Total
7785 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-41305 | 1 Wondercms | 1 Wondercms | 2024-11-21 | N/A | 4.7 MEDIUM |
| A Server-Side Request Forgery (SSRF) in the Plugins Page of WonderCMS v3.4.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the pluginThemeUrl parameter. | |||||
| CVE-2024-40601 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | N/A | 6.5 MEDIUM |
| An issue was discovered in the MediaWikiChat extension for MediaWiki through 1.42.1. CSRF can occur in API modules. | |||||
| CVE-2024-40334 | 1 Idccms | 1 Idccms | 2024-11-21 | N/A | 8.8 HIGH |
| idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/serverFile_deal.php?mudi=upFileDel&dataID=3 | |||||
| CVE-2024-40332 | 1 Idccms | 1 Idccms | 2024-11-21 | N/A | 8.8 HIGH |
| idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/moneyRecord_deal.php?mudi=delRecord | |||||
| CVE-2024-40119 | 2024-11-21 | N/A | 8.8 HIGH | ||
| Nepstech Wifi Router xpon (terminal) model NTPL-Xpon1GFEVN v.1.0 Firmware V2.0.1 contains a Cross-Site Request Forgery (CSRF) vulnerability in the password change function, which allows remote attackers to change the admin password without the user's consent, leading to a potential account takeover. | |||||
| CVE-2024-40037 | 1 Idccms Project | 1 Idccms | 2024-11-21 | N/A | 8.8 HIGH |
| idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/userScore_deal.php?mudi=del | |||||
| CVE-2024-40034 | 1 Idccms Project | 1 Idccms | 2024-11-21 | N/A | 8.8 HIGH |
| idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/userLevel_deal.php?mudi=del | |||||
| CVE-2024-3972 | 1 Davidjmiller | 1 Similarity | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Similarity WordPress plugin through 3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | |||||
| CVE-2024-3873 | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was found in SMI SMI-EX-5414W up to 1.0.03. It has been classified as problematic. This affects an unknown part of the component Web Interface. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-260907. | |||||
| CVE-2024-3825 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| Versions of the BlazeMeter Jenkins plugin prior to 4.22 contain a flaw which results in credential enumeration | |||||
| CVE-2024-3798 | 2024-11-21 | N/A | N/A | ||
| Insecure handling of GET header parameter file included in requests being sent to an instance of the open-source project Phoniebox allows an attacker to create a website, which – when visited by a user – will send malicious requests to multiple hosts on the local network. If such a request reaches the server, it will cause one of the following (depending on the chosen payload): shell command execution, reflected XSS or cross-site request forgery. This issue affects Phoniebox in all releases through 2.7. Newer 2.x releases were not tested, but they might also be vulnerable. Phoniebox in version 3.0 and higher are not affected. | |||||
| CVE-2024-3593 | 1 Sevenspark | 1 Ubermenu | 2024-11-21 | N/A | 7.2 HIGH |
| The UberMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. This is due to missing or incorrect nonce validation on the ubermenu_delete_all_item_settings and ubermenu_reset_settings functions. This makes it possible for unauthenticated attackers to delete and reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-3246 | 1 Litespeedtech | 1 Litespeed Cache | 2024-11-21 | N/A | 6.1 MEDIUM |
| The LiteSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0.1. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the token setting and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-3142 | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was found in Clavister E10 and E80 up to 14.00.10 and classified as problematic. This issue affects some unknown processing of the component Setting Handler. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 14.00.11 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-258917 was assigned to this vulnerability. | |||||
| CVE-2024-39326 | 2024-11-21 | N/A | 4.4 MEDIUM | ||
| SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint `/admin/projects/{projectname}/skills/{skillname}/video` (and probably others) is open to a cross-site request forgery (CSRF) vulnerability. Due to the endpoint being CSRFable e.g POST request, supports a content type that can be exploited (multipart file upload), makes a state change and has no CSRF mitigations in place (samesite flag, CSRF token). It is possible to perform a CSRF attack against a logged in admin account, allowing an attacker that can target a logged in admin of Skills Service to modify the videos, captions, and text of the skill. Version 2.12.6 contains a patch for this issue. | |||||
| CVE-2024-39063 | 2024-11-21 | N/A | 8.8 HIGH | ||
| Lime Survey <= 6.5.12 is vulnerable to Cross Site Request Forgery (CSRF). The YII_CSRF_TOKEN is only checked when passed in the body of POST requests, but the same check isn't performed in the equivalent GET requests. | |||||
| CVE-2024-38457 | 1 Xenforo | 1 Xenforo | 2024-11-21 | N/A | 8.8 HIGH |
| Xenforo before 2.2.16 allows CSRF. | |||||
| CVE-2024-37941 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Internal Link Juicer Internal Link Juicer: SEO Auto Linker for WordPress.This issue affects Internal Link Juicer: SEO Auto Linker for WordPress: from n/a through 2.24.3. | |||||
| CVE-2024-37940 | 2024-11-21 | N/A | 7.4 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Seraphinite Solutions Seraphinite Accelerator (Full, premium).This issue affects Seraphinite Accelerator (Full, premium): from n/a through 2.21.13. | |||||
| CVE-2024-37939 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in VolThemes Patricia Lite.This issue affects Patricia Lite: from n/a through 1.2.3. | |||||