Total
6423 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-28398 | 2024-12-10 | N/A | 8.8 HIGH | ||
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1500 (All versions < V2.16.0), RUGGEDCOM ROX RX1501 (All versions < V2.16.0), RUGGEDCOM ROX RX1510 (All versions < V2.16.0), RUGGEDCOM ROX RX1511 (All versions < V2.16.0), RUGGEDCOM ROX RX1512 (All versions < V2.16.0), RUGGEDCOM ROX RX1524 (All versions < V2.16.0), RUGGEDCOM ROX RX1536 (All versions < V2.16.0), RUGGEDCOM ROX RX5000 (All versions < V2.16.0). The CLI feature in the web interface of affected devices is vulnerable to cross-site request forgery (CSRF). This could allow an attacker to read or modify the device configuration by tricking an authenticated legitimate user into accessing a malicious link. | |||||
CVE-2024-5428 | 1 Oretnom23 | 1 Simple Online Bidding System | 2024-12-09 | 5.0 MEDIUM | 4.3 MEDIUM |
A vulnerability classified as problematic was found in SourceCodester Simple Online Bidding System 1.0. Affected by this vulnerability is the function save_product of the file /admin/index.php?page=manage_product of the component HTTP POST Request Handler. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-266383. | |||||
CVE-2024-4929 | 1 Oretnom23 | 1 Simple Online Bidding System | 2024-12-09 | 5.0 MEDIUM | 4.3 MEDIUM |
A vulnerability classified as problematic has been found in SourceCodester Simple Online Bidding System 1.0. This affects an unknown part of the file /simple-online-bidding-system/admin/ajax.php?action=save_user. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-264465 was assigned to this vulnerability. | |||||
CVE-2024-54226 | 2024-12-09 | N/A | 7.1 HIGH | ||
Cross-Site Request Forgery (CSRF) vulnerability in Karl Kiesinger Country Blocker allows Stored XSS.This issue affects Country Blocker: from n/a through 3.2. | |||||
CVE-2023-28688 | 2024-12-09 | N/A | 5.4 MEDIUM | ||
Cross-Site Request Forgery (CSRF) vulnerability in ThemeHunk TH Variation Swatches allows Cross Site Request Forgery.This issue affects TH Variation Swatches: from n/a through 1.2.7. | |||||
CVE-2023-23726 | 2024-12-09 | N/A | 5.4 MEDIUM | ||
Cross-Site Request Forgery (CSRF) vulnerability in Tickera.com Tickera allows Cross Site Request Forgery.This issue affects Tickera: from n/a through 3.5.1.0. | |||||
CVE-2024-12349 | 2024-12-09 | 5.0 MEDIUM | 4.3 MEDIUM | ||
A vulnerability was found in JFinalCMS 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/tag/save. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2024-12115 | 2024-12-07 | N/A | 4.3 MEDIUM | ||
The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.5.4. This is due to missing or incorrect nonce validation on the duplicate_poll() function. This makes it possible for unauthenticated attackers to duplicate polls via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
CVE-2024-27439 | 2024-12-06 | N/A | 6.5 MEDIUM | ||
An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue. | |||||
CVE-2024-38344 | 2024-12-06 | N/A | 5.4 MEDIUM | ||
A cross-site request forgery vulnerability exists in WP Tweet Walls versions prior to 1.0.4. If this vulnerability is exploited, an attacker allows a user who logs in to the WordPress site where the affected plugin is enabled to access a malicious page. As a result, the user may perform unintended operations on the WordPress site. | |||||
CVE-2024-10480 | 2024-12-06 | N/A | 4.3 MEDIUM | ||
The 3DPrint Lite WordPress plugin before 2.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. | |||||
CVE-2024-54205 | 2024-12-06 | N/A | 7.1 HIGH | ||
Cross-Site Request Forgery (CSRF) vulnerability in Paloma Paloma Widget allows Cross Site Request Forgery.This issue affects Paloma Widget: from n/a through 1.14. | |||||
CVE-2024-53809 | 2024-12-06 | N/A | 4.3 MEDIUM | ||
Cross-Site Request Forgery (CSRF) vulnerability in Kiboko Labs Namaste! LMS allows Cross Site Request Forgery.This issue affects Namaste! LMS: from n/a through 2.6.4.1. | |||||
CVE-2024-12003 | 2024-12-06 | N/A | 6.1 MEDIUM | ||
The WP System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the generate_wp_system_page_content() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
CVE-2024-11444 | 2024-12-06 | N/A | 4.3 MEDIUM | ||
The CLUEVO LMS, E-Learning Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.13.2. This is due to missing or incorrect nonce validation on the cluevo_render_module_ui() function. This makes it possible for unauthenticated attackers to delete modules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
CVE-2024-11336 | 2024-12-06 | N/A | 6.1 MEDIUM | ||
The Clickbank WordPress Plugin (Storefront) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing or incorrect nonce validation via the cs_menu page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
CVE-2024-48846 | 2024-12-05 | N/A | 7.1 HIGH | ||
Cross Site Request Forgery vulnerabilities where found providing a potiential for exposing sensitive information or changing system settings. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02 | |||||
CVE-2024-11341 | 2024-12-05 | N/A | 4.3 MEDIUM | ||
The Simple Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings_page() function. This makes it possible for unauthenticated attackers to update the plugin's settings and redirect all site visitors via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
CVE-2024-26469 | 2024-12-04 | N/A | 8.1 HIGH | ||
Server-Side Request Forgery (SSRF) vulnerability in Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36, allows remote attackers to cause a denial of service (DoS) and escalate privileges via the url parameter in the postProcess() method. | |||||
CVE-2024-26450 | 2024-12-04 | N/A | 5.4 MEDIUM | ||
An issue exists within Piwigo before v.14.2.0 allowing a malicious user to take over the application. This exploit involves chaining a Cross Site Request Forgery vulnerability to issue a Stored Cross Site Scripting payload stored within an Admin user's dashboard, executing remote JavaScript. This can be used to upload a new PHP file under an administrator and directly call that file from the victim's instance to connect back to a malicious listener. |