Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Bookings.This issue affects WooCommerce Bookings: from n/a through 2.0.3.
A vulnerability was found in BestWebSoft Contact Form 3.21. It has been classified as problematic. This affects the function cntctfrm_settings_page of the file contact_form.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 3.22 is able to address this issue. The identifier of the patch is 8398d96ff0fe45ec9267d7259961c2ef89ed8005. It is recommended to upgrade the affected component. The identifier VDB-225321 was assigned to this vulnerability.
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, CSRF tokens can be reused by a malicious user, as on Windows servers no cleanup is done on CSRF tokens. This issue is fixed in versions 2.7.4 and 3.0.0.
Cross-Site Request Forgery (CSRF) vulnerability in RedNao Donations Made Easy – Smart Donations.This issue affects Donations Made Easy – Smart Donations: from n/a through 4.0.12.
All versions of Uffizio GPS Tracker may allow an attacker to perform unintended actions on behalf of a user.
Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/task/run
A weakness has been identified in givanz Vvveb up to 1.0.7.2. This vulnerability affects unknown code. Executing manipulation can lead to cross-site request forgery. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. Once again the project maintainer reacted very professional: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release."
The ConsoleAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows a CSRF attack that results in injecting arbitrary Ruby code (for an eval call) via the CONSOLE_COMMAND_STRING parameter.
A Cross-site Request Forgery (CSRF) vulnerability exists in Advanced Electron Forums (AEF) through 1.0.9 due to inadequate confirmation for sensitive transactions in the administrator functions.
A cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Scheduled Cron Jobs feature.
Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to create a privileged user through Webmin's add users feature, and then get a reverse shell through Webmin's running process feature.
b2evolution CMS v7.2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the User login page. This vulnerability allows attackers to escalate privileges.
The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit location feature.
Intelbras Router RF 301K Firmware 1.1.2 is vulnerable to Cross Site Request Forgery (CSRF) due to lack of validation and insecure configurations in inputs and modules.
Sipwise C5 NGCP www_csc version 3.6.4 up to and including platform NGCP CE mr3.8.13 allows call/click2dial CSRF attacks for actions with administrative privileges.
Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to achieve Remote Command Execution (RCE) through Webmin's running process feature.
A Cross Site Request Forgery (CSRF) vulnerability exists in the administrator functions in WebsiteBaker 2.8.1 and earlier due to inadequate confirmation for sensitive transactions.
JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/div/update.
Cross-Site Request Forgery (CSRF) vulnerability in Serena Villa Auto Excerpt everywhere plugin <= 1.5 versions.
The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit category feature.
Cross-Site Request Forgery (CSRF) vulnerability in Gravity Master Product Enquiry for WooCommerce.This issue affects Product Enquiry for WooCommerce: from n/a through 3.0.
JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/category/save.
Cross-Site Request Forgery (CSRF) vulnerability in Fluenx DeepL API translation plugin <= 2.3.9.1 versions.
Cross-Site Request Forgery (CSRF) vulnerability in AWESOME TOGI Product Category Tree plugin <= 2.5 versions.
Cross-Site Request Forgery (CSRF) vulnerability in Martin Gibson Auto Publish for Google My Business plugin <= 3.7 versions.
The unite-gallery-lite plugin before 1.5 for WordPress has CSRF and SQL injection via wp-admin/admin-ajax.php in a unitegallery_ajax_action operation.
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
Cross-Site Request Forgery (CSRF) vulnerability in BOINC Server allows Cross Site Request Forgery.This issue affects BOINC Server: before 1.4.3.
GestSup versions up to and including 3.2.60 contain a cross-site request forgery (CSRF) vulnerability where the application does not verify the authenticity of client requests. An attacker can induce a logged-in user to submit crafted requests that perform actions with the victim's privileges. This can be exploited to create privileged accounts by targeting the administrative user creation endpoint.
In TrendNet TW100-S4W1CA 2.3.32, due to a lack of proper session controls, a threat actor could make unauthorized changes to an affected router via a specially crafted web page. If an authenticated user were to interact with a malicious web page it could allow for a complete takeover of the router.
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A vulnerability was discovered (fixed and publicly disclosed in 2015) in Lenovo Solution Center (LSC) prior to version 3.3.002 that could allow cross-site request forgery.
A vulnerability has been found in SourceCodester Take-Note App 1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-239350 is the identifier assigned to this vulnerability.
CSRF vulnerability in Smoothwall Express 3.
TP-Link TL-SG2005, TL-SG2008, etc. 1.0.0 Build 20180529 Rel.40524 is vulnerable to Cross Site Request Forgery (CSRF). All configuration information is placed in the URL, without any additional token authentication information. A malicious link opened by the switch administrator may cause the password of the switch to be modified and the configuration file to be tampered with.
A cross-site request forgery vulnerability in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers to connect to an attacker-specified URL.
Cross-Site Request Forgery (CSRF) vulnerability in Mat Bao Corp WP Helper Premium plugin <= 4.5.1 versions.
Batavi before 1.0 has CSRF.
A vulnerability classified as problematic has been found in OpenACS bug-tracker. Affected is an unknown function of the file lib/nav-bar.adp of the component Search. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The name of the patch is aee43e5714cd8b697355ec3bf83eefee176d3fc3. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217440.
Intelbras Router RF 301K Firmware 1.1.2 is vulnerable to Cross Site Request Forgery (CSRF) due to lack of security mechanisms for token protection and unsafe inputs and modules.
Cross-Site Request Forgery (CSRF) vulnerability in Simple Calendar – Google Calendar Plugin <= 3.2.5 versions.
A Cross-Site Request Forgery (CSRF) vulnerability in en/cfg_setpwd.html in Softing AG OPC Toolbox through 4.10.1.13035 allows attackers to reset the administrative password by inducing the Administrator user to browse a URL controlled by an attacker.
A vulnerability, which was classified as problematic, was found in SourceCodester Simple Realtime Quiz System 1.0. This affects an unknown part of the file /ajax.php?action=save_user. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273351.
A Cross Site Request Forgery (CSRF) issue in Server Console in CloverDX through 5.9.0 allows remote attackers to execute any action as the logged-in user (including script execution). The issue is resolved in CloverDX 5.10, CloverDX 5.9.1, CloverDX 5.8.2, and CloverDX 5.7.1.
The PropertyHive plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.19. This is due to missing or incorrect nonce validation on the 'save_account_details' function. This makes it possible for unauthenticated attackers to edit the name, email address, and password of an administrator account via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
IBM QRadar User Behavior Analytics 4.1.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 202168.
The BA Book Everything plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.20. This is due to missing or incorrect nonce validation on the my_account_update() function. This makes it possible for unauthenticated attackers to update a user's account details via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to reset a user's password and gain access to their account.
The ImageMagick Engine plugin for WordPress is vulnerable to remote code execution via the 'cli_path' parameter in versions up to, and including 1.7.5. This makes it possible for unauthenticated users to run arbitrary commands leading to remote command execution, granted they can trick a site administrator into performing an action such as clicking on a link. This makes it possible for an attacker to create and or modify files hosted on the server which can easily grant attackers backdoor access to the affected server.
Silverpeas Core 6.3.1 is vulnerable to Cross Site Request Forgery (CSRF) via the Domain SQL Create function.
Multiple Cross-Site Request Forgery (CSRF) chaining in NCR Terminal Handler v.1.5.1 allows privileges to be escalated by an attacker through a crafted request involving user account creation and adding the user to an administrator group. This is exploited by an undisclosed function in the WSDL that lacks security controls and can accept custom content types.