Total
6529 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-42475 | 2024-08-19 | N/A | 6.5 MEDIUM | ||
| In the OAuth library for nim prior to version 0.11, the `state` values generated by the `generateState` function do not have sufficient entropy. These can be successfully guessed by an attacker allowing them to perform a CSRF vs a user, associating the user's session with the attacker's protected resources. While `state` isn't exactly a cryptographic value, it should be generated in a cryptographically secure way. `generateState` should be using a CSPRNG. Version 0.11 modifies the `generateState` function to generate `state` values of at least 128 bits of entropy while using a CSPRNG. | |||||
| CVE-2024-7501 | 2024-08-19 | N/A | 4.2 MEDIUM | ||
| The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.7. This is due to missing or incorrect nonce validation on the download_theme() function. This makes it possible for unauthenticated attackers to download arbitrary themes from the website via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. In versions prior to 1.8.6 it was possible to download the entire sites files. | |||||
| CVE-2024-42476 | 2024-08-19 | N/A | 6.5 MEDIUM | ||
| In the OAuth library for nim prior to version 0.11, the Authorization Code grant and Implicit grant both rely on the `state` parameter to prevent cross-site request forgery (CSRF) attacks where a resource owner might have their session associated with protected resources belonging to an attacker. When this project is compiled with certain compiler flags set, it is possible that the `state` parameter will not be checked at all, creating a CSRF vulnerability. Version 0.11 checks the `state` parameter using a regular `if` statement or `doAssert` instead of relying on a plain `assert`. `doAssert` will achieve the desired behavior even if `-d:danger` or `--assertions:off` is set. | |||||
| CVE-2024-7422 | 2024-08-19 | N/A | 4.3 MEDIUM | ||
| The Theme My Login plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.1.7. This is due to missing or incorrect nonce validation on the tml_admin_save_ms_settings() function. This makes it possible for unauthenticated attackers to update the theme's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Please note that this only affects multi-site instances. | |||||
| CVE-2024-7662 | 1 Oretnom23 | 1 Car Driving School Management System | 2024-08-15 | 5.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability was found in SourceCodester Car Driving School Management System 1.0. It has been declared as problematic. This vulnerability affects the function save_package of the file admin/packages/manag_package.php. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-7661 | 1 Oretnom23 | 1 Car Driving School Management System | 2024-08-15 | 5.0 MEDIUM | 8.8 HIGH |
| A vulnerability was found in SourceCodester Car Driving School Management System 1.0. It has been classified as problematic. This affects the function save_users of the file admin/user/index.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-42628 | 1 Frogcms Project | 1 Frogcms | 2024-08-15 | N/A | 8.8 HIGH |
| FrogCMS v0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/snippet/edit/3. | |||||
| CVE-2024-42624 | 1 Frogcms Project | 1 Frogcms | 2024-08-15 | N/A | 8.8 HIGH |
| FrogCMS v0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/page/delete/10. | |||||
| CVE-2024-40476 | 1 Mayurik | 1 Best House Rental Management | 2024-08-15 | N/A | 8.0 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability was found in SourceCodester Best House Rental Management System v1.0. This could lead to an attacker tricking the administrator into adding/modifying/deleting valid tenant data via a crafted HTML page, as demonstrated by a Delete Tenant action at the /rental/ajax.php?action=delete_tenant. | |||||
| CVE-2024-42623 | 1 Frogcms Project | 1 Frogcms | 2024-08-13 | N/A | 8.8 HIGH |
| FrogCMS v0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/layout/delete/1 | |||||
| CVE-2024-42631 | 1 Frogcms Project | 1 Frogcms | 2024-08-13 | N/A | 8.8 HIGH |
| FrogCMS v0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/layout/edit/1. | |||||
| CVE-2024-42627 | 1 Frogcms Project | 1 Frogcms | 2024-08-13 | N/A | 8.8 HIGH |
| FrogCMS v0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/snippet/delete/3. | |||||
| CVE-2024-42625 | 1 Frogcms Project | 1 Frogcms | 2024-08-13 | N/A | 8.8 HIGH |
| FrogCMS v0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/layout/add | |||||
| CVE-2024-42629 | 1 Frogcms Project | 1 Frogcms | 2024-08-13 | N/A | 8.8 HIGH |
| FrogCMS v0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/page/edit/10. | |||||
| CVE-2024-42632 | 1 Frogcms Project | 1 Frogcms | 2024-08-13 | N/A | 8.8 HIGH |
| FrogCMS v0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/page/add. | |||||
| CVE-2024-42630 | 1 Frogcms Project | 1 Frogcms | 2024-08-13 | N/A | 8.8 HIGH |
| FrogCMS v0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/plugin/file_manager/create_file. | |||||
| CVE-2024-42626 | 1 Frogcms Project | 1 Frogcms | 2024-08-13 | N/A | 8.8 HIGH |
| FrogCMS v0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/snippet/add. | |||||
| CVE-2024-38724 | 2024-08-13 | N/A | 7.1 HIGH | ||
| Cross-Site Request Forgery (CSRF), Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Muhammad Rehman Contact Form 7 Summary and Print allows Stored XSS.This issue affects Contact Form 7 Summary and Print: from n/a through 1.2.5. | |||||
| CVE-2024-40488 | 2024-08-13 | N/A | 8.8 HIGH | ||
| A Cross-Site Request Forgery (CSRF) vulnerability was found in the Kashipara Live Membership System v1.0. This could lead to an attacker tricking the administrator into deleting valid member data via a crafted HTML page, as demonstrated by a Delete Member action at the /delete_members.php. | |||||
| CVE-2024-7574 | 2024-08-12 | N/A | 6.1 MEDIUM | ||
| The Christmasify! plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.5. This is due to missing nonce validation on the 'options' function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||