||||
| CVE-2024-1719 | 1 Wpplugin | 1 Paypal \& Stripe Add-on | 2025-03-21 | N/A | 4.3 MEDIUM |
|
The Easy PayPal & Stripe Buy Now Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.3 and in Contact Form 7 – PayPal & Stripe Add-on all versions up to, and including 2.1. This is due to missing or incorrect nonce validation on the 'wpecpp_stripe_connect_completion' function. This makes it possible for unauthenticated attackers to modify the plugins settings and chance the stripe connection via a forged request granted they can trick ...
Show More |
|||||