Cross-site request forgery (CSRF) in Fork-CMS before 5.8.2 allow remote attackers to hijack the authentication of logged administrators.
A Cross-Site Request Forgery (CSRF) vulnerability in edit_user.php in OSWAPP Warehouse Inventory System (aka OSWA-INV) through 2020-08-10 allows remote attackers to change the admin's password after an authenticated admin visits a third-party site.
Chamilo LMS 1.11.10 is affected by Cross Site Request Forgery (CSRF) via the edit_user function by targeting an admin user.
Cross-Site Request Forgery (CSRF) vulnerability in PowerPack Addons for Elementor PowerPack Pro for Elementor.This issue affects PowerPack Pro for Elementor: from n/a before 2.10.8.
A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to Reset ONU to Factory Default through ' /mgm_dev_reset.asp.' Resetting to default leads to Escalation of Privileges by logging-in with default credentials.
Cross Site Request Forgery (CSRF) vulnerability in yzmcms version 5.6, allows remote attackers to escalate privileges and gain sensitive information sitemodel/add.html endpoint.
A CSRF vulnerability was discovered in EasyCMS v1.6 that can add an admin account through index.php?s=/admin/rbacuser/insert/navTabId/rbacuser/callbackType/closeCurrent, then post username=***&password=***.
An issue was discovered in fs.com S3900 24T4S 1.7.0 and earlier. The form does not have an authentication or token authentication mechanism that allows remote attackers to forge requests on behalf of a site administrator to change all settings including deleting users, creating new users with escalated privileges.
iCMS v7.0.15 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admincp.php?app=members&do=add.
Cross Site Request Forgery vulnerability in Neeke HongCMS 3.0.0 allows a remote attacker to execute arbitrary code and escalate privileges via the updateusers parameter.
A Cross-Site Request Forgery (CSRF) in the component admin.php/admin/type/info.html of Maccms 10 allows attackers to gain administrator privileges.
A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to execute arbitrary SQL scripts.
A Cross Site Request Forgery (CSRF) vulnerability exits in ZZZCMS V1.7.1 via the save_user funciton in save.php.
MetInfo 7.0.0 contains a Cross-Site Request Forgery (CSRF) via admin/?n=admin&c=index&a=doSaveInfo.
FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/score/scorerule_save
DBHcms v1.2.0 has no CSRF protection mechanism,as demonstrated by CSRF for index.php?dbhcms_pid=-70 can add a user.
HomeAutomation 3.3.2 is affected by Cross Site Request Forgery (CSRF). The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
TuziCMS 2.0.6 has index.php/manage/link/do_add CSRF.
includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress allows CSRF.
Cross Site Request Forgery (CSRF) vulnerability in Express cart v1.1.16 allows attackers to add an administrator account, add discount code or other unspecified impacts.
A vulnerability in /damicms-master/admin.php?s=/Article/doedit of DamiCMS v6.0 allows attackers to compromise and impersonate user accounts via obtaining a user's session cookie.
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.
FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/score/del.
Insufficient Cross-Site Request Forgery (XSRF) protection on Expedition Migration Tool allows remote unauthenticated attackers to hijack the authentication of administrators and to perform actions on the Expedition Migration Tool. This issue affects Expedition Migration Tool 1.1.51 and earlier versions.
A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
A cross-site request forgery (CSRF) in KiteCMS V1.1 allows attackers to arbitrarily add an administrator account.
Cross-Site Request Forgery (CSRF) vulnerability in Gora Tech LLC Cooked Pro allows Cross Site Request Forgery.This issue affects Cooked Pro: from n/a before 1.8.0.
Cross Site Request Forgery (CSRF) vulnerability exists in EyouCMS 1.3.6 that can add an htm page to execute the js code via login.php?m=admin&c=Filemanager&a=newfile&lang=cn.
A Cross-Site Request Forgery (CSRF) in GilaCMS v1.11.4 allows authenticated attackers to arbitrarily add administrator accounts.
A CSRF vulnerability in Eyoucms v1.2.7 allows an attacker to add an admin account via login.php.
Cross Site Request Forgery (CSRF) in LaikeTui v3 allows remote attackers to execute arbitrary code via the component '/index.php?module=member&action=add'.
Cross Site Request Forgery (CSRF) in Simple-Log v1.6 allows remote attackers to gain privilege and execute arbitrary code via the component "Simple-Log/admin/admin.php?act=act_add_member".
In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admin.php?action=page."
Cross Site Request Forgery vulnerability found in Phachon mm-wiki v.0.1.2 allows a remote attacker to execute arbitrary code via the system/user/save parameter.
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images."
A Cross site request forgery (CSRF) vulnerability was discovered in FeiFeiCMS v4.1.190209, which allows attackers to create administrator accounts via /index.php?s=Admin-Admin-Insert.
Jeesns 1.4.2 contains a cross-site request forgery (CSRF) which allows attackers to escalate privileges and perform sensitive program operations.
Cross-Site Request Forgery (CSRF) vulnerability in Orchestrated Corona Virus (COVID-19) Banner & Live Data plugin <= 1.7.0.6 versions.
Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4, allows remote attackers to execute arbitrary code getCsrfToken function. NOTE: the vendor disputes this because the 5d88731 commit fixes a usability problem (HTTP 419 status codes for legitimate client activity), not a security problem.
A cross-site request forgery (CSRF) in MipCMS v5.0.1 allows attackers to arbitrarily escalate user privileges to administrator via index.php?s=/user/ApiAdminUser/itemEdit.
The plus/search.php component in DedeCMS 5.7 SP2 allows remote attackers to execute arbitrary PHP code via the typename parameter because the contents of typename.inc are under an attacker's control.
Cross Site Request Forgery (CSRF) Vulnerability in ForestBlog latest version via the website Management background, which could let a remote malicious gain privileges.
Cross Site Request Forgery (CSRF) vulnerability exists in Intelliants Subrion CMS v4.2.1 via the Members administrator function, which could let a remote unauthenticated malicious user send an authorised request to victim and successfully create an arbitrary administrator user.
Cross Site Request Forgery (CSRF) in IgnitedCMS v1.0 allows remote attackers to obtain sensitive information and gain privilege via the component "/admin/profile/save_profile".
Cross Site Request Forgey (CSRF) in iWebShop v5.3 allows remote atatckers to execute arbitrary code via malicious POST request to the component '/index.php?controller=system&action=admin_edit_act'.
Missing checks on Content-Type headers in geckodriver before 0.27.0 could lead to a CSRF vulnerability, that might, when paired with a specifically prepared request, lead to remote code execution.
ad-ldap-connector's admin panel before version 5.0.13 does not provide csrf protection, which when exploited may result in remote code execution or confidential data loss. CSRF exploits may occur if the user visits a malicious page containing CSRF payload on the same machine that has access to the ad-ldap-connector admin console via a browser. You may be affected if you use the admin console included with ad-ldap-connector versions <=5.0.12. If you do not have ad-ldap-connector admin console enabled or do not visit any other public URL while on the machine it is installed on, you are not affected. The issue is fixed in version 5.0.13.
Cross-Site Request Forgery (CSRF) vulnerability in Michael Tran Table of Contents Plus allows Cross Site Request Forgery.This issue affects Table of Contents Plus: from n/a through 2408.
In MISP before 2.4.129, setting a favourite homepage was not CSRF protected.