OTCMS 3.20 allows XSS by adding a keyword or link to an article, as demonstrated by an admin/keyWord_deal.php?mudi=add request.
An issue was discovered in OTCMS 3.61. XSS exists in admin/users.php via these parameters: dataTypeCN dataMode dataModeStr.
An issue was discovered in OTCMS 3.61. XSS exists in admin/share_switch.php via these parameters: fieldName fieldName2 tabName.
OTCMS 3.81 allows XSS via the mode parameter in an apiRun.php?mudi=autoRun request.
CSRF in admin/edit-article.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to edit an article, given the id, via a crafted request.
CSRF in admin/edit-category.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to edit a category, given the id, via a crafted request.
Cross-site request forgery (CSRF) vulnerability in application/modules/admin/controllers/users.php in Tomaz Muraus Open Blog 1.2.1, and possibly earlier, allows remote attackers to hijack the authentication of administrators for requests to admin/users/edit that grant administrative privileges.
A Cross-site request forgery (CSRF) vulnerability in Cscms music portal system v4.2 allows remote attackers to change the administrator's username and password.
CSRF in admin/manage-tickets.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to delete a ticket via a crafted request.
CSRF in admin/add-glossary.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to add a new glossary term via a crafted request.
solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order's adjustments if they hold its number, and the execution happens on a store administrator's computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.
Cross-site request forgery (CSRF) vulnerability in HP Systems Insight Manager (SIM) before 6.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CSRF in admin/add-template.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to add a new article template via a crafted request.
Cross-Site Request Forgery (CSRF) vulnerability in Private Messages For WordPress plugin <= 2.1.10 at WordPress allows attackers to send messages.
Cross-Site Scripting (XSS) vulnerability in KubiQ's PNG to JPG plugin <= 4.0 at WordPress via Cross-Site Request Forgery (CSRF). Vulnerable parameter &jpg_quality.
Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in Mufeng's Hermit 音乐播放器 plugin <= 3.1.6 on WordPress via &title parameter.
Cross-site request forgery (CSRF) vulnerability in Forms/PortForwarding_Edit_1 on the ZyXEL O2 DSL Router Classic allows remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the PortRule_Name parameter.
Multiple cross-site request forgery (CSRF) vulnerabilities in the configuration screen in wp-relatedposts.php in the WP Related Posts plugin 1.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the (1) wp_relatedposts_title, (2) wp_relatedposts_num, or (3) wp_relatedposts_type parameter.
CSRF in admin/manage-categories.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to delete a category via a crafted request.
An issue was found on TRENDnet TEW-831DR 1.0 601.130.1.1356 devices. The web interface is vulnerable to CSRF. An attacker can change the pre-shared key of the Wi-Fi router if the interface's IP address is known.
The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains.
CSRF in admin/edit-news.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to edit a news article, given the id, via a crafted request.
A cross-site request forgery (CSRF) vulnerability in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credential.
Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php.
A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to restore the default ownership of a job.
DBHcms v1.2.0 has no CSRF protection mechanism,as demonstrated by CSRF for an /index.php?dbhcms_pid=-80&deletemenu=9 can delete any menu.
A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Plugin 2.15.3 and earlier allows attackers to connect to an attacker-specified URL.
A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page.
Cross-Site Request Forgery (CSRF) in Use Any Font (WordPress plugin) <= 6.1.7 allows an attacker to deactivate the API key.
CSRF in admin/manage-departments.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to add a department via a crafted request.
CSRF in admin/manage-glossary.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to delete a glossary term via a crafted request.
Cross-site request forgery (CSRF) vulnerability in ACollab 1.2 allows remote attackers to hijack the authentication of arbitrary users for requests that add personal agenda items.
In MailEnable Enterprise Premium 10.23, the potential cross-site request forgery (CSRF) protection mechanism was not implemented correctly and it was possible to bypass it by removing the anti-CSRF token parameter from the request. This could allow an attacker to manipulate a user into unwittingly performing actions within the application (such as sending email, adding contacts, or changing settings) on behalf of the attacker.
Cross-Site Request Forgery (CSRF) vulnerability in Yooslider Yoo Slider <= 2.0.0 on WordPress allows attackers to import templates.
Cross-Site Request Forgery (CSRF) in Simple Ajax Chat (WordPress plugin) <= 20220115 allows an attacker to clear the chat log or delete a chat message.
The AdminPad WordPress plugin before 2.2 does not have CSRF check when updating admin's note, allowing attackers to make a logged in admin update their notes via a CSRF attack
The Omnishop plugin for WordPress is vulnerable to Cross-Site Request Forgery on its /users/delete REST route in all versions up to, and including, 1.0.9. The route’s permission_callback only verifies that the requester is logged in, but fails to require any nonce or other proof of intent. This makes it possible for unauthenticated attackers to delete arbitrary user accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Cross-site scripting (XSS) vulnerability in the t3lib_div::quoteJSvalue API function in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the sanitizing algorithm.
Cross-Site Request Forgery (CSRF) vulnerability in Yooslider Yoo Slider <= 2.0.0 on WordPress allows attackers to create or modify slider.
Cross-Site Request Forgery (CSRF) vulnerability in AA-Team WZone – Lite Version plugin 3.1 Lite versions.
Cross-Site Request Forgery (CSRF) in StylemixThemes eRoom – Zoom Meetings & Webinar (WordPress plugin) <= 1.3.7 allows an attacker to Sync with Zoom Meetings.
NETGEAR JNR1010 devices before 1.0.0.32 allow cgi-bin/webproc CSRF via the :InternetGatewayDevice.X_TWSZ-COM_URL_Filter.BlackList.1.URL parameter.
Cross-Site Request Forgery (CSRF) in StylemixThemes eRoom – Zoom Meetings & Webinar (WordPress plugin) <= 1.3.8 allows cache deletion.
The Lightbox Plus Colorbox plugin through 2.7.2 for WordPress has cross-site request forgery (CSRF) via wp-admin/admin.php?page=lightboxplus, as demonstrated by resultant width XSS.
Cross-Site Request Forgery (CSRF) vulnerability leading to event deletion was discovered in Spiffy Calendar WordPress plugin (versions <= 4.9.0).
Neet AirStream NAS1.1 devices allow CSRF attacks that cause the settings binary to change the AP name and password.
A Cross-Site Request Forgery (CSRF) in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI.
The Yotpo Reviews for WooCommerce WordPress plugin through 2.0.4 lacks nonce check when updating its settings, which could allow attacker to make a logged in admin change them via a CSRF attack.
The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 does not perform CSRF checks for any of its AJAX actions, allowing an attackers to trick logged in users to perform various actions on their behalf on the site.
Cross-site request forgery (CSRF) vulnerability in the JMX Console in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3 before 4.3.0.CP09 allows remote attackers to hijack the authentication of administrators for requests that deploy WAR files.