774 matches found
CVE-2024-50857
The ipdojob request in GestioIP v3.5.7 is vulnerable to Cross-Site Scripting XSS. It allows data exfiltration and enables CSRF attacks. The vulnerability requires specific user permissions within the application to exploit successfully...
CVE-2024-50861
The ipmoddnskeyform.cgi request in GestioIP v3.5.7 is vulnerable to Stored XSS. An attacker can inject malicious code into the "TSIG Key" field, which is saved in the database and triggers XSS when viewed, enabling data exfiltration and CSRF attacks...
CVE-2024-51488
Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing does not adequately validate CSRF tokens when users delete messages. This vulnerability could be exploited to forge CSRF attacks, allowing an attacker to delete messages to any...
CVE-2023-4013
The GDPR Cookie Compliance CCPA, DSGVO, Cookie Consent WordPress plugin before 4.12.5 does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins update and deactivate the plugin's license via CSRF attacks...
CVE-2023-3547
The All in One B2B for WooCommerce WordPress plugin through 1.0.3 does not properly check nonce values in several actions, allowing an attacker to perform CSRF attacks...
CVE-2023-2628
The KiviCare WordPress plugin before 3.2.1 does not have CSRF checks either flawed or missing completely in various AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. This includes, but is not limited to: Delete arbitrary...
CVE-2022-2839
The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them t...
CVE-2022-24947
Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover. Apache JSPWiki users should upgrade to 2.11.2 or later...
CVE-2022-2276
The WP Edit Menu WordPress plugin before 1.5.0 does not have authorisation and CSRF in an AJAX action, which could allow unauthenticated attackers to delete arbitrary posts/pages from the blog...
CVE-2021-29624
fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service...
CVE-2020-35626
An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks against onSkinAddFooterLinks in PushToWatch.php...
CVE-2020-23426
zzcms 201910 contains an access control vulnerability through escalation of privileges in /user/adv.php, which allows an attacker to modify data for further attacks such as CSRF...
CVE-2018-19911
FreeSWITCH through 1.8.2, when modxmlrpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system or api/bgsystem or txtapi/bgsystem query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF...
CVE-2019-0235
Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks...
CVE-2018-20872
DrayTek routers before 2018-05-23 allow CSRF attacks to change DNS or DHCP settings, a related issue to CVE-2017-11649...
CVE-2024-8286 GDPR Cookie Consent <= 2.6.0 - Bulk Delete via CSRF
The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting visit logs via CSRF attacks...
CVE-2024-6712 MapFig Studio <= 0.2.1 - Stored XSS via CSRF
The MapFig Studio WordPress plugin through 0.2.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-12301 JSP Store Locator <= 1.0 - Deletion via Missing CSRF
The JSP Store Locator WordPress plugin through 1.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
CVE-2024-11719
The CVE-2024-11719 entry concerns the tarteaucitron-wp WordPress plugin prior to version 0.3.0, which lacks CSRF checks in certain areas and omits sanitisation and escaping. This could allow a logged-in attacker to trigger a Stored XSS payload via a CSRF attack. The issue is documented across mul...
PT-2025-21518 · Unknown · Webtoffee-Gdpr-Cookie-Consent
Name of the Vulnerable Software and Affected Versions: webtoffee-gdpr-cookie-consent versions prior to 2.6.1 Description: The issue concerns the lack of CSRF checks in some bulk actions, which could allow attackers to make logged-in admins perform unwanted actions, such as deleting visit logs via...