| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A vulnerability classified as problematic was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.3.9. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Start Windocks Containers Plugin 1.4 and earlier allows attackers to connect to an attacker-specified URL. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Themis Plugin 1.4.1 and earlier allows attackers to connect to an attacker-specified HTTP server. |
| Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tricked a user into giving up their Geode session credentials to submit malicious commands on the target system on behalf of the authenticated user.
This issue affects Apache Geode: versions 1.10 through 1.15.1
Users are recommended to upgrade to version 1.15.2, which fixes the issue. |
| An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Loading Special:MergeLexemes will (attempt to) make an edit that merges the from-id to the to-id, even if the request was not a POST request, and even if it does not contain an edit token. |
| A cross-site request forgery (csrf) vulnerability exists in the boa CSRF protection functionality of Realtek rtl819x Jungle SDK v3.4.11. A specially crafted network request can lead to CSRF. An attacker can send an HTTP request to trigger this vulnerability. |
| An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. There is no CSRF protection. |
| An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. POST requests don't require (anti-)CSRF tokens or other mechanisms for validating that the request is from a legitimate source. In addition, CSRF attacks can be used to send text directly to the RAW printer interface. For example, an attack could deliver a worrisome printout to an end user. |
| The Visit Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the widgets.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| Cross site request forgery (CSRF) vulnerability in KeeneticOS before 4.3 at "/rci" API endpoint allows attackers to take over the device via adding additional users with full permissions by managing the victim to open page with exploit. |
| The web application is not protected against cross-site request forgery attacks. Therefore, an attacker can trick users into performing actions on the application when they visit an attacker-controlled website or click on a malicious link. E.g. an attacker can forge malicious links to reset the admin password or create new users. |
| An issue was discovered in BAE SOCET GXP before 4.6.0.2. The SOCET GXP Job Status Service does not implement CSRF protections. An attacker who social engineers a valid user into clicking a malicious link or visiting a malicious website may be able to submit requests to the Job Status Service without the user's knowledge. |
| A vulnerability, which was classified as problematic, was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999. This affects an unknown part of the file AdminTypeCustController.java. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. |
| Quick.Cart is vulnerable to Cross-Site Request Forgery in product creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious product with content defined by the attacker.
This software does not implement any protection against this type of attack. All forms available in this software are potentially vulnerable.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. |
| A cross-site request forgery security issue exists in the product and version listed. The vulnerability stems from missing CSRF checks on the impacted form. This allows for unintended configuration modification if an attacker can convince a logged in admin to visit a crafted link. |
| Wimi Teamwork versions prior to 7.38.17 contains a cross-site request forgery (CSRF) vulnerability in its API. The API accepts any authenticated request that contains a JSON field named 'csrf_token' without validating the field’s value; only the presence of the field is checked. An attacker can craft a cross-site request that causes a logged-in victim’s browser to submit a JSON POST containing an arbitrary or empty 'csrf_token', and the API will execute the request with the victim’s privileges. Successful exploitation can allow an attacker to perform privileged actions as the victim potentially resulting in account takeover, privilege escalation, or service disruption. |
| Multiple CSRF attack vectors in JDownloads component 1.0.0-4.0.47 for Joomla were discovered. |
| FluxCP is a web-based Control Panel for rAthena servers written in PHP. A critical Cross-Site Request Forgery (CSRF) vulnerability exists in the FluxCP-based website template used by multiple rAthena/Ragnarok servers. State-changing POST endpoints accept browser-initiated requests that are authorized solely by the session cookie without per-request anti-CSRF tokens or robust Origin/Referer validation. An attacker who can lure a logged-in user to an attacker-controlled page can cause that user to perform sensitive actions without their intent. This vulnerability is fixed with commit e3f130c. |
