1834 matches found
PT-2022-27411 · Plesk · Plesk Obsidian
Name of the Vulnerable Software and Affected Versions: Plesk Obsidian Description: The issue allows a CSRF attack, for example, via the "/api/v2/cli/commands" REST API to change an Admin password. This affects Plesk Obsidian, which is a specific version of the Plesk product where versions are...
CVE-2022-45130
Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. NOTE: Obsidian is a specific version of the Plesk product: version numbers were used through version 12, and then the convention was changed so that versions are identified by names...
CVE-2022-30694
Summary: CVE-2022-30694 is a CSRF vulnerability in the Siemens web server login endpoint "/FormLogin" that can allow an authenticated attacker to track other users’ activities by bypassing origin checks. The issue affects multiple Siemens products including SIMATIC Drive Controllers, SIMATIC ET 2...
CVE-2022-2387
The Easy Digital Downloads WordPress plugin before 3.0 does not have a CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history entry. As a result, attackers could make a logged-in admin delete an arbitrary post via a CSRF attack...
Cross site request forgery (csrf)
The Easy Digital Downloads WordPress plugin before 3.0 does not have a CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history entry. As a result, attackers could make a logged-in admin delete an arbitrary post via a CSRF attack...
CVE-2022-20961
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. This vulnerability is due to insufficient CSRF...
Showing URL in QR Code <= 0.0.1 - Stored XSS via CSRF
The plugin does not have a CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin or editor add Stored XSS payloads via a CSRF attack. PoC: Make a logged-in editor or admin open a page with the below payload...
Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. This vulnerability is due to insufficient CSRF...
Booster for WooCommerce - Checkout Files Deletion via CSRF
The plugins do not have a CSRF check in place when deleting files uploaded at the checkout, allowing attackers to make a logged-in shop manager or admin delete them via a CSRF attack. PoC Requirements: - Enable the "Checkout File Upload" module of the plugin...
Appointment Hour Booking < 1.3.72 - Feedback Submission via CSRF
The plugin does not have a CSRF check when submitting feedback, which could allow attackers to make logged-in users perform this action on their behalf via a CSRF attack...
My wpdb < 2.5 - Arbitrary SQL Query via CSRF
The plugin is missing a CSRF check when running SQL queries, which could allow an attacker to make a logged-in admin run an arbitrary SQL query via a CSRF attack. PoC...
Cross site request forgery (csrf)
The AdminPad WordPress plugin before 2.2 does not have a CSRF check when updating the admin's note, allowing attackers to make a logged-in admin update their notes via a CSRF attack...
CVE-2022-3097 LBStopAttack < 1.1.3 - Arbitrary Settings Update via CSRF
The LBStopAttack WordPress plugin before 1.1.3 does not use nonces when saving its settings, making it possible for attackers to conduct CSRF attacks. This could allow attackers to disable the plugin's protections...
GHSA-G66M-FQXF-3W35 CSRF protection for any URL can be bypassed in Jenkins Pipeline: Input Step Plugin
Pipeline: Input Step Plugin 451.vf1aa4f405289 and earlier does not restrict or sanitize the optionally specified ID of the input step. This ID is used for the URLs that process user interactions for the given input step (proceed or abort) and is not correctly encoded. This allows attackers able to...
CVE-2022-23771 IPTIME NAS1DUAL CSRF Vulnerability
This vulnerability occurs in the user account creation and deletion pages of IPTIME NAS products. The vulnerability can be exploited because of a lack of validation when a POST request is made to these pages. An attacker can use this vulnerability to create or delete user accounts, or to escalate arbitrar...
CVE-2022-3151 WP Custom Cursors < 3.0.1 - Arbitrary Cursor Deletion via CSRF
The WP Custom Cursors WordPress plugin before 3.0.1 does not have a CSRF check in place when deleting cursors, which could allow attackers to make a logged-in admin delete arbitrary cursors via a CSRF attack...
PT-2022-20779 · WordPress · Wp Custom Cursors
Name of the Vulnerable Software and Affected Versions: WP Custom Cursors WordPress plugin versions prior to 3.0.1 Description: The issue concerns a lack of CSRF check when deleting cursors, potentially allowing attackers to trick logged-in admins into deleting arbitrary cursors via a CSRF attack...
Cross site request forgery (csrf)
The Simple File List WordPress plugin before 4.4.12 does not implement nonce checks, which could allow attackers to make a logged-in admin create a new page and change its content via a CSRF attack...