A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker.
ECOA BAS controller has a Cross-Site Request Forgery vulnerability, thus authenticated attacker can remotely place a forged request at a malicious web page and execute CRUD commands (GET, POST, PUT, DELETE) to perform arbitrary operations in the system.
Galette is a membership management web application built for non profit organizations and released under GPLv3. Versions prior to 0.9.6 do not check for Cross Site Request Forgery attacks. All users are advised to upgrade to 0.9.6 as soon as possible. There are no known workarounds for this issue.
icms 7.0.16 is vulnerable to Cross Site Request Forgery (CSRF).
LexisNexis Firco Compliance Link 3.7 allows CSRF.
solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: Executed whether as: A `before_action` callback (the default) or A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details.
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)
spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both: Executed whether as: A before_action callback (the default). A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). Users are advised to update their spree_auth_devise gem. For users unable to update it may be possible to change your strategy to :exception. Please see the linked GHSA for more workaround details. ### Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch �� ### Patches Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 ### Workarounds If possible, change your strategy to :exception: ```ruby class ApplicationController < ActionController::Base protect_from_forgery with: :exception end ``` Add the following to`config/application.rb `to at least run the `:exception` strategy on the affected controller: ```ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ``` ### References https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
Cross-Site Request Forgery (CSRF) vulnerability in Venugopal Remove/hide Author, Date, Category Like Entry-Meta plugin <= 2.1 versions.
A vulnerability was found in SourceCodester Online Employee Leave Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/addemployee.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The identifier VDB-207853 was assigned to this vulnerability.
Zoho ManageEngine Log360 before Build 5219 allows a CSRF attack on proxy settings.
A cross-site request forgery vulnerability in the HTTP daemon of the Zyxel ARMOR Z1/Z2 firmware could allow an attacker to execute arbitrary commands if they coerce or trick a local user to visit a compromised website with malicious scripts.
A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.
A Cross-Site Request Forgery (CSRF) in Chamilo LMS 1.11.14 allows attackers to execute arbitrary commands on victim hosts via user interaction with a crafted URL.
Cross-Site Request Forgery (CSRF) vulnerability in Dylan James Zephyr Project Manager plugin <= 3.3.93 versions.
Zoho ManageEngine Log360 before Build 5224 allows a CSRF attack for disabling the logon security settings.
Cross-Site Request Forgery (CSRF) vulnerability in Felix Welberg SIS Handball plugin <= 1.0.45 versions.
Jeesns 1.4.2 contains a cross-site request forgery (CSRF) which allows attackers to escalate privileges and perform sensitive program operations.
A cross-site request forgery vulnerability in Jenkins Sounds Plugin 0.5 and earlier allows attacker to execute arbitrary OS commands as the OS user account running Jenkins.
Cross-Site Request Forgery (CSRF) vulnerability in Ashok Rane Order Delivery Date for WP e-Commerce plugin <= 1.2 versions.
An issue was discovered in Concrete CMS through 8.5.5. The Calendar is vulnerable to CSRF. ccm_token is not verified on the ccm/calendar/dialogs/event/add/save endpoint.
Insufficient Cross-Site Request Forgery (XSRF) protection on Expedition Migration Tool allows remote unauthenticated attackers to hijack the authentication of administrators and to perform actions on the Expedition Migration Tool. This issue affects Expedition Migration Tool 1.1.51 and earlier versions.
Cross-Site Request Forgery (CSRF) vulnerability in edward_plainview MyCryptoCheckout plugin <= 2.125 versions.
Unibox SMB 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain a cross-site request forgery (CSRF) vulnerability in /tools/network-trace, /list_users, /list_byod?usertype=raduser, /dhcp_leases, /go?rid=202 in which a specially crafted HTTP request may reconfigure the device.
A Cross-Site Request Forgery (CSRF) in /admin/index.php?lfj=member&action=editmember of Qibosoft v7 allows attackers to arbitrarily add administrator accounts.
A cross-site request forgery vulnerability in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers to send an email with fixed content to an attacker-specified recipient.
Cross-Site Request Forgery (CSRF) vulnerability in Rémi Leclercq Hide admin notices – Admin Notification Center plugin <= 2.3.2 versions.
HomeAutomation 3.3.2 is affected by Cross Site Request Forgery (CSRF). The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
A cross-site request forgery (CSRF) in KiteCMS V1.1 allows attackers to arbitrarily add an administrator account.
Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripting console via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.
Cross Site Request Forgery (CSRF) vulnerability in INSMA Wifi Mini Spy 1080P HD Security IP Camera 1.9.7 B, via all fields to WebUI.
Cross-Site Request Forgery (CSRF) vulnerability in CRUDLab WP Like Button plugin <= 1.7.0 versions.
showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
The SULly WordPress plugin before 4.3.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
Cross Site Request Forgery (CSRF) vulnerability in PbootCMS v2.0.3 via /admin.php?p=/User/index.
A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Cross-Site Request Forgery (CSRF) vulnerability in Hannes Etzelstorfer // codemiq WP HTML Mail plugin <= 3.4.1 versions.
A Cross Site Request Forgery (CSRF) vulnerability exits in ZZZCMS V1.7.1 via the save_user funciton in save.php.
A cross-site request forgery (CSRF) vulnerability in Jenkins Autocomplete Parameter Plugin 1.1 and earlier allows attackers to execute arbitrary code without sandbox protection if the victim is an administrator.
Cross-site request forgery in some Intel Unison software may allow an authenticated user to potentially enable escalation of privilege via network access.
Lumidek Associates Simple Food Website 1.0 is vulnerable to Cross Site Request Forgery (CSRF) which allows anyone to takeover admin/moderater account.
Cross Site Request Forgery (CSRF) Vulnerability in ForestBlog latest version via the website Management background, which could let a remote malicious gain privileges.
The plus/search.php component in DedeCMS 5.7 SP2 allows remote attackers to execute arbitrary PHP code via the typename parameter because the contents of typename.inc are under an attacker's control.
Cross Site Request Forgey (CSRF) in iWebShop v5.3 allows remote atatckers to execute arbitrary code via malicious POST request to the component '/index.php?controller=system&action=admin_edit_act'.
Cross Site Request Forgery (CSRF) vulnerability exists in Intelliants Subrion CMS v4.2.1 via the Members administrator function, which could let a remote unauthenticated malicious user send an authorised request to victim and successfully create an arbitrary administrator user.
Cross Site Request Forgery (CSRF) in Simple-Log v1.6 allows remote attackers to gain privilege and execute arbitrary code via the component "Simple-Log/admin/admin.php?act=act_add_member".
includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress allows CSRF.
Cross-Site Request Forgery (CSRF) vulnerability leading to Local File Inclusion (LF) in Webpushr Web Push Notifications Web Push Notifications – Webpushr plugin <= 4.34.0 versions.
The Comcast firmware on Cisco DPC3939B (firmware version dpc3939b-v303r204217-150321a-CMCST) devices allows configuration changes via CSRF.
Cross-site request forgery (CSRF) vulnerability in Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows remote attackers to hijack the authentication of users for requests to start an update from an arbitrary source via a crafted request to SProtectLinux/scanoption_set.cgi, related to the lack of anti-CSRF tokens.