Total
4240 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-24382 | 1 Material Design Icons For Page Builders Project | 1 Material Design Icons For Page Builders | 2023-02-22 | N/A | 8.8 HIGH |
Cross-Site Request Forgery (CSRF) vulnerability in Photon WP Material Design Icons for Page Builders plugin <= 1.4.2 versions. | |||||
CVE-2023-25065 | 1 Shapedplugin | 1 Wp Tabs | 2023-02-22 | N/A | 8.8 HIGH |
Cross-Site Request Forgery (CSRF) vulnerability in ShapedPlugin WP Tabs – Responsive Tabs Plugin for WordPress plugin <= 2.1.14 versions. | |||||
CVE-2022-43469 | 1 Orchestrated | 1 Corona Virus \(covid-19\) Banner \& Live Data | 2023-02-22 | N/A | 8.8 HIGH |
Cross-Site Request Forgery (CSRF) vulnerability in Orchestrated Corona Virus (COVID-19) Banner & Live Data plugin <= 1.7.0.6 versions. | |||||
CVE-2023-25066 | 1 Foliovision | 1 Fv Flowplayer Video Player | 2023-02-22 | N/A | 8.8 HIGH |
Cross-Site Request Forgery (CSRF) vulnerability in FolioVision FV Flowplayer Video Player plugin <= 7.5.30.7212 versions. | |||||
CVE-2022-41134 | 1 Optinly | 1 Optinly | 2023-02-21 | N/A | 8.8 HIGH |
Cross-Site Request Forgery (CSRF) in OptinlyHQ Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms plugin <= 1.0.15 versions. | |||||
CVE-2022-34448 | 1 Dell | 1 Powerpath Management Appliance | 2023-02-21 | N/A | 8.8 HIGH |
PowerPath Management Appliance with versions 3.3 & 3.2*, 3.1 & 3.0* contains a Cross-site Request Forgery vulnerability. An unauthenticated non-privileged user could potentially exploit the issue and perform any privileged state-changing actions. | |||||
CVE-2022-41620 | 1 Seosamba | 1 Seosamba | 2023-02-18 | N/A | 8.8 HIGH |
Cross-Site Request Forgery (CSRF) vulnerability in SeoSamba for WordPress Webmasters plugin <= 1.0.5 versions. | |||||
CVE-2022-3568 | 1 Orangelab | 1 Imagemagick Engine | 2023-02-16 | N/A | 8.8 HIGH |
The ImageMagick Engine plugin for WordPress is vulnerable to deserialization of untrusted input via the 'cli_path' parameter in versions up to, and including 1.7.5. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload. | |||||
CVE-2019-1915 | 1 Cisco | 3 Unified Communications Manager, Unified Communications Manager Im And Presence Service, Unity Connection | 2023-02-15 | 4.3 MEDIUM | 6.5 MEDIUM |
A vulnerability in the web-based interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition (SME), Cisco Unified Communications Manager IM and Presence (Unified CM IM&P) Service, and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections by the affected software. An attacker could exploit this vulnerability by persuading a targeted user to click a malicious link. A successful exploit could allow the attacker to send arbitrary requests that could change the password of a targeted user. An attacker could then take unauthorized actions on behalf of the targeted user. | |||||
CVE-2023-0735 | 1 Wallabag | 1 Wallabag | 2023-02-15 | N/A | 6.5 MEDIUM |
Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.5.4. | |||||
CVE-2021-24388 | 1 E4j | 1 Vikrentcar Car Rental Management System | 2023-02-14 | 3.5 LOW | 5.4 MEDIUM |
In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged in admin set arbitrary Custom Fields, including one with XSS payload in it. | |||||
CVE-2021-24487 | 1 Sanskruti | 1 St-daily-tip | 2023-02-14 | 6.8 MEDIUM | 8.8 HIGH |
The St-Daily-Tip WordPress plugin through 4.7 does not have any CSRF check in place when saving its 'Default Text to Display if no tips' setting, and was also lacking sanitisation as well as escaping before outputting it the page. This could allow attacker to make logged in administrators set a malicious payload in it, leading to a Stored Cross-Site Scripting issue | |||||
CVE-2021-24434 | 1 Codeblab | 1 Glass | 2023-02-14 | 4.3 MEDIUM | 6.1 MEDIUM |
The Glass WordPress plugin through 1.3.2 does not sanitise or escape its "Glass Pages" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin did not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack. | |||||
CVE-2022-2933 | 1 0mk Shortener Project | 1 0mk Shortener | 2023-02-14 | N/A | 8.8 HIGH |
The 0mk Shortener plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the zeromk_options_page function. This makes it possible for unauthenticated attackers to inject malicious web scripts via the 'zeromk_user' and 'zeromk_apikluc' parameters through a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
CVE-2023-0674 | 1 Xuxueli | 1 Xxl-job | 2023-02-14 | N/A | 6.5 MEDIUM |
A vulnerability, which was classified as problematic, has been found in XXL-JOB 2.3.1. Affected by this issue is some unknown functionality of the file /user/updatePwd of the component New Password Handler. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-220196. | |||||
CVE-2020-4675 | 4 Ibm, Linux, Microsoft and 1 more | 6 Aix, Infosphere Master Data Management Server, Linux On Ibm Z and 3 more | 2023-02-14 | 4.3 MEDIUM | 6.5 MEDIUM |
IBM InfoSphere Master Data Management Server 11.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 186324. | |||||
CVE-2022-27628 | 1 Wzone Project | 1 Wzone | 2023-02-13 | N/A | 6.5 MEDIUM |
Cross-Site Request Forgery (CSRF) vulnerability in AA-Team WZone – Lite Version plugin 3.1 Lite versions. | |||||
CVE-2018-1098 | 2 Fedoraproject, Redhat | 2 Fedora, Etcd | 2023-02-12 | 6.8 MEDIUM | 8.8 HIGH |
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send. | |||||
CVE-2013-2034 | 1 Cloudbees | 1 Jenkins | 2023-02-12 | 6.8 MEDIUM | N/A |
Multiple cross-site request forgery (CSRF) vulnerabilities in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x before 1.466.14.1 and 1.480.x before 1.480.4.1 allow remote attackers to hijack the authentication of administrators for requests that (1) execute arbitrary code or (2) initiate deployment of binaries to a Maven repository via unspecified vectors. | |||||
CVE-2013-0328 | 1 Jenkins | 1 Jenkins | 2023-02-12 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |