Total
7682 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-11419 | 2024-12-12 | N/A | 6.1 MEDIUM | ||
| The Password for WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the get3_init_admin_page() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-11417 | 2024-12-12 | N/A | 6.1 MEDIUM | ||
| The dejure.org Vernetzungsfunktion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.97.5. This is due to missing or incorrect nonce validation on the djo_einstellungen_menue() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-12349 | 1 Jwillber | 1 Jfinalcms | 2024-12-11 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in JFinalCMS 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/tag/save. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-28141 | 2024-12-11 | N/A | 6.3 MEDIUM | ||
| The web application is not protected against cross-site request forgery attacks. Therefore, an attacker can trick users into performing actions on the application when they visit an attacker-controlled website or click on a malicious link. E.g. an attacker can forge malicious links to reset the admin password or create new users. | |||||
| CVE-2024-55500 | 2024-12-11 | N/A | 8.8 HIGH | ||
| Cross-Site Request Forgery (CSRF) in Avenwu Whistle v.2.9.90 and before allows attackers to perform malicious API calls, resulting in the execution of arbitrary code on the victim's machine. | |||||
| CVE-2024-39163 | 2024-12-11 | N/A | 8.8 HIGH | ||
| binux pyspider up to v0.3.10 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Flask endpoints. | |||||
| CVE-2020-20726 | 1 Gilacms | 1 Gila Cms | 2024-12-11 | N/A | 8.8 HIGH |
| Cross Site Request Forgery vulnerability in Gila GilaCMS v.1.11.4 allows a remote attacker to execute arbitrary code via the cm/update_rows/user parameter. | |||||
| CVE-2024-12004 | 2024-12-11 | N/A | 6.1 MEDIUM | ||
| The WPC Order Notes for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.2. This is due to missing or incorrect nonce validation on the ajax_update_order_note() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-41776 | 1 Ibm | 1 Cognos Controller | 2024-12-11 | N/A | 6.5 MEDIUM |
| IBM Cognos Controller 11.0.0 and 11.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | |||||
| CVE-2024-8980 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-12-10 | N/A | 9.6 CRITICAL |
| The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability. | |||||
| CVE-2024-26273 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-12-10 | N/A | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.4.0 through 7.4.3.103, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 update 29 through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_commerce_catalog_web_internal_portlet_CommerceCatalogsPortlet_redirect parameter. | |||||
| CVE-2024-26271 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-12-10 | N/A | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter. | |||||
| CVE-2024-26272 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-12-10 | N/A | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.3.2 through 7.4.3.107, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 GA through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the p_l_back_url parameter. | |||||
| CVE-2020-20502 | 1 Yzmcms | 1 Yzmcms | 2024-12-10 | N/A | 6.5 MEDIUM |
| Cross Site Request Forgery found in yzCMS v.2.0 allows a remote attacker to execute arbitrary code via the token check function. | |||||
| CVE-2020-21252 | 1 Hongcms Project | 1 Hongcms | 2024-12-10 | N/A | 8.8 HIGH |
| Cross Site Request Forgery vulnerability in Neeke HongCMS 3.0.0 allows a remote attacker to execute arbitrary code and escalate privileges via the updateusers parameter. | |||||
| CVE-2020-21366 | 1 Njtech | 1 Greencms | 2024-12-10 | N/A | 8.0 HIGH |
| Cross Site Request Forgery vulnerability in GreenCMS v.2.3 allows an attacker to gain privileges via the adduser function of index.php. | |||||
| CVE-2020-28398 | 2024-12-10 | N/A | 8.8 HIGH | ||
| A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1500 (All versions < V2.16.0), RUGGEDCOM ROX RX1501 (All versions < V2.16.0), RUGGEDCOM ROX RX1510 (All versions < V2.16.0), RUGGEDCOM ROX RX1511 (All versions < V2.16.0), RUGGEDCOM ROX RX1512 (All versions < V2.16.0), RUGGEDCOM ROX RX1524 (All versions < V2.16.0), RUGGEDCOM ROX RX1536 (All versions < V2.16.0), RUGGEDCOM ROX RX5000 (All versions < V2.16.0). The CLI feature in the web interface of affected devices is vulnerable to cross-site request forgery (CSRF). This could allow an attacker to read or modify the device configuration by tricking an authenticated legitimate user into accessing a malicious link. | |||||
| CVE-2024-5428 | 1 Oretnom23 | 1 Simple Online Bidding System | 2024-12-09 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic was found in SourceCodester Simple Online Bidding System 1.0. Affected by this vulnerability is the function save_product of the file /admin/index.php?page=manage_product of the component HTTP POST Request Handler. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-266383. | |||||
| CVE-2024-4929 | 1 Oretnom23 | 1 Simple Online Bidding System | 2024-12-09 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic has been found in SourceCodester Simple Online Bidding System 1.0. This affects an unknown part of the file /simple-online-bidding-system/admin/ajax.php?action=save_user. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-264465 was assigned to this vulnerability. | |||||
| CVE-2024-54226 | 2024-12-09 | N/A | 7.1 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Karl Kiesinger Country Blocker allows Stored XSS.This issue affects Country Blocker: from n/a through 3.2. | |||||