31 matches found
CVE-2026-34403
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens...
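The advisory's root cause is a CheckOrigin callback that accepts every Origin. The following is an added example, not nginx-ui's or gorilla/websocket's own code: it shows that insecure callback next to two replacements with the same `func(*http.Request) bool` shape that gorilla's Upgrader.CheckOrigin expects (a same-origin check, which is what gorilla applies by default when CheckOrigin is nil, and an explicit allowlist). gorilla/websocket is not imported; the host names and the allowlist are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// checkOriginInsecure is the pattern the advisory describes: the Upgrader's
// CheckOrigin returns true for every request, so a page on any origin can
// complete the WebSocket handshake and the browser attaches the victim's
// cookies. Shown here only for contrast with the two checks below.
func checkOriginInsecure(r *http.Request) bool {
	return true
}

// originOf returns the normalised "scheme://host[:port]" of the request's
// Origin header and false if the header is missing, malformed, or "null".
func originOf(r *http.Request) (string, bool) {
	raw := r.Header.Get("Origin")
	if raw == "" {
		return "", false
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", false // also rejects the literal "null" origin (no scheme/host)
	}
	return strings.ToLower(u.Scheme + "://" + u.Host), true
}

// checkSameOrigin accepts the handshake only when the Origin host equals the
// Host the request was sent to. A request without an Origin header is treated
// as a non-browser client (browsers always send Origin on a WS handshake).
func checkSameOrigin(r *http.Request) bool {
	raw := r.Header.Get("Origin")
	if raw == "" {
		return true
	}
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	return strings.EqualFold(u.Host, r.Host)
}

// newOriginAllowlist returns a CheckOrigin-compatible function that accepts
// only the listed origins (exact scheme+host match, case-insensitive). Use it
// when the UI is served from a different origin than the API, where a strict
// same-origin check would break legitimate clients.
func newOriginAllowlist(allowed []string) func(r *http.Request) bool {
	set := make(map[string]struct{}, len(allowed))
	for _, a := range allowed {
		set[strings.ToLower(a)] = struct{}{}
	}
	return func(r *http.Request) bool {
		if r.Header.Get("Origin") == "" {
			return true // non-browser client, same policy as checkSameOrigin
		}
		o, ok := originOf(r)
		if !ok {
			return false
		}
		_, ok = set[o]
		return ok
	}
}

func main() {
	// Constructed handshake requests: one from the UI's own origin and one from
	// an attacker-controlled page. Both host names are hypothetical.
	allow := newOriginAllowlist([]string{"https://nginx-ui.internal"})
	for _, origin := range []string{"https://nginx-ui.internal", "https://attacker.example"} {
		r, _ := http.NewRequest("GET", "https://nginx-ui.internal/api/ws", nil)
		r.Header.Set("Origin", origin)
		fmt.Printf("%-28s insecure=%v sameOrigin=%v allowlist=%v\n",
			origin, checkOriginInsecure(r), checkSameOrigin(r), allow(r))
	}
}
```

Either replacement is assigned to the Upgrader's CheckOrigin field. Note that an Origin check only defends against browser-initiated cross-site handshakes; a non-browser client can set any Origin it likes, so the endpoint still needs its normal authentication on top of this check.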
EUVD-2023-0689
Malicious code in bioql PyPI...
CVE-2021-24714
The Import any XML or CSV File to WordPress plugin before 3.6.3 does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...
Kashipara E-learning Management System Security Vulnerability
Kashipara E-learning Management System is a learning management system from Kashipara Inc. A security vulnerability exists in Kashipara E-learning Management System version 1.0: it is susceptible to stored cross-site scripting, which allows remote attackers to execute arbitrar...
SUSE CVE-2024-1727
A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim's server, an attacker can deplete...
CVE-2021-4399
The Edwiser Bridge plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.6. This is due to missing or incorrect nonce validation on the user_data_synchronization_initiater, course_synchronization_initiater, users_link_to_moodle_synchronization,...
quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure
A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to /, then a cross-site attack may be initiated, which might lead to information disclosure...
CVE-2023-0044
If the Quarkus Form Authentication session cookie Path attribute is set to /, then a cross-site attack may be initiated, which might lead to information disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature...
Design/Logic Flaw
If the Quarkus Form Authentication session cookie Path attribute is set to /, then a cross-site attack may be initiated, which might lead to information disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature...
CVE-2023-0044
CVE-2023-0044 concerns Quarkus Form Authentication: if the session cookie Path is set to “/”, a cross-site attack may disclose information. The issue is described across multiple sources tied to Quarkus advisories (Red Hat RHSA entries and IBM/OSV records) and is mitigated by the Quarkus CSRF Pre...
CVE-2022-47130
A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows a discount coupon to be arbitrarily created if an attacker with administrative privileges interacts on the CSRF page...
CVE-2023-0044
A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to /, then a cross-site attack may be initiated, which might lead to information disclosure. Mitigation: This attack can be prevented with the Quarkus CSRF Prevention feature...
Discourse Cross-Site Scripting Vulnerability
Discourse is an open source community discussion platform. The platform includes features such as community, email and chat rooms. A cross-site scripting vulnerability exists in Discourse version 2.8.10 and earlier, 2.9.0.beta11 and earlier, which can be exploited by attackers to inject malicious...
PT-2022-5005 · Hitachi Energy · Hitachi Energy Msm
Name of the Vulnerable Software and Affected Versions: Hitachi Energy MSM versions V2.2 and prior Description: A vulnerability exists in the HTTP web interface where it does not sufficiently verify if a well-formed, valid, consistent request was intentionally provided by the user who submitted th...
Google Android Input Validation Error Vulnerability (CNVD-2022-13210)
Google Android is a Linux-based open source operating system from Google, Inc. Google Android is vulnerable to an input validation error that could be exploited by attackers to trigger a cross-site attack on a victim's device...
Google Android Cross-Site Scripting Vulnerability
Google Android is a Linux-based open source operating system from Google, Inc. Google Android is vulnerable to an input validation error that could be exploited by attackers to trigger a cross-site attack on a victim's device...
Cross-Site Request Forgery (CSRF) in myvesta/vesta
Description: An attacker is able to delete any file on the server if a logged-in user visits the attacker's website. Proof of Concept: Create a test.txt file under /home/user; while logged in, open this PoC.html in a browser and check that test.txt is deleted. //PoC.html history.pushState('', '', '/')...
Couchbase Server Cross-Site Request Forgery Vulnerability
Couchbase Server is a distributed open source NoSQL non-relational database from the U.S. company Couchbase, which mainly supports data query, full-text search, active global replication and other functions. A cross-site request forgery vulnerability exists in Couchbase Server version 6.0. ...