IBM Security Guardium Insights 2.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 174406.
php/qmn_options_questions_tab.php in the quiz-master-next plugin before 4.7.9 for WordPress allows CSRF, with resultant stored XSS, via the question_name parameter because js/admin_question.js mishandles parsing inside of a SCRIPT element.
YzmCMS v6.3 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily delete user accounts via /admin/admin_manage/delete.
An issue was discovered in Ignited CMS through 2017-02-19. ign/index.php/admin/pages/add_page allows a CSRF attack to add pages.
The icegram plugin before 1.9.19 for WordPress has CSRF via the wp-admin/edit.php option_name parameter.
The copy-me plugin 1.0.0 for WordPress has CSRF for copying non-public posts to a public location.
A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload. (It is possible to bypass CSRF protection by simply not including a nonce parameter.)
bloofoxCMS 0.5.2.1 is infected with a CSRF Attack that leads to an attacker editing any file content (Locally/Remotely).
The Lightbox Plus Colorbox plugin through 2.7.2 for WordPress has cross-site request forgery (CSRF) via wp-admin/admin.php?page=lightboxplus, as demonstrated by resultant width XSS.
my little forum 2.4.12 allows CSRF for deletion of users.
NETGEAR JNR1010 devices before 1.0.0.32 allow cgi-bin/webproc CSRF via the :InternetGatewayDevice.X_TWSZ-COM_URL_Filter.BlackList.1.URL parameter.
The monetize plugin through 1.03 for WordPress has CSRF with resultant XSS via wp-admin/admin.php?page=monetize-zones-new.
FUEL CMS 1.4.13 contains a cross-site request forgery (CSRF) vulnerability that can delete a page via a post ID to /pages/delete/3.
The testimonial-slider plugin through 1.2.1 for WordPress has CSRF with resultant XSS.
The unite-gallery-lite plugin before 1.5 for WordPress has CSRF and SQL injection via wp-admin/admin.php galleryid or id parameters.
The alpine-photo-tile-for-instagram plugin before 1.2.7.6 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=alpine-photo-tile-for-instagram-settings tab parameter.
The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has CSRF with resultant XSS via wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load plugnedit_width, pnemedcount, PlugneditBGColor, PlugneditEditorMargin, or plugneditcontent parameters.
A cross-site request forgery vulnerability in Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier allows attackers to add or remove agent labels.
NoneCMS v1.3 has a CSRF vulnerability in public/index.php/admin/nav/add.html, as demonstrated by adding a navigation column which can be injected with arbitrary web script or HTML via the name parameter to launch a stored XSS attack.
Adobe Flash Player 8.0.34.0 and earlier insufficiently validates HTTP Referer headers, which might allow remote attackers to conduct a CSRF attack via a crafted SWF file.
A cross-site request forgery vulnerability in Jenkins Mac Plugin 1.1.0 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a cross site request forgery vulnerability. A malicious actor can trick a user through a cross site request forgery to unintentionally validate a malicious JDBC URI.
EC Cloud E-Commerce System v1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add admin accounts via /admin.html?do=user&act=add.
A cross-site request forgery (CSRF) vulnerability in Jenkins Flaky Test Handler Plugin 1.0.4 and earlier allows attackers to rebuild a project at a previous git revision.
A cross-site request forgery vulnerability in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs.
A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified username and password.
A Cross-Site Request Forgery (CSRF) in WDJA CMS v1.5.2 allows attackers to arbitrarily add administrator accounts via a crafted URL.
A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.50.1 and earlier allows attackers to provision instances.
A cross-site request forgery (CSRF) vulnerability in Jenkins ElasTest Plugin 1.2.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
PeteReport Version 0.5 contains a Cross Site Request Forgery (CSRF) vulnerability allowing an attacker to trick users into deleting users, products, reports and findings on the application.
e107 2.1.7 has CSRF resulting in arbitrary user deletion.
A cross site request forgery (CSRF) in Wage-CMS 1.5.x-dev allows attackers to arbitrarily add users.
Cross-site request forgery (CSRF) in admin/global/manage.php in WDJA CMS 1.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via the tongji parameter.
A cross-site request forgery (CSRF) vulnerability in Jenkins Maven Cascade Release Plugin 1.3.2 and earlier allows attackers to start cascade builds and layout builds, and reconfigure the plugin.
A cross-site request forgery (CSRF) vulnerability in Indexhibit 2.1.5 allows attackers to arbitrarily delete admin accounts.
IBM Business Automation Workflow traditional 21.0.1 through 21.0.3, 20.0.0.1 through 20.0.0.2, 19.0.0.1 through 19.0.0.3, 18.0.0.0 through 18.0.0.1, IBM Business Automation Workflow containers V21.0.1 - V21.0.3 20.0.0.1 through 20.0.0.2, IBM Business Process Manager 8.6.0.0 through 8.6.0.201803, and 8.5.0.0 through 8.5.0.201706 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
A Cross-Site Request Forgery (CSRF) in /member/post.php?job=postnew&step=post of Qibosoft v7 allows attackers to force victim users into arbitrarily publishing new articles via a crafted URL.
Multiple cross-site scripting (XSS) vulnerabilities in chooser.cgi in Webmin before 1.330 and Usermin before 1.260 allow remote attackers to inject arbitrary web script or HTML via a crafted filename.
Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities.
DBHcms v1.2.0 has no CSRF protection mechanism,as demonstrated by CSRF for an /index.php?dbhcms_pid=-80&deletemenu=9 can delete any menu.
Cross Site Request Forgery (CSRF) vulnerability in puppyCMS v5.1 that can change the admin's password via /admin/settings.php.
The social-locker plugin before 4.2.5 for WordPress has CSRF with resultant XSS via the wp-admin/edit.php?post_type=opanda-item&page=license-manager-sociallocker-next licensekey parameter.
The Import CSV Files WordPress plugin through 1.0 does not sanitise and escaped imported data before outputting them back in a page, and is lacking CSRF check when performing such action as well, resulting in a Reflected Cross-Site Scripting
Cross-site request forgery (CSRF) vulnerability in the Internationalization (i18n) Drupal module 5.x before 5.x-2.3 and 5.x-1.1, and 6.x before 6.x-1.0 beta 1, allows remote attackers to change node translation relationships via unspecified vectors.
The mtouch-quiz plugin before 3.1.3 for WordPress has wp-admin/options-general.php CSRF.
Interaction error between Adobe Flash and multiple Universal Plug and Play (UPnP) services allow remote attackers to perform Cross-Site Request Forgery (CSRF) style attacks by using the Flash navigateToURL function to send a SOAP message to a UPnP control point, as demonstrated by changing the primary DNS server.
White Shark System (WSS) 1.3.2 is vulnerable to CSRF. Attackers can use the user_edit_password.php file to modify the user password.
Cross-site request forgery (CSRF) vulnerability in the apache2-slms package in SUSE Lifecycle Management Server (SLMS) 1.0 on SUSE Linux Enterprise (SLE) 11 allows remote attackers to hijack the authentication of unspecified victims via vectors related to improper parameter quoting. NOTE: some sources report that this is a vulnerability in a product named "Apache SLMS," but that is incorrect.
Cross-site request forgery (CSRF) in PbootCMS 1.3.2 allows attackers to change the password of a user.
A cross-site request forgery (CSRF) in MipCMS v5.0.1 allows attackers to arbitrarily add users via index.php?s=/user/ApiAdminUser/itemAdd.