Search Results (9419 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-49655 1 Jenkins 1 Matlab 2025-02-13 8.8 High
A cross-site request forgery (CSRF) vulnerability in Jenkins MATLAB Plugin 2.11.0 and earlier allows attackers to have Jenkins parse an XML file from the Jenkins controller file system.
CVE-2023-0480 1 Vitalpbx 1 Vitalpbx 2025-02-13 8.8 High
VitalPBX version 3.2.3-8 allows an unauthenticated external attacker to obtain the instance administrator's account. This is possible because the application is vulnerable to CSRF.
CVE-2023-4047 3 Debian, Mozilla, Redhat 7 Debian Linux, Firefox, Enterprise Linux and 4 more 2025-02-13 8.8 High
A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.
CVE-2023-32344 2 Ibm, Netapp 2 Cognos Analytics, Oncommand Insight 2025-02-13 4.3 Medium
IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 is vulnerable to form action hijacking where it is possible to modify the form action to reference an arbitrary path. IBM X-Force ID: 255898.
CVE-2021-26296 2 Apache, Netapp 2 Myfaces, Oncommand Insight 2025-02-13 7.5 High
In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.
CVE-2024-36669 1 Idccms Project 1 Idccms 2025-02-13 5.4 Medium
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component admin/type_deal.php?mudi=add.
CVE-2024-36668 1 Idccms Project 1 Idccms 2025-02-13 5.4 Medium
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component admin/type_deal.php?mudi=del
CVE-2024-36667 1 Idccms Project 1 Idccms 2025-02-13 8.8 High
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/idcProType_deal.php?mudi=add&nohrefStr=close
CVE-2024-36550 1 Idccms 1 Idccms 2025-02-13 8.8 High
idccms V1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admin/vpsCompany_deal.php?mudi=add&nohrefStr=close
CVE-2024-36549 1 Idccms 1 Idccms 2025-02-13 8.8 High
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admin/vpsCompany_deal.php?mudi=rev&nohrefStr=close
CVE-2024-36548 2 Idccms, Idccms Project 2 Idccms, Idccms 2025-02-13 5.4 Medium
idccms V1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via admin/vpsCompany_deal.php?mudi=del
CVE-2024-36547 1 Idccms 1 Idccms 2025-02-13 8.8 High
idccms V1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component admin/vpsClass_deal.php?mudi=add
CVE-2023-2552 1 Bumsys Project 1 Bumsys 2025-02-12 8.8 High
Cross-Site Request Forgery (CSRF) in GitHub repository unilogies/bumsys prior to 2.1.1.
CVE-2020-19803 1 Doyocms Project 1 Doyocms 2025-02-11 8.8 High
Cross Site Request Forgery vulnerability found in Milken DoyoCMS v.2.3 allows a remote attacker to execute arbitrary code via the background system settings.
CVE-2023-25411 1 Aten 2 Pe8108, Pe8108 Firmware 2025-02-11 4.3 Medium
Aten PE8108 2.4.232 is vulnerable to Cross Site Request Forgery (CSRF).
CVE-2024-48962 1 Apache 1 Ofbiz 2025-02-11 8.8 High
Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue.
CVE-2023-28848 1 Nextcloud 1 User Oidc 2025-02-11 4.8 Medium
user_oidc is the OIDC connect user backend for Nextcloud, an open source collaboration platform. A vulnerability in versions 1.0.0 until 1.3.0 effectively allowed an attacker to bypass the state protection as they could just copy the expected state token from the first request to their second request. Users should upgrade user_oidc to 1.3.0 to receive a patch for the issue. No known workarounds are available.
CVE-2023-27520 1 Epson 240 Esifnw1, Esifnw1 Firmware, Esnsb1 and 237 more 2025-02-10 6.5 Medium
Cross-site request forgery (CSRF) vulnerability in SEIKO EPSON printers/network interface Web Config allows a remote unauthenticated attacker to hijack the authentication and perform unintended operations by having a logged-in user view a malicious page. [Note] Web Config is the software that allows users to check the status and change the settings of SEIKO EPSON printers/network interface via a web browser. According to SEIKO EPSON CORPORATION, it is also called as Remote Manager in some products. Web Config is pre-installed in some printers/network interface provided by SEIKO EPSON CORPORATION. For the details of the affected product names/model numbers, refer to the information provided by the vendor.
CVE-2023-29003 1 Svelte 1 Sveltekit 2025-02-10 8.8 High
SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. While the implementation does a sufficient job in mitigating common CSRF attacks, prior to version 1.15.1, the protection can be bypassed by simply specifying a different `Content-Type` header value. If abused, this issue will allow malicious requests to be submitted from third-party domains, which can allow execution of operations within the context of the victim's session, and in extreme scenarios can lead to unauthorized access to users’ accounts. SvelteKit 1.15.1 updates the `is_form_content_type` function call in the CSRF protection logic to include `text/plain`. As additional hardening of the CSRF protection mechanism against potential method overrides, SvelteKit 1.15.1 is now performing validation on `PUT`, `PATCH` and `DELETE` methods as well. This latter hardening is only needed to protect users who have put in some sort of `?_method= override` feature themselves in their `handle` hook, so that the request that resolve sees could be `PUT`/`PATCH`/`DELETE` when the browser issues a `POST` request.
CVE-2024-2449 1 Progress 1 Loadmaster 2025-02-10 7.5 High
A cross-site request forgery vulnerability has been identified in LoadMaster.  It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator.