797 matches found
CVE-2014-8305
Open redirect vulnerability in the redir function in includes/function.php in C97net Cart Engine before 4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header to (1) index.php, (2) cart.php, (3) msg.php, or (4) page.php...
CVE-2025-46721 nosurf vulnerable to CSRF due to non-functional same-origin request checks
nosurf is cross-site request forgery (CSRF) protection middleware for Go. A vulnerability in versions prior to 1.2.0 allows an attacker who controls content on the target site, or on a subdomain of the target site (either via XSS, or otherwise), to bypass CSRF checks and issue requests on user's behal...
CVE-2025-24358
gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. It executes its validation of the Referer header for cross-origin requests only when it believes...
DEBIAN-CVE-2025-24358
gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. It executes its validation of the Referer header for cross-origin requests only when it believes...
UBUNTU-CVE-2025-24358
gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. It executes its validation of the Referer header for cross-origin requests only when it believes...
BIT-DOLIBARR-2020-9016
Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header...
The vulnerability of the 3DSecure (3DS2) protocol, related to the manipulation of cross-site requests, allows a perpetrator to carry out a CSRF attack.
The vulnerability of the 3DSecure (3DS2) protocol is related to the manipulation of cross-site requests. Exploiting this vulnerability allows a malicious actor to perform a CSRF attack by altering the HTTP headers Origin and Referer...
The vulnerability of the TP-Link TL-WR840N router's firmware, related to deficiencies in authentication procedures, allows attackers to circumvent existing security restrictions.
The vulnerability of the TP-Link TL-WR840N router's firmware is related to deficiencies in authentication procedures. Exploiting this vulnerability allows a malicious actor to circumvent existing security restrictions by sending a specially crafted request with the Referer header set...
The vulnerability of the TP-Link Archer C20 router's firmware, related to deficiencies in authentication procedures, allows attackers to circumvent existing security restrictions.
The vulnerability of the TP-Link Archer C20 router's firmware is related to deficiencies in authentication procedures. Exploiting this vulnerability allows a malicious actor to circumvent existing security restrictions by adding the header "Referer: http://tplinkwifi.net" to the...
CVE-2024-57050
A vulnerability in the TP-Link WR840N v6 router with firmware version 0.9.1 4.16 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory. When adding Referer: http://tplinkwifi.net to the request, it will be recognized as passing th...
CVE-2024-57049
A vulnerability in the TP-Link Archer c20 router with firmware version V6.6230412 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory. When adding Referer: http://tplinkwifi.net to the request, it will be recognized as passing...
TP-LINK Archer C20 Security Vulnerability
TP-LINK Archer C20 is a router made by the Chinese vendor TP-LINK. A security vulnerability exists in TP-LINK Archer C20 version V6.6230412 and prior versions. An attacker exploiting this vulnerability could add Referer: http://tplinkwifi.net to a request to be recognized as authenticated...
PT-2025-6736
Name of the Vulnerable Software and Affected Versions: TP-Link Archer C20 router versions V6.6230412 and earlier. Description: A vulnerability in the TP-Link Archer C20 router permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory. By adding a...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Referer HTTP header due to improper sanitization. Details: Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker "injects" a malicious script into an otherwise trusted website...
CVE-2024-56517 LGSL has a reflected XSS at /lgsl_files/lgsl_list.php
LGSL (Live Game Server List) provides online status lists for online video games. Versions up to and including 6.2.1 contain a reflected cross-site scripting vulnerability in the Referer HTTP header. The vulnerability allows attackers to inject arbitrary JavaScript code, which is reflected in the...
PT-2024-36827 · Lgsl · Lgsl
Name of the Vulnerable Software and Affected Versions: LGSL (Live Game Server List) versions up to and including 6.2.1. Description: The issue is related to a reflected cross-site scripting vulnerability in the Referer HTTP header. This vulnerability allows attackers to inject arbitrary JavaScript...
pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API
Summary: The folder /.pyload/scripts has scripts which are run when certain actions are completed, e.g. when a download is finished. By downloading an executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved. A file can be downloaded to such...
WordPress Ninja Forms Contact Form plugin <= 3.8.15 - Reflected Self-Based Cross-Site Scripting via Referer vulnerability
Reflected Self-Based Cross-Site Scripting via Referer vulnerability discovered by wesley wcraft in WordPress Plugin Ninja Forms versions <= 3.8.15...
CVE-2024-3866
The Ninja Forms Contact Form plugin for WordPress is vulnerable to Reflected Self-Based Cross-Site Scripting via the 'Referer' header in all versions up to, and including, 3.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...