Total
6243 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-43930 | 2024-11-01 | 4.3 Medium | ||
| Cross-Site Request Forgery (CSRF) vulnerability in eyecix JobSearch allows Cross Site Request Forgery.This issue affects JobSearch: from n/a through 2.5.3. | ||||
| CVE-2024-43933 | 2024-11-01 | 4.3 Medium | ||
| Cross-Site Request Forgery (CSRF) vulnerability in WPMobile.App allows Stored XSS.This issue affects WPMobile.App: from n/a through 11.48. | ||||
| CVE-2024-43984 | 1 Podlove | 1 Podlove Podcast Publisher | 2024-11-01 | 9.6 Critical |
| Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podlove Podcast Publisher allows Code Injection.This issue affects Podlove Podcast Publisher: from n/a through 4.1.13. | ||||
| CVE-2024-48311 | 1 Piwigo | 1 Piwigo | 2024-11-01 | 8.8 High |
| Piwigo v14.5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit album function. | ||||
| CVE-2024-49674 | 1 Lukas Huser | 1 Ekc Tournament Manager | 2024-11-01 | 9.6 Critical |
| Cross-Site Request Forgery (CSRF) vulnerability in Lukas Huser EKC Tournament Manager allows Upload a Web Shell to a Web Server.This issue affects EKC Tournament Manager: from n/a through 2.2.1. | ||||
| CVE-2024-49685 | 2024-11-01 | 5.4 Medium | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Custom Twitter Feeds (Tweets Widget) allows Cross Site Request Forgery.This issue affects Custom Twitter Feeds (Tweets Widget): from n/a through 2.2.3. | ||||
| CVE-2024-9434 | 2024-11-01 | 6.1 Medium | ||
| The WPGlobus Translate Options plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the on__translate_options_page() function. This makes it possible for unauthenticated attackers to inject malicious web scripts and update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-27974 | 2024-10-31 | 6.3 Medium | ||
| Cross-site request forgery vulnerability in FUJIFILM printers which implement CentreWare Internet Services or Internet Services allows a remote unauthenticated attacker to alter user information. In the case the user is an administrator, the settings such as the administrator's ID, password, etc. may be altered. As for the details of affected product names, model numbers, and versions, refer to the information provided by the vendor listed under [References]. | ||||
| CVE-2022-30357 | 1 Ovaledge | 1 Ovaledge | 2024-10-31 | 9.8 Critical |
| OvalEdge 5.2.8.0 and earlier is affected by an Account Takeover vulnerability via a POST request to /profile/updateProfile via the userId and email parameters. Authentication is required. | ||||
| CVE-2024-23734 | 2024-10-31 | 5.2 Medium | ||
| Cross Site Request Forgery vulnerability in in the upload functionality of the User Profile pages in savignano S/Notify before 2.0.1 for Bitbucket allow attackers to replace S/MIME certificate or PGP keys for arbitrary users via crafted link. | ||||
| CVE-2024-20421 | 1 Cisco | 4 Ata 191, Ata 191 Firmware, Ata 192 and 1 more | 2024-10-31 | 7.1 High |
| A vulnerability in the web-based management interface of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device with the privileges of the targeted user. | ||||
| CVE-2024-20347 | 2024-10-31 | 4.3 Medium | ||
| A vulnerability in Cisco Emergency Responder could allow an unauthenticated, remote attacker to conduct a CSRF attack, which could allow the attacker to perform arbitrary actions on an affected device. This vulnerability is due to insufficient protections for the web UI of an affected system. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user, such as deleting users from the device. | ||||
| CVE-2023-25708 | 1 Rextheme | 1 Wp Vr | 2024-10-31 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Rextheme WP VR – 360 Panorama and Virtual Tour Builder For WordPress plugin <= 8.2.7 versions. | ||||
| CVE-2023-1414 | 1 Rextheme | 1 Wp Vr | 2024-10-31 | 4.3 Medium |
| The WP VR WordPress plugin before 8.3.0 does not have authorisation and CSRF checks in various AJAX actions, one in particular could allow any authenticated users, such as subscriber to update arbitrary tours | ||||
| CVE-2023-6529 | 1 Rextheme | 1 Wp Vr | 2024-10-31 | 6.1 Medium |
| The WP VR WordPress plugin before 8.3.15 does not authorisation and CSRF in a function hooked to admin_init, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities. | ||||
| CVE-2023-32761 | 1 Archerirm | 1 Archer | 2024-10-30 | 8.1 High |
| Cross Site Request Forgery (CSRF) vulnerability in Archer Platform before v.6.13 and fixed in v.6.12.0.6 and v.6.13.0 allows an authenticated attacker to execute arbitrary code via a crafted request. | ||||
| CVE-2023-38349 | 1 Pnp4nagios | 1 Pnp4nagios | 2024-10-30 | 8.8 High |
| PNP4Nagios through 81ebfc5 lacks CSRF protection in the AJAX controller. This affects 0.6.26. | ||||
| CVE-2024-45737 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-10-30 | 4.3 Medium |
| In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.108, and 9.1.2312.204, a low-privileged user that does not hold the "admin" or "power" Splunk roles could change the maintenance mode state of App Key Value Store (KVStore) through a Cross-Site Request Forgery (CSRF). | ||||
| CVE-2023-22942 | 1 Splunk | 1 Splunk | 2024-10-30 | 5.4 Medium |
| In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the ‘kvstore_client’ REST endpoint lets a potential attacker update SSG KV store collections using an HTTP GET request. | ||||
| CVE-2024-26271 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2024-10-30 | 8.8 High |
| Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter. | ||||