Total
7786 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-20255 | 1 Cisco | 1 Expressway | 2024-11-21 | N/A | 8.2 HIGH |
| A vulnerability in the SOAP API of Cisco Expressway Series and Cisco TelePresence Video Communication Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the REST API to follow a crafted link. A successful exploit could allow the attacker to cause the affected system to reload. | |||||
| CVE-2024-20254 | 1 Cisco | 1 Expressway | 2024-11-21 | N/A | 9.6 CRITICAL |
| Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks that perform arbitrary actions on an affected device. Note: "Cisco Expressway Series" refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices. For more information about these vulnerabilities, see the Details ["#details"] section of this advisory. | |||||
| CVE-2024-20252 | 1 Cisco | 1 Expressway | 2024-11-21 | N/A | 9.6 CRITICAL |
| Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks that perform arbitrary actions on an affected device. Note: "Cisco Expressway Series" refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices. For more information about these vulnerabilities, see the Details ["#details"] section of this advisory. | |||||
| CVE-2024-1845 | 1 E4jconnect | 1 Vikrentcar | 2024-11-21 | N/A | 8.8 HIGH |
| The VikRentCar Car Rental Management System WordPress plugin before 1.3.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks | |||||
| CVE-2024-1162 | 1 Themeisle | 1 Orbit Fox | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10.29. This is due to missing or incorrect nonce validation on the register_reference() function. This makes it possible for unauthenticated attackers to update the connected API keys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-0880 | 1 100296 | 1 Qdbcrm | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in Qidianbang qdbcrm 1.1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /user/edit?id=2 of the component Password Reset. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252032. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-0859 | 1 Wpaffiliatemanager | 1 Affiliates Manager | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Affiliates Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.9.34. This is due to missing or incorrect nonce validation on the process_bulk_action function in ListAffiliatesTable.php. This makes it possible for unauthenticated attackers to delete affiliates via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-0796 | 1 Pluginus | 1 Woot | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Active Products Tables for WooCommerce. Professional products tables for WooCommerce store plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6.1. This is due to missing or incorrect nonce validation on several functions corresponding to AJAX actions. This makes it possible for unauthenticated attackers to invoke those functions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-0790 | 1 Pluginus | 1 Wolf - Wordpress Posts Bulk Editor And Products Manager Professional | 2024-11-21 | N/A | 5.4 MEDIUM |
| The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8.1. This is due to missing or incorrect nonce validation on the wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_term functions. This makes it possible for unauthenticated attackers to create, modify and delete taxonomy terms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Furthermore, the functions wpbe_save_options, wpbe_bulk_delete_posts_count, wpbe_bulk_delete_posts, and wpbe_save_meta are vulnerable to Cross-Site Request Forgery allowing for plugin options update, post count deletion, post deletion and modification of post metadata via forged request. | |||||
| CVE-2024-0667 | 1 10web | 1 Form Maker | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.15.21. This is due to missing or incorrect nonce validation on the 'execute' function. This makes it possible for unauthenticated attackers to execute arbitrary methods in the 'BoosterController' class via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-0660 | 1 Strategy11 | 1 Formidable Forms | 2024-11-21 | N/A | 6.1 MEDIUM |
| The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.7.2. This is due to missing or incorrect nonce validation on the update_settings function. This makes it possible for unauthenticated attackers to change form settings and add malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-0624 | 1 Strangerstudios | 1 Paid Memberships Pro | 2024-11-21 | N/A | 5.3 MEDIUM |
| The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.7. This is due to missing or incorrect nonce validation on the pmpro_update_level_order() function. This makes it possible for unauthenticated attackers to update the order of levels via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-0623 | 1 Vektor-inc | 1 Vk Block Patterns | 2024-11-21 | N/A | 4.3 MEDIUM |
| The VK Block Patterns plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.31.1.1. This is due to missing or incorrect nonce validation on the vbp_clear_patterns_cache() function. This makes it possible for unauthenticated attackers to clear the patterns cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-0555 | 1 Xantech | 2 Wic1200, Wic1200 Firmware | 2024-11-21 | N/A | 4.6 MEDIUM |
| A Cross-Site Request Forgery (CSRF) vulnerability has been found on WIC1200, affecting version 1.1. An authenticated user could lead another user into executing unwanted actions inside the application they are logged in. This vulnerability is possible due to the lack of propper CSRF token implementation. | |||||
| CVE-2024-0522 | 1 Allegrosoft | 1 Rompager | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in Allegro RomPager 4.01. It has been classified as problematic. Affected is an unknown function of the file usertable.htm?action=delete of the component HTTP POST Request Handler. The manipulation of the argument username leads to cross-site request forgery. It is possible to launch the attack remotely. Upgrading to version 4.30 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-250692. NOTE: The vendor explains that this is a very old issue that got fixed 20 years ago but without a public disclosure. | |||||
| CVE-2024-0511 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on the wpr_update_form_action_meta function. This makes it possible for unauthenticated attackers to post metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-0428 | 1 Kobzarev | 1 Index Now | 2024-11-21 | N/A | 7.1 HIGH |
| The Index Now plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.3. This is due to missing or incorrect nonce validation on the 'reset_form' function. This makes it possible for unauthenticated attackers to delete arbitrary site options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-0374 | 1 Formviewswp | 1 Views For Wpforms | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.2. This is due to missing or incorrect nonce validation on the 'create_view' function. This makes it possible for unauthenticated attackers to create views via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-0373 | 1 Formviewswp | 1 Views For Wpforms | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.2. This is due to missing or incorrect nonce validation on the 'save_view' function. This makes it possible for unauthenticated attackers to modify arbitrary post titles via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-7092 | 1 Uniwayinfo | 2 Uw-302vp, Uw-302vp Firmware | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in Uniway UW-302VP 2.0. It has been rated as problematic. This issue affects some unknown processing of the file /boaform/wlan_basic_set.cgi of the component Admin Web Interface. The manipulation of the argument wlanssid/password leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-248939. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||