Total
6243 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-26272 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2024-10-30 | 8.8 High |
| Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.3.2 through 7.4.3.107, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 GA through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the p_l_back_url parameter. | ||||
| CVE-2024-26273 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2024-10-30 | 8.8 High |
| Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.4.0 through 7.4.3.103, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 update 29 through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_commerce_catalog_web_internal_portlet_CommerceCatalogsPortlet_redirect parameter. | ||||
| CVE-2024-8980 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2024-10-30 | 9.6 Critical |
| The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently protect against Cross-Site Request Forgery (CSRF) attacks, which allows remote attackers to execute arbitrary Groovy script via a crafted URL or a XSS vulnerability. | ||||
| CVE-2023-3627 | 1 Salesagility | 1 Suitecrm | 2024-10-30 | 8.8 High |
| Cross-Site Request Forgery (CSRF) in GitHub repository salesagility/suitecrm-core prior to 8.3.1. | ||||
| CVE-2024-48191 | 1 Dingfangzu | 1 Dingfangzu | 2024-10-29 | 6.3 Medium |
| dingfanzu CMS 1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/doAdminAction.php?act=delAdmin&id=17 | ||||
| CVE-2024-48291 | 1 Dingfangzu | 1 Dingfangzu | 2024-10-29 | 6.3 Medium |
| dingfanzu CMS 1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admin/doAdminAction.php?act=editAdmin&id=17 | ||||
| CVE-2023-52123 | 1 Wpchill | 1 Strong Testimonials | 2024-10-29 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in WPChill Strong Testimonials.This issue affects Strong Testimonials: from n/a through 3.1.10. | ||||
| CVE-2024-6720 | 1 Dmytropopov | 1 Light Poll | 2024-10-28 | 6.1 Medium |
| The Light Poll WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks | ||||
| CVE-2024-3059 | 1 Enl Newsletter Plugin Project | 1 Enl-newsletter | 2024-10-28 | 5.7 Medium |
| The ENL Newsletter WordPress plugin through 1.0.1 does not have CSRF checks in some places, which could allow attackers to make logged in admins delete arbitrary Campaigns via a CSRF attack | ||||
| CVE-2023-20011 | 1 Cisco | 2 Application Policy Infrastructure Controller, Cloud Network Controller | 2024-10-28 | 8.8 High |
| A vulnerability in the web-based management interface of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Network Controller, formerly Cisco Cloud APIC, could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts. | ||||
| CVE-2023-20113 | 1 Cisco | 1 Sd-wan | 2024-10-28 | 6.5 Medium |
| A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. These actions could include modifying the system configuration and deleting accounts. | ||||
| CVE-2023-26248 | 1 Kademila | 1 Dht | 2024-10-28 | 5.3 Medium |
| The Kademlia DHT (go-libp2p-kad-dht 0.20.0 and earlier) used in IPFS (0.18.1 and earlier) assigns routing information for content (i.e., information about who holds the content) to be stored by peers whose peer IDs have a small DHT distance from the content ID. This allows an attacker to censor content by generating many Sybil peers whose peer IDs have a small distance from the content ID, thus hijacking the content resolution process. | ||||
| CVE-2021-4389 | 1 Wensolutions | 1 Wp Travel | 2024-10-28 | 4.3 Medium |
| The WP Travel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.4.6. This is due to missing or incorrect nonce validation on the save_meta_data() function. This makes it possible for unauthenticated attackers to save metadata for travel posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2020-36740 | 1 Radio Buttons For Taxonomies Project | 1 Radio Buttons For Taxonomies | 2024-10-28 | 4.3 Medium |
| The Radio Buttons for Taxonomies plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on the save_single_term() function. This makes it possible for unauthenticated attackers to save terms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2019-15660 | 1 Butlerblog | 1 Wp-members | 2024-10-28 | N/A |
| The wp-members plugin before 3.2.8 for WordPress has CSRF. | ||||
| CVE-2023-7202 | 2024-10-28 | 6.1 Medium | ||
| The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated users, such as subscriber to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF | ||||
| CVE-2023-6501 | 1 Cochinoman | 1 Splashscreen | 2024-10-28 | 4.3 Medium |
| The Splashscreen WordPress plugin through 0.20 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | ||||
| CVE-2024-22475 | 2024-10-27 | 6.1 Medium | ||
| Cross-site request forgery vulnerability in multiple printers and scanners which implement Web Based Management provided by BROTHER INDUSTRIES, LTD. allows a remote unauthenticated attacker to perform unintended operations on the affected product. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]. | ||||
| CVE-2024-2215 | 2024-10-27 | 6.1 Medium | ||
| A cross-site request forgery (CSRF) vulnerability in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions. | ||||
| CVE-2024-23785 | 1 Sharp | 4 Jh-rv11, Jh-rv11 Firmware, Jh-rvb1 and 1 more | 2024-10-27 | 6.1 Medium |
| Cross-site request forgery vulnerability in Energy Management Controller with Cloud Services JH-RVB1 /JH-RV11 Ver.B0.1.9.1 and earlier allows a remote unauthenticated attacker to change the product settings. | ||||