Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-352
Total 4240 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-24382 1 Material Design Icons For Page Builders Project 1 Material Design Icons For Page Builders 2023-02-22 N/A 8.8 HIGH
Cross-Site Request Forgery (CSRF) vulnerability in Photon WP Material Design Icons for Page Builders plugin <= 1.4.2 versions.
CVE-2023-25065 1 Shapedplugin 1 Wp Tabs 2023-02-22 N/A 8.8 HIGH
Cross-Site Request Forgery (CSRF) vulnerability in ShapedPlugin WP Tabs – Responsive Tabs Plugin for WordPress plugin <= 2.1.14 versions.
CVE-2022-43469 1 Orchestrated 1 Corona Virus \(covid-19\) Banner \& Live Data 2023-02-22 N/A 8.8 HIGH
Cross-Site Request Forgery (CSRF) vulnerability in Orchestrated Corona Virus (COVID-19) Banner & Live Data plugin <= 1.7.0.6 versions.
CVE-2023-25066 1 Foliovision 1 Fv Flowplayer Video Player 2023-02-22 N/A 8.8 HIGH
Cross-Site Request Forgery (CSRF) vulnerability in FolioVision FV Flowplayer Video Player plugin <= 7.5.30.7212 versions.
CVE-2022-41134 1 Optinly 1 Optinly 2023-02-21 N/A 8.8 HIGH
Cross-Site Request Forgery (CSRF) in OptinlyHQ Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms plugin <= 1.0.15 versions.
CVE-2022-34448 1 Dell 1 Powerpath Management Appliance 2023-02-21 N/A 8.8 HIGH
PowerPath Management Appliance with versions 3.3 & 3.2*, 3.1 & 3.0* contains a Cross-site Request Forgery vulnerability. An unauthenticated non-privileged user could potentially exploit the issue and perform any privileged state-changing actions.
CVE-2022-41620 1 Seosamba 1 Seosamba 2023-02-18 N/A 8.8 HIGH
Cross-Site Request Forgery (CSRF) vulnerability in SeoSamba for WordPress Webmasters plugin <= 1.0.5 versions.
CVE-2022-3568 1 Orangelab 1 Imagemagick Engine 2023-02-16 N/A 8.8 HIGH
The ImageMagick Engine plugin for WordPress is vulnerable to deserialization of untrusted input via the 'cli_path' parameter in versions up to, and including 1.7.5. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
CVE-2019-1915 1 Cisco 3 Unified Communications Manager, Unified Communications Manager Im And Presence Service, Unity Connection 2023-02-15 4.3 MEDIUM 6.5 MEDIUM
A vulnerability in the web-based interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition (SME), Cisco Unified Communications Manager IM and Presence (Unified CM IM&amp;P) Service, and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections by the affected software. An attacker could exploit this vulnerability by persuading a targeted user to click a malicious link. A successful exploit could allow the attacker to send arbitrary requests that could change the password of a targeted user. An attacker could then take unauthorized actions on behalf of the targeted user.
CVE-2023-0735 1 Wallabag 1 Wallabag 2023-02-15 N/A 6.5 MEDIUM
Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.5.4.
CVE-2021-24388 1 E4j 1 Vikrentcar Car Rental Management System 2023-02-14 3.5 LOW 5.4 MEDIUM
In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged in admin set arbitrary Custom Fields, including one with XSS payload in it.
CVE-2021-24487 1 Sanskruti 1 St-daily-tip 2023-02-14 6.8 MEDIUM 8.8 HIGH
The St-Daily-Tip WordPress plugin through 4.7 does not have any CSRF check in place when saving its 'Default Text to Display if no tips' setting, and was also lacking sanitisation as well as escaping before outputting it the page. This could allow attacker to make logged in administrators set a malicious payload in it, leading to a Stored Cross-Site Scripting issue
CVE-2021-24434 1 Codeblab 1 Glass 2023-02-14 4.3 MEDIUM 6.1 MEDIUM
The Glass WordPress plugin through 1.3.2 does not sanitise or escape its "Glass Pages" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin did not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack.
CVE-2022-2933 1 0mk Shortener Project 1 0mk Shortener 2023-02-14 N/A 8.8 HIGH
The 0mk Shortener plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the zeromk_options_page function. This makes it possible for unauthenticated attackers to inject malicious web scripts via the 'zeromk_user' and 'zeromk_apikluc' parameters through a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-0674 1 Xuxueli 1 Xxl-job 2023-02-14 N/A 6.5 MEDIUM
A vulnerability, which was classified as problematic, has been found in XXL-JOB 2.3.1. Affected by this issue is some unknown functionality of the file /user/updatePwd of the component New Password Handler. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-220196.
CVE-2020-4675 4 Ibm, Linux, Microsoft and 1 more 6 Aix, Infosphere Master Data Management Server, Linux On Ibm Z and 3 more 2023-02-14 4.3 MEDIUM 6.5 MEDIUM
IBM InfoSphere Master Data Management Server 11.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 186324.
CVE-2022-27628 1 Wzone Project 1 Wzone 2023-02-13 N/A 6.5 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in AA-Team WZone – Lite Version plugin 3.1 Lite versions.
CVE-2018-1098 2 Fedoraproject, Redhat 2 Fedora, Etcd 2023-02-12 6.8 MEDIUM 8.8 HIGH
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.
CVE-2013-2034 1 Cloudbees 1 Jenkins 2023-02-12 6.8 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x before 1.466.14.1 and 1.480.x before 1.480.4.1 allow remote attackers to hijack the authentication of administrators for requests that (1) execute arbitrary code or (2) initiate deployment of binaries to a Maven repository via unspecified vectors.
CVE-2013-0328 1 Jenkins 1 Jenkins 2023-02-12 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.