6 matches found
CVE-2026-41194
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as GET /mailbox/oauth-disconnect/id/inout/provider. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF...
EUVD-2026-24225
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as GET /mailbox/oauth-disconnect/id/inout/provider. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF...
CVE-2026-41194 FreeScout's Mailbox OAuth disconnect uses a state-changing GET and is CSRFable
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as GET /mailbox/oauth-disconnect/id/inout/provider. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF...
CVE-2026-41194
FreeScout before 1.8.215 exposes a GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider} action that removes stored OAuth metadata without CSRF protection, enabling cross-site triggering against a logged-in mailbox admin. Root cause: GET route lacks CSRF token validation. Impact: potential unaut...
CVE-2026-3903
The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing nonce validation on the postConfirmOauth function. This makes it possible for unauthenticated attacker...
CVE-2026-3903
CVE-2026-3903 concerns the Modular DS: Monitor, update, and backup multiple websites plugin for WordPress (Modular Connector