PT-2022-21089 · WordPress · Simple File List
Name of the Vulnerable Software and Affected Versions: Simple File List WordPress plugin versions prior to 4.4.12 Description: The issue concerns the lack of nonce checks in the Simple File List WordPress plugin, which could allow attackers to perform a CSRF attack. This attack could enable...
PT-2022-5101 · Cisco · Cisco Expressway Series +1
Name of the Vulnerable Software and Affected Versions: Cisco Expressway Series and Cisco TelePresence VCS, affected versions not specified Description: The issue is a cross-site request forgery (CSRF) attack. It is caused by insufficient CSRF protections for the web-based management...
CVE-2022-39268
Impact In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user...
CVE-2022-39268 orchest vulnerable to cross-site request forgery that allows control of a user instance
CVE-2022-39268 affects Orchest, specifically the auth-server component. The vulnerability is a Cross-Site Request Forgery (CSRF) issue in which an attacker tricks an innocent user into submitting unintended requests, potentially leaking data or altering session state or user accounts. A fix is avail...
CVE-2022-3098 Login Block IPs <= 1.0.0 - Arbitrary Setting Update via CSRF
The Login Block IPs WordPress plugin through 1.0.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
CVE-2022-3025 Bitcoin / Altcoin Faucet <= 1.6.0 - Settings Update to Stored XSS via CSRF
The Bitcoin / Altcoin Faucet WordPress plugin through 1.6.0 does not have any CSRF check when saving its settings, allowing an attacker to make a logged-in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scriptin...
Cross-site Request Forgery (CSRF)
rdiffweb is vulnerable to cross-site request forgery. The vulnerability exists in the renderprefspanel function in prefnotification.py because the server accepts a GET request to modify repository notification settings, which allows an attacker to disable the notifications sent to user...
PT-2022-4908 · Jenkins · Jenkins Security Inspector Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Security Inspector Plugin versions 117.v6eecc36919c2 and earlier Description: The issue is insufficient authentication of executed POST requests, allowing a remote attacker to perform a cross-site request forgery (CSRF) attac...
PT-2022-25747 · Jenkins · Jenkins Build-Publisher Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Build-Publisher Plugin versions 1.22 and earlier Description: The issue allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to...
WordPress plugin WordPress Ping Optimizer cross-site request forgery vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports personal blog sites on servers running PHP and MySQL. A WordPress plugin is an application plugin for the platform. A cross-site request forgery...
CVE-2022-32555
Unisys Data Exchange Management Studio before 6.0.IC2 and 7.x before 7.0.IC1 does not have an anti-CSRF token to authenticate the POST request. Thus, a cross-site request forgery attack could occur...
PT-2022-23185 · Unknown · Xwiki Platform
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions prior to 13.10.5 and 14.3 Description: The issue allows a Cross-Site Request Forgery (CSRF) attack that enables the addition or removal of tags on XWiki pages. Recommendations: For versions prior to 13.10.5, update to...
Login Block IPs <= 1.0.0 - Arbitrary Setting Update via CSRF
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. PoC: Make a logged-in admin open a page containing the HTML code below...
Attacker can turn off 2FA of the Admin
Description: The attacker can turn off the admin's 2FA by performing a CSRF attack. Steps to reproduce: Step 1: Log in as admin on the demo product and navigate to https://demo.corebos.com/index.php?module=Utilities&action=integration&op=getconfig2fa&userlist=1 Step 2: Turn on 2FA and clos...
Captcha Code < 2.8 - Settings Update via CSRF
The plugin does not have a CSRF check when saving its settings, which could allow attackers to make a logged-in admin update them via a CSRF attack...
Simple Bitcoin Faucets <= 1.7.0 - Unauthorised AJAX Call to Stored XSS
The plugin does not have any authorisation or CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and add/delete/edit Bonds. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues. Open a page...
ResMed: [shop.resmed.com]CSRF leads to Unsubscribe victim from Communication and Reward Membership
Hello, Team. While testing on your main domain I discovered a CSRF attack which leads to unsubscribing victims from Communication/Reward Membership. This is more like an in-depth security issue with a reasonable attack scenario. Description: It is possible to unsubscribe a logged-in user from any subscribed...
SEO Scout <= 0.9.83 - Settings Update via CSRF
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...