25 matches found

RedhatCVE
added 2026/05/12 2:21 p.m. · 10 views

CVE-2026-38566

HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms (password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add) are vulnerable to CSRF. An attacker who can...

CVSS 8.1 · AI score 6 · EPSS 0.00168
Exploits 1 · References 1
EUVD
added 2026/05/11 6:31 p.m. · 10 views

EUVD-2026-29114

HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms (password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add) are vulnerable to CSRF. An attacker who can...

AI score 6 · EPSS 0.00168
Exploits 1 · References 4
ATTACKERKB
added 2026/05/11 12:0 a.m. · 7 views

CVE-2026-38566

HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms (password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add) are vulnerable to CSRF. An attacker who can...

AI score 6 · EPSS 0.00168
Exploits 1 · References 4
Cvelist
added 2026/05/11 12:0 a.m. · 34 views

CVE-2026-38566

HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms (password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add) are vulnerable to CSRF. An attacker who can...

EPSS 0.00168
Exploits 1 · References 3
CVE
added 2026/05/11 12:0 a.m. · 13 views

CVE-2026-38566

CVE-2026-38566 affects HireFlow v1.2. The issue is CSRF on all state-changing POST endpoints (e.g., /profile password change, /candidates/delete/, /feedback/add/, /interviews/add) due to missing CSRF token validation and no SESSION_COOKIE_SAMESITE configuration. Root cause: CSRF token validation ...

CVSS 8.1 · AI score 6 · EPSS 0.00168
Exploits 1 · References 3
Positive Technologies
added 2026/05/11 12:0 a.m. · 9 views

PT-2026-39654

Name of the Vulnerable Software and Affected Versions: HireFlow version 1.2. Description: The software fails to implement Cross-Site Request Forgery (CSRF) token validation on state-changing POST endpoints. This allows an attacker to trick an authenticated user into visiting a malicious page to perfor...

CVSS 8.1 · AI score 5.9 · EPSS 0.00168
Exploits 1 · References 7
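The six HireFlow entries above all describe one defect: a state-changing POST handler that accepts any request carrying a valid session cookie, with no per-session CSRF token and no SameSite attribute on that cookie (SESSION_COOKIE_SAMESITE is Django's setting for it). The following is an added example, written for this page and not HireFlow's code nor code from any of the listed sources. It models the vulnerable handler for /candidates/delete/ beside a hardened one that requires a session-bound token in the form body, checks that Origin (or Referer) is the site's own origin, and issues the session cookie with SameSite. The Request type, the in-memory SESSIONS store, the handle_delete_* names, and the origin https://hireflow.example are all assumptions; the forged and legitimate requests are constructed inline.

```python
"""CSRF on a state-changing POST: vulnerable handler beside the hardened one.

Added example; Request, SESSIONS, handle_delete_* and SITE_ORIGIN are
hypothetical stand-ins, not HireFlow code.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

SITE_ORIGIN = "https://hireflow.example"  # assumed deployment origin

# Constructed in-memory session store: session id -> session data.
SESSIONS: Dict[str, dict] = {}


def new_session(user: str) -> str:
    sid = secrets.token_urlsafe(32)
    # The token lives server-side and is bound to this session; a cross-site
    # page cannot read it, so it cannot be placed in a forged form.
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value with the attributes a CSRF-resistant session needs."""
    return f"sessionid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


@dataclass
class Request:
    method: str
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def session_for(req: Request) -> Optional[dict]:
    return SESSIONS.get(req.cookies.get("sessionid", ""))


# Vulnerable: a valid session cookie is the only thing checked, so any
# cross-site POST the victim's browser sends with that cookie succeeds.
def handle_delete_vulnerable(req: Request, candidates: Set[str]) -> int:
    sess = session_for(req)
    if req.method != "POST" or sess is None:
        return 403
    candidates.discard(req.form.get("id", ""))
    return 200


def same_origin(value: str) -> bool:
    # Compare scheme://host[:port] exactly; a prefix test would accept
    # https://hireflow.example.attacker.example.
    p = urlsplit(value)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def csrf_ok(req: Request, sess: dict) -> bool:
    # Fail closed: a request with neither Origin nor Referer is treated as cross-site.
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(source):
        return False
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered by timing.
    return hmac.compare_digest(supplied, sess["csrf_token"])


# Hardened: session cookie + per-session token + same-origin source check.
def handle_delete_hardened(req: Request, candidates: Set[str]) -> int:
    sess = session_for(req)
    if req.method != "POST" or sess is None or not csrf_ok(req, sess):
        return 403
    candidates.discard(req.form.get("id", ""))
    return 200


def demo() -> dict:
    """Run forged and legitimate /candidates/delete/ POSTs through both handlers."""
    sid = new_session("recruiter")
    token = SESSIONS[sid]["csrf_token"]
    base = dict(method="POST", path="/candidates/delete/", cookies={"sessionid": sid})
    # Constructed forged request: the browser attaches the cookie, but the
    # attacker's page cannot read the token and its Origin is its own.
    forged = Request(**base, headers={"Origin": "https://attacker.example"}, form={"id": "42"})
    # Even an attacker who learned the token is stopped by the Origin check.
    forged_with_token = Request(**base, headers={"Origin": "https://attacker.example"},
                                form={"id": "42", "csrf_token": token})
    legit = Request(**base, headers={"Origin": SITE_ORIGIN},
                    form={"id": "42", "csrf_token": token})

    vuln_set, hard_set = {"42", "43"}, {"42", "43"}
    return {
        "vuln_forged": handle_delete_vulnerable(forged, vuln_set),          # 200
        "vuln_remaining": sorted(vuln_set),                                 # ["43"]
        "hard_forged": handle_delete_hardened(forged, hard_set),            # 403
        "hard_forged_with_token": handle_delete_hardened(forged_with_token, hard_set),  # 403
        "hard_legit": handle_delete_hardened(legit, hard_set),              # 200
        "hard_remaining": sorted(hard_set),                                 # ["43"]
    }


if __name__ == "__main__":
    print(demo())
```

The token is meant to be rendered into each form as a hidden field and the hardened handler applied to every state-changing route, not only the one shown. SameSite=Lax on the cookie is a second layer rather than a replacement for the token: the Lax default still sends the cookie on top-level GET navigations, and the advisory's endpoints are POST, so the token and origin check are what actually close the hole.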
CNNVD
added 2025/10/04 12:0 a.m. · 2 views

WordPress plugin WDesignKit security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security...

CVSS 4.3 · AI score 6.6 · EPSS 0.00189
Exploits 0 · References 2
Vulnrichment
added 2024/06/03 10:1 p.m. · 15 views

CVE-2023-27460 WordPress CP Contact Form with PayPal plugin <= 1.3.34 - Missing Authorization Leading To Feedback Submission vulnerability

Missing Authorization vulnerability in CodePeople, paypaldev CP Contact Form with Paypal allows Functionality Misuse. This issue affects CP Contact Form with Paypal: from n/a through 1.3.34...

CVSS 4.3 · AI score 6.9 · EPSS 0.00377
Exploits 0 · References 1
Cvelist
added 2024/06/03 9:37 p.m. · 25 views

CVE-2023-26521 WordPress Search in Place plugin <= 1.0.104 - Missing Authorization Leading To Feedback Submission vulnerability

Missing Authorization vulnerability in CodePeople Search in Place allows Functionality Misuse. This issue affects Search in Place: from n/a through 1.0.104...

CVSS 4.3 · AI score 4.7 · EPSS 0.00313
Exploits 0 · References 1
WPVulnDB
added 2024/02/26 12:0 a.m. · 7 views

User Feedback < 1.0.14 - Unauthenticated Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the 'pagesubmitted' 'link' value due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the feedback submission page that will execu...

CVSS 6.1 · AI score 6.4 · EPSS 0.00438
Exploits 0 · References 1 · Affected Software 1
Vulnrichment
added 2024/02/22 5:32 a.m. · 9 views

CVE-2024-0903

The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagesubmitted' 'link' value in all versions up to, and including, 1.0.13 due to insufficient input sanitization and output escaping...

CVSS 5.4 · AI score 5.4 · EPSS 0.00438
Exploits 0 · References 2
NVD
added 2024/02/14 7:15 a.m. · 14 views

CVE-2024-22455

Dell Mobility - E-Lab Navigator, versions 3.1.9, 3.2.0, contains an Authorization Bypass Through User-Controlled Key vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to Launch of phishing attacks...

CVSS 4.6 · AI score 4.7 · EPSS 0.0028
Exploits 0 · References 1
Prion
added 2024/02/14 7:15 a.m. · 22 views

Design/Logic Flaw

Dell E-Lab Navigator, 3.1.9, 3.2.0, contains an Insecure Direct Object Reference Vulnerability in Feedback submission. An attacker could potentially exploit this vulnerability, to manipulate the email's appearance, potentially deceiving recipients and causing reputational and security risks...

CVSS 3.3 · AI score 7.2 · EPSS 0.0028
Exploits 0 · References 1
Cvelist
added 2024/02/14 7:1 a.m. · 18 views

CVE-2024-22455

Dell Mobility - E-Lab Navigator, versions 3.1.9, 3.2.0, contains an Authorization Bypass Through User-Controlled Key vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to Launch of phishing attacks...

CVSS 4.4 · AI score 5 · EPSS 0.0028
Exploits 0 · References 1
Vulnrichment
added 2024/02/14 7:1 a.m. · 18 views

CVE-2024-22455

Dell Mobility - E-Lab Navigator, versions 3.1.9, 3.2.0, contains an Authorization Bypass Through User-Controlled Key vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to Launch of phishing attacks...

CVSS 4.4 · AI score 4.7 · EPSS 0.0028
Exploits 0 · References 1
CVE
added 2024/02/14 7:1 a.m. · 37 views

CVE-2024-22455

Dell Mobility - E-Lab Navigator (versions 3.1.9 and 3.2.0) contains an Authorization Bypass Through User-Controlled Key vulnerability. Multiple connected sources describe an Insecure Direct Object Reference in Feedback submission that could allow an unauthenticated, locally positioned attacker to...

CVSS 4.6 · AI score 4.6 · EPSS 0.0028
Exploits 0 · References 1 · Affected Software 1
Positive Technologies
added 2024/02/14 12:0 a.m. · 4 views

PT-2024-19434 · Dell · Dell Mobility - E-Lab Navigator

Name of the Vulnerable Software and Affected Versions: Dell Mobility - E-Lab Navigator versions 3.1.9 through 3.2.0 Description: The issue allows an unauthenticated attacker with local access to potentially exploit the vulnerability, leading to the launch of phishing attacks. It is related to an...

CVSS 4.6 · AI score 6.8 · EPSS 0.0028
Exploits 0 · References 6
Patchstack
added 2022/10/30 12:0 a.m. · 26 views

WordPress Appointment Booking Calendar plugin <= 1.3.69 - Missing Authorization vulnerability

Missing Authorization vulnerability leading to Feedback Submission discovered by Lana Codes (Patchstack Alliance) in the WordPress Appointment Booking Calendar plugin versions <= 1.3.69. Solution: Update the WordPress Appointment Booking Calendar plugin to the latest available version, at least 1.3.70...

CVSS 8.8 · AI score 4.2 · EPSS 0.00494
Exploits 0 · Affected Software 1
WPVulnDB
added 2022/10/30 12:0 a.m. · 26 views

Appointment Booking Calendar < 1.3.70 - Feedback Submission via CSRF

The plugin does not have CSRF check when submitting feedback, which could allow attackers to make logged in users do such action on their behalf via a CSRF attack...

CVSS 8.8 · AI score 4.9 · EPSS 0.00494
Exploits 0 · Affected Software 1
WPVulnDB
added 2022/10/30 12:0 a.m. · 21 views

Appointment Hour Booking < 1.3.72 - Feedback Submission via CSRF

The plugin does not have CSRF check when submitting feedback, which could allow attackers to make logged in users do such action on their behalf via a CSRF attack...

CVSS 8.8 · AI score 4.1 · EPSS 0.00494
Exploits 0 · Affected Software 1