Total
7785 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-6022 | 1 Adamsolymosi | 1 Contentlock | 2024-11-21 | N/A | 8.8 HIGH |
| The ContentLock WordPress plugin through 1.0.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2024-5943 | 1 Kylephillips | 1 Nested Pages | 2024-11-21 | N/A | 8.8 HIGH |
| The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the 'settingsPage' function and missing santization of the 'tab' parameter. This makes it possible for unauthenticated attackers to call local php files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-5815 | 1 Github | 1 Enterprise Server | 2024-11-21 | N/A | 6.5 MEDIUM |
| A Cross-Site Request Forgery vulnerability in GitHub Enterprise Server allowed write operations on a victim-owned repository by exploiting incorrect request types. A mitigating factor is that the attacker would have to be a trusted GitHub Enterprise Server user, and the victim would have to visit a tag in the attacker's fork of their own repository. vulnerability affected all versions of GitHub Enterprise Server prior 3.14 and was fixed in version 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
| CVE-2024-5804 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| The Conditional Fields for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.13. This is due to missing or incorrect nonce validation on the wpcf7cf_admin_init function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-5786 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| Cross-Site Request Forgery vulnerability in Comtrend router WLD71-T1_v2.0.201820, affecting the GRG-4280us version. This vulnerability allows an attacker to force an end user to execute unwanted actions in a web application to which he is authenticated. | |||||
| CVE-2024-5767 | 1 Sitetweet Project | 1 Sitetweet | 2024-11-21 | N/A | 8.8 HIGH |
| The sitetweet WordPress plugin through 0.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | |||||
| CVE-2024-5676 | 2024-11-21 | N/A | 6.8 MEDIUM | ||
| The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to Cross-Site Request Forgery (CSRF) attacks due to a lack of countermeasures and the use of the HTTP method `GET` to introduce changes in the system. | |||||
| CVE-2024-5551 | 1 Wp-staging | 1 Wp Staging | 2024-11-21 | N/A | 7.5 HIGH |
| The WP STAGING Pro WordPress Backup Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the 'sub' parameter called from the WP STAGING WordPress Backup Plugin - Backup Duplicator & Migration plugin. This makes it possible for unauthenticated attackers to include any local files that end in '-settings.php' via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-5185 | 2024-11-21 | N/A | 7.3 HIGH | ||
| The EmbedAI application is susceptible to security issues that enable Data Poisoning attacks. This weakness could result in the application becoming compromised, leading to unauthorized entries or data poisoning attacks, which are delivered by a CSRF vulnerability due to the absence of a secure session management implementation and weak CORS policies weakness. An attacker can direct a user to a malicious webpage that exploits a CSRF vulnerability within the EmbedAI application. By leveraging this CSRF vulnerability, the attacker can deceive the user into inadvertently uploading and integrating incorrect data into the application’s language model. | |||||
| CVE-2024-4969 | 1 Devnath Verma | 1 Widget Bundle | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Widget Bundle WordPress plugin through 2.0.0 does not have CSRF checks when logging Widgets, which could allow attackers to make logged in admin enable/disable widgets via a CSRF attack | |||||
| CVE-2024-4689 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in ShortPixel ShortPixel Adaptive Images.This issue affects ShortPixel Adaptive Images: from n/a through 3.8.3. | |||||
| CVE-2024-4600 | 2024-11-21 | N/A | 7.1 HIGH | ||
| Cross-Site Request Forgery vulnerability in Socomec Net Vision, version 7.20. This vulnerability could allow an attacker to trick registered users into performing critical actions, such as adding and updating accounts, due to lack of proper sanitisation of the ‘set_param.cgi’ file. | |||||
| CVE-2024-4543 | 1 Yeken | 1 Snippet Shortcodes | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Snippet Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.1.4. This is due to missing or incorrect nonce validation when adding or editing shortcodes. This makes it possible for unauthenticated attackers to modify shortcodes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-4499 | 1 Lollms | 1 Lollms | 2024-11-21 | N/A | 6.3 MEDIUM |
| A Cross-Site Request Forgery (CSRF) vulnerability exists in the XTTS server of parisneo/lollms version 9.6 due to a lax CORS policy. The vulnerability allows attackers to perform unauthorized actions by tricking a user into visiting a malicious webpage, which can then trigger arbitrary LoLLMS-XTTS API requests. This issue can lead to the reading and writing of audio files and, when combined with other vulnerabilities, could allow for the reading of arbitrary files on the system and writing files outside the permitted audio file location. | |||||
| CVE-2024-4475 | 1 Onetarek | 1 Wp Logs Book | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check when clearing logs, which could allow attackers to make a logged in admin clear the logs them via a CSRF attack | |||||
| CVE-2024-4474 | 1 Onetarek | 1 Wp Logs Book | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2024-4328 | 1 Parisneo | 1 Lollms Web Ui | 2024-11-21 | N/A | 8.1 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability exists in the clear_personality_files_list function of the parisneo/lollms-webui v9.6. The vulnerability arises from the use of a GET request to clear personality files list, which lacks proper CSRF protection. This flaw allows attackers to trick users into performing actions without their consent, such as deleting important files on the system. The issue is present in the application's handling of requests, making it susceptible to CSRF attacks that could lead to unauthorized actions being performed on behalf of the user. | |||||
| CVE-2024-4172 | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability classified as problematic was found in idcCMS 1.35. Affected by this vulnerability is an unknown functionality of the file /admin/admin_cl.php?mudi=revPwd. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-261991. | |||||
| CVE-2024-45693 | 1 Apache | 1 Cloudstack | 2024-11-21 | N/A | 8.0 HIGH |
| Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the authenticated users and may lead to account takeover, disruption, exposure of sensitive data and compromise integrity of the resources owned by the user account that are managed by the platform. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1 Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. | |||||
| CVE-2024-45172 | 2024-11-21 | N/A | 6.8 MEDIUM | ||
| An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Due to missing protection mechanisms, the C-MOR web interface is vulnerable to cross-site request forgery (CSRF) attacks. The C-MOR web interface offers no protection against cross-site request forgery (CSRF) attacks. | |||||