FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/user/group_update
Cross-Site Request Forgery (CSRF) vulnerability in Borbis Media FreshMail For WordPress.This issue affects FreshMail For WordPress: from n/a through 2.3.2.
Coursemill Learning Management System (LMS) 6.8 constructs secret tokens based on time values, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via vectors related to cookies, a different vulnerability than CVE-2013-3605.
In Gxlcms 2.0, a news/index.php?s=Admin-Admin-Insert CSRF attack can add an administrator account.
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/article_edit.php.
Multiple cross-site request forgery (CSRF) vulnerabilities in the Private Only plugin 3.5.1 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add users, (2) delete posts, or (3) modify PHP files via unspecified vectors, or (4) conduct cross-site scripting (XSS) attacks via the po_logo parameter in the privateonly.php page to wp-admin/options-general.php.
An issue was discovered in WeaselCMS v0.3.5. CSRF can create new pages via an index.php?b=pages&a=new URI.
Stupid Simple CMS <=1.2.4 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin-edit.php.
PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has CSRF via client/auditor/updprofile.php.
Cross-site request forgery (CSRF) vulnerability in Browser and Operating System Finder versions prior to 1.2 allows a remote unauthenticated attacker to hijack the authentication of an administrator via unspecified vectors.
IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 11029.
IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ( 6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) are vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 139474.
Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4, allows remote attackers to execute arbitrary code getCsrfToken function. NOTE: the vendor disputes this because the 5d88731 commit fixes a usability problem (HTTP 419 status codes for legitimate client activity), not a security problem.
An issue was discovered in XiaoCms X1 v20140305. There is a CSRF vulnerability to change the administrator account password via admin/index.php?c=index&a=my.
xyhai.php?s=/Auth/addUser in XYHCMS 3.5 allows CSRF to add a background administrator account.
Matera Banco 1.0.0 allows CSRF, as demonstrated by a /contingency/web/messageSend/messageSendHandler.jsp request.
FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/score/scorerule_save
NETGEAR Nighthawk WiFi6 Router prior to V1.0.10.94 is vulnerable to cross-site request forgery attacks on all endpoints due to improperly implemented CSRF protections.
Cross-Site Request Forgery (CSRF) vulnerability in Marco Milesi Browser Theme Color.This issue affects Browser Theme Color: from n/a through 1.3.
The Sloth Logo Customizer WordPress plugin through 2.0.2 does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
Cross-Site Request Forgery (CSRF) vulnerability in DroitThemes Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder.This issue affects Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder: from n/a through 3.1.5.
An issue was discovered in WeaselCMS v0.3.5. CSRF can update the website settings (such as the theme, title, and description) via index.php.
The User Role by BestWebSoft WordPress plugin before 1.6.7 does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role.
An issue was discovered in OneThink v1.1. There is a CSRF vulnerability in admin.php?s=/User/add.html that can add a user.
The Newsletter Popup WordPress plugin through 1.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks as the wp_newsletter_show_localrecord page is not protected with a nonce.
FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerbility via /system/site/filterKeyword_save
Missing protections against Cross-Site Request Forgery in the web application in ZyXEL NSA325 V2 version 4.81 allow attackers to perform state-changing actions via crafted HTTP forms.
An issue was discovered in Auth0 auth0-aspnet and auth0-aspnet-owin. Affected packages do not use or validate the state parameter of the OAuth 2.0 and OpenID Connect protocols. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations.
In ClickHouse before 1.1.54388, "remote" table function allowed arbitrary symbols in "user", "password" and "default_database" fields which led to Cross Protocol Request Forgery Attacks.
FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/user/group_save.
Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function.
Cross-Site Request Forgery (CSRF) vulnerability in WP Spell Check.This issue affects WP Spell Check: from n/a through 9.17.
Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.
Cross-site request forgery (CSRF) vulnerability in login.jsp in Tyler Technologies TaxWeb 3.13.3.1 allows remote attackers to hijack the authentication of arbitrary users for requests that change a password.
Multiple cross-site request forgery (CSRF) vulnerabilities in EMC Document Sciences xPression 4.1 SP1 before Patch 47, 4.2 before Patch 26, and 4.5 before Patch 05, as used in Documentum Edition, Enterprise Edition Publish Engine, and Enterprise Edition Compuset Engine, allow remote attackers to hijack the authentication of administrators for requests that perform administrative actions in (1) xAdmin or (2) xDashboard.
A cross-site request forgery (CSRF) vulnerability in Jenkins Configuration Slicing Plugin 1.51 and earlier allows attackers to apply different slice configurations.
Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.4.0 through 7.4.3.103, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 update 29 through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_commerce_catalog_web_internal_portlet_CommerceCatalogsPortlet_redirect parameter.
Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter.
VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow CSRF.
Cross-Site Request Forgery (CSRF) vulnerability in Atakan Au 1 click disable all.This issue affects 1 click disable all: from n/a through 1.0.1.
In waimai Super Cms 20150505, there is a CSRF vulnerability that can add an admin account via admin.php?m=Member&a=adminadd.
IBM Application Performance Management - Response Time Monitoring Agent (IBM Monitoring 8.1.4) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 139598.
Xiao5uCompany 1.7 has CSRF via admin/Admin.asp.
Cross-site request forgery (CSRF) vulnerability in OG Tags versions prior to 2.0.2 allows a remote attacker to hijack the authentication of administrators and unintended operation may be performed via unspecified vectors.
Cross-site request forgery (CSRF) vulnerability in WordPress Meta Data Filter & Taxonomies Filter versions prior to v.1.2.8 and versions prior to v.2.2.8 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
MK-AUTH through 19.01 K4.9 allows CSRF for password changes via the central/executar_central.php?acao=altsenha_princ URI.
Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Global Site Selector (GSS) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuh42164.
Cross-site request forgery (CSRF) vulnerability in Push Notifications for WordPress (Lite) versions prior to 6.0.1 allows a remote attacker to hijack the authentication of an administrator and conduct an arbitrary operation via a specially crafted web page.
OpenSID 18.06-pasca has a CSRF vulnerability. This vulnerability can add an account (at the admin level) via the index.php/man_user/insert URI.
TEMMOKU T1.09 Beta allows admin/user/add CSRF.