13 matches found

EUVD
added 2026/05/26 4:45 p.m., 11 views

EUVD-2026-31889

Lack of CSRF token validation leads to a CSRF attack vector in the admin activation endpoint of comusers...

CVSS 4.6, AI score 5.8, EPSS 0.00104
Exploits: 0, References: 1
CNNVD
added 2026/05/26 12:0 a.m., 7 views

Joomla! CMS Cross-Site Request Forgery Vulnerability

Joomla! CMS is a content management system developed under the open source Joomla! framework. Joomla! CMS has a cross-site request forgery vulnerability, which stems from the lack of CSRF token validation. This vulnerability may lead to cross-site request forgery attacks at the comusers...

CVSS 4.6, AI score 5.7, EPSS 0.00104
Exploits: 0, References: 1
CNNVD
added 2026/05/21 12:0 a.m., 7 views

Concrete CMS Cross-Site Request Forgery Vulnerability

Concrete CMS is an open-source content management system developed by Concrete CMS. Versions of Concrete CMS 9.5.0 and earlier had a cross-site request forgery vulnerability. This vulnerability stemmed from the lack of validation of CSRF tokens, which could allow attackers to overwrite PHP files...

CVSS 8.8, AI score 5.8, EPSS 0.00171
Exploits: 0, References: 1
OSV
added 2026/05/20 3:45 p.m., 4 views

GHSA-9QV9-8XV6-5P35 phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation

Summary: The password reset API can be triggered without authentication and without any out-of-band confirmation step. If an attacker knows a valid username + email pair, they can call the reset endpoint directly. The application immediately generates a new password, writes it to the account, and...

CVSS 8.2, AI score 5.8, EPSS 0.00241
Exploits: 0, References: 2
EUVD
added 2026/05/17 12:11 p.m., 9 views

EUVD-2018-21847

Joomla! Component Js Jobs 1.2.0 contains a cross-site request forgery vulnerability that allows attackers to perform state-changing actions without token validation. Attackers can craft malicious HTML forms targeting administrative endpoints like job.jobenforcedelete to delete job entries or modi...

CVSS 6.9, AI score 5.7, EPSS 0.00143
Exploits: 0, References: 4
Snyk
added 2026/04/29 9:58 p.m., 6 views

Improper Authentication

Overview: admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Improper Authentication in the handleIntrospectionRequest and handleRevocationRequest functions. An attacker can gain unauthorized...

CVSS 8.2, AI score 5.9, EPSS 0.00323
Exploits: 0, References: 2
OSV
added 2026/03/31 11:10 p.m., 2 views

GHSA-G3MX-8JM6-RC85 Admidio has Missing CSRF Protections on Custom List Deletion in mylist_function.php

Reported by: Juan Felipe Oz (@JF0x0r). Summary: The delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations —...

CVSS 4.6, AI score 6, EPSS 0.00123
Exploits: 1, References: 4
CNNVD
added 2023/11/16 12:0 a.m., 2 views

Desdev DedeCMS Cross-Site Request Forgery Vulnerability

Desdev DedeCMS (Dream Weaving Content Management System) is a PHP-based open-source content management system (CMS) from the Chinese company Zhuozhuo Network (Desdev). The system provides content publishing, content management, content editing and content retrieval functions. A cross-site request forgery...

CVSS 8.8, AI score 6.8, EPSS 0.00323
Exploits: 1, References: 2
OSV
added 2022/07/17 11:15 a.m., 5 views

CVE-2022-2133

The OAuth Single Sign On WordPress plugin before 6.22.6 doesn't validate that OAuth access token requests are legitimate, which allows attackers to log onto the site knowing only a user's email address...

CVSS 5.3, AI score 5.6, EPSS 0.00988
Exploits: 2, References: 1
CNNVD
added 2022/04/11 12:0 a.m., 2 views

Webmin Cross-Site Request Forgery Vulnerability

Webmin is a set of Web-based system administration tools for Unix-like operating systems from the Webmin community. A cross-site request forgery vulnerability exists in Webmin version 1.973, which stems from the lack of token validation for cross-site request forgery in the file management...

CVSS 8.8, AI score 5.4, EPSS 0.02594
Exploits: 1, References: 3
CNNVD
added 2022/02/15 12:0 a.m., 2 views

Wiki Scratch -confirmaccount-v3 Cross-Site Request Forgery Vulnerability

Wiki Scratch -confirmaccount-v3 is a software application. Wiki Scratch -confirmaccount-v3 suffers from a cross-site request forgery vulnerability that stems from the software's lack of validation for cross-site request forgery tokens. An attacker could use this vulnerability to modify an account...

CVSS 6.5, AI score 6.4, EPSS 0.00476
Exploits: 0, References: 3
CNNVD
added 2021/12/09 12:0 a.m., 3 views

ZZCMS Cross-Site Request Forgery Vulnerability

ZZCMS is a content management system (CMS) by the Zzcms team in China. ZZZCMS V1.7.1 suffers from a cross-site request forgery vulnerability, which stems from the lack of token validation for cross-site request forgery in the saveuser function in save.php...

CVSS 8.8, AI score 7.7, EPSS 0.00526
Exploits: 1, References: 2
CNVD
added 2017/04/27 12:0 a.m., 2 views

Cross-site scripting and cross-site request forgery vulnerabilities in metinfo

metinfo cms is an enterprise website management system built on a PHP and MySQL architecture. There are cross-site scripting and cross-site request forgery vulnerabilities in metinfo. The metinfo cms "background settings-basic information-third-party code" form does not have token validation and effective...

AI score 6.1
Exploits: 0