Cross-Site Request Forgery (CSRF) vulnerability in Alex Benfica Publish to Schedule plugin <= 4.4.2 versions.
Cross Site Request Forgery (CSRF) vulnerability in FlatPress 1.1 via the DeleteFile function in flat/admin.php.
Cross-site request forgery (CSRF) vulnerability in Plume CMS 1.2.4 and possibly earlier allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via unspecified vectors.
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/share_switch.php?mudi=switch&dataType=&fieldName=state&fieldName2=state&tabName=banner&dataID=6.
Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podlove Podcast Publisher plugin <= 3.8.3 versions.
Cross-site request forgery (CSRF) vulnerability in loader/DocumentThreadableLoader.cpp in WebCore in WebKit before r57041, as used in Google Chrome before 4.1.249.1059, allows remote attackers to hijack the authentication of unspecified victims via a crafted synchronous preflight XMLHttpRequest operation.
Cross-Site Request Forgery (CSRF) vulnerability in FixBD Educare plugin <= 1.4.1 versions.
Cross-Site Request Forgery (CSRF) vulnerability in Themeum Tutor LMS.This issue affects Tutor LMS: from n/a through 2.7.2.
Cross-Site Request Forgery (CSRF) vulnerability in Aleksandar Urošević My YouTube Channel plugin <= 3.23.3 versions.
In Redaxo 5.2.0, the cron management of the admin panel suffers from CSRF that leads to arbitrary Remote Code Execution via addons/cronjob/lib/types/phpcode.php.
Cross-Site Request Forgery (CSRF) vulnerability in Gopi Ramasamy WP tell a friend popup form plugin <= 7.1 versions.
Multiple cross-site request forgery (CSRF) vulnerabilities in the web management interface in InterSect Alliance Snare Agent 3.2.3 and earlier on Solaris, Snare Agent 3.1.7 and earlier on Windows, Snare Agent 1.5.0 and earlier on Linux and AIX, Snare Agent 1.4 and earlier on IRIX, Snare Epilog 1.5.3 and earlier on Windows, and Snare Epilog 1.2 and earlier on UNIX allow remote attackers to hijack the authentication of administrators for requests that (1) change the password or (2) change the listening port.
A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers to connect to an attacker-specified web server.
Cross-site request forgery (CSRF) vulnerability in HP Insight Software Installer for Windows before 6.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors, a different vulnerability than CVE-2010-1968.
Cross-Site Request Forgery (CSRF) vulnerability in Rextheme WP VR – 360 Panorama and Virtual Tour Builder For WordPress plugin <= 8.2.7 versions.
Cross-Site Request Forgery (CSRF) vulnerability in Miro Mannino Flickr Justified Gallery plugin <= 3.5 versions.
Cross-Site Request Forgery (CSRF) vulnerability in Saturday Drive Ninja Forms allows Cross Site Request Forgery.This issue affects Ninja Forms: from n/a through 3.8.6.
Cross-Site Request Forgery (CSRF) in GitHub repository unilogies/bumsys prior to 2.1.1.
Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem with firmware 2.0.2r1256-060303 allow remote attackers to hijack the authentication of administrators for requests that (1) reset the modem, (2) erase the firmware, (3) change the administrative password, (4) install modified firmware, or (5) change the access level, as demonstrated by a request to goform/_aslvl.
Cross-Site Request Forgery (CSRF) vulnerability in CAGE Web Design | Rolf van Gelder Optimize Database after Deleting Revisions plugin <= 5.1 versions.
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/userSys_deal.php?mudi=infoSet.
Cross-Site Request Forgery (CSRF) vulnerability in Frédéric Sheedy Etsy Shop plugin <= 3.0.3 versions.
A Cross-Site Request Forgery (CSRF) vulnerability in the Multi User plugin 1.8.2 for GetSimple CMS allows remote attackers to add admin (or other) users after an authenticated admin visits a third-party site or clicks on a URL.
Cross-Site Request Forgery (CSRF) vulnerability in Jason Rouet Weather Station plugin <= 3.8.12 versions.
Cross-Site Request Forgery (CSRF) vulnerability in Vladimir Prelovac Smart YouTube PRO plugin <= 4.3 versions.
Cross-site request forgery (CSRF) vulnerability in Apache CouchDB 0.8.0 through 0.11.0 allows remote attackers to hijack the authentication of administrators for direct requests to an installation URL.
Multiple cross-site request forgery (CSRF) vulnerabilities in LetoDMS (formerly MyDMS) 1.7.2 and earlier allow remote attackers to hijack the authentication of administrators for requests that use (1) op/op.EditUserData.php, (2) op/op.UsrMgr.php, (3) out/out.RemoveVersion.php, (4) op/op.RemoveFolder.php, (5) op/op.DefaultKeywords.php, (6) op/op.GroupMgr.php, (7) op/op.FolderAccess.php, (8) op/op.FolderNotify.php, or (9) op.MoveFolder.php in mydms.
Cross-site request forgery (CSRF) vulnerability in HP System Insight Manager before 6.0 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Cross-site request forgery (CSRF) vulnerability in AlegroCart 1.1 allows remote attackers to hijack the authentication of the administrator for requests that reset the administrator password via a POST to admin/ with an update action.
Multiple cross-site request forgery (CSRF) vulnerabilities in admin/configure.php in DFD Cart 1.198, 1.197, and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) conduct cross-site scripting (XSS) attacks or (2) change unspecified settings.
Multiple cross-site request forgery (CSRF) vulnerabilities in the Pods plugin before 2.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) conduct cross-site scripting (XSS) attacks via the toggled parameter in a toggle action in the pods-components page to wp-admin/admin.php, (2) delete a pod in a delete action in the pods page to wp-admin/admin.php, (3) reset pod settings and data via the pods_reset parameter in the pod-settings page to wp-admin/admin.php, (4) deactivate and reset pod data via the pods_reset_deactivate parameter in the pod-settings page to wp-admin/admin.php, (5) delete the admin role via the id parameter in a delete action in the pods-component-roles-and-capabilities page to wp-admin/admin.php, or (6) enable "roles and capabilities" in a toggle action in the pods-components page to wp-admin/admin.php.
Cross-site request forgery (CSRF) vulnerability in add_user.php in Employee Timeclock Software 0.99 allows remote attackers to hijack the authentication of an administrator for requests that create new administrative users. NOTE: some of these details are obtained from third party information.
The gallery-by-supsystic plugin before 1.8.6 for WordPress has CSRF.
Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin <= 8.0.10 versions.
The Feather Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions starting from 1.0.7 up to, and including, 1.1.1. This is due to missing nonce validation in the 'createTempAccountLink' function. This makes it possible for unauthenticated attackers to create a new user with administrator role via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. An attacker can leverage CVE-2023-2545 to get the login link or request a password reset to the new user's email address.
Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs, Madalin Ungureanu, Antohe Cristian Client Portal – Private user pages and login plugin <= 1.1.8 versions.
servlet/UserServlet in SearchBlox 8.6.6 has CSRF via the u_name, u_passwd1, u_passwd2, role, and X-XSRF-TOKEN POST parameters because of CSRF Token Bypass.
A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to execute arbitrary SQL scripts.
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/homePro_deal.php?mudi=del&dataType=&dataTypeCN.
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/banner_deal.php?mudi=del&dataType=&dataTypeCN=%E5%9B%BE%E7%89%87%E5%B9%BF%E5%91%8A&theme=cs&dataID=6.
Cross Site Request Forgery (CSRF) vulnerability in Express cart v1.1.16 allows attackers to add an administrator account, add discount code or other unspecified impacts.
Cross-site request forgery (CSRF) vulnerability in createDestination.action in Apache ActiveMQ before 5.3.1 allows remote attackers to hijack the authentication of unspecified victims for requests that create queues via the JMSDestination parameter in a queue action.
Cross-site request forgery (CSRF) vulnerability in index.php in OpenCart 1.4 allows remote attackers to hijack the authentication of an application administrator for requests that create an administrative account via a POST request with the route parameter set to "user/user/insert." NOTE: some of these details are obtained from third party information.
Cross-site request forgery (CSRF) vulnerability in the login interface in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows remote attackers to hijack the authentication of users for requests that (1) create accounts or (2) reset passwords, related to the Special:Userlogin form.
Cross-site request forgery (CSRF) in Fork-CMS before 5.8.2 allow remote attackers to hijack the authentication of logged administrators.
In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application.
Spiceworks Version <= 7.5.00107 is affected by CSRF which can lead to privilege escalation via "/settings/v1/users" function.
Multiple cross-site request forgery (CSRF) vulnerabilities in the Chaos Tool Suite (aka CTools) module 6.x before 6.x-1.4 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable a page via a q=admin/build/pages/nojs/enable/ value or (2) disable a page via a q=admin/build/pages/nojs/disable/ value.