CVE-2025-53895 ZITADEL has broken authN and authZ in session API and resulting session tokens
ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, a vulnerability in ZITADEL's session management API allows any authenticated user to update a session if they know its ID, due to a missing permission chec...
PT-2025-27663 · Ns3000 +1
Name of the Vulnerable Software and Affected Versions: NS3000 versions 7.x through 8.1.1.125110; NS2000 version 7.02.08. Description: The issue is related to missing authentication checks in the "query.fcgi" endpoint, which allows attackers to execute a session hijacking attack. Recommendations: Fo...
CVE-2021-20851
CVE-2021-20851 affects the WordPress plugin Browser and Operating System Finder (versions prior to 1.2). The vulnerability is a CSRF flaw in the plugin that can allow an administrator, when viewing a malicious page while logged in, to perform unintended actions, possibly hijacking the admin’s ses...
CVE-2018-8814
WolfCMS 0.8.3.1 is affected by CVE-2018-8814: a Cross-site request forgery (CSRF) vulnerability that allows an attacker to hijack user authentication for requests that modify plugin/[pluginname]/settings. The issue arises in WolfCMS before 0.8.3.1 and can be triggered by crafting malicious reques...
OpenCMS 10.5.3 - Cross-Site Request Forgery
Exploit Title: OpenCMS 10.5.3 Multiple Cross Site Request Forgery Vulnerabilities Injection; Google Dork: N/A; Date: 02-04-2018; Exploit Author: Sureshbabu Narvaneni; Author Blog: http://nullnews.in; Vendor Homepage: http://www.opencms.org/en/; Software Link:...
CVE-2012-0699
Multiple cross-site request forgery (CSRF) vulnerabilities in Family Connections CMS (aka FCMS) 2.9 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that (1) add news via an add action to familynews.php or (2) add a prayer via an add action to prayers.php...
CVE-2016-2889
The CVE-2016-2889 entry concerns a CSRF vulnerability in IBM Jazz Reporting Service (JRS) affecting Report Builder and Data Collection Component (DCC). Affected products/versions include Jazz Reporting Service 5.0, 5.0.1, 5.0.2 and 6.0, as well as 6.0.1 before their respective fixes, with Jazz Re...
CVE-2016-1168
CVE-2016-1168 affects NEC Aterm WF800HP devices with firmware version 1.0.17 and earlier. The vulnerability is a Cross-site Request Forgery (CSRF) that can allow a logged-in user to be coerced into performing unintended actions when visiting a malicious page, potentially hijacking the user’s auth...
CVE-2015-2134
Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) before 7.5.0 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors...
CVE-2015-3388
CVE-2015-3388 affects Drupal’s Commerce Balanced Payments module. A CSRF flaw allows an attacker to hijack a user’s session to trigger requests that delete the user’s configured bank accounts via unspecified vectors. Public advisories indicate CSRF (and related XSS) in Commerce Balanced Payments ...
CVE-2014-6214
IBM WebSphere Portal is affected by a CSRF/XSRF vulnerability in versions 8.0.0.x before 8.0.0.1 CF15 and 8.5.0 before CF05, allowing remote attackers to hijack user authentication for requests that insert XSS sequences. The issue stems from improper validation of user-supplied input, enabling au...
CVE-2015-2089
CVE-2015-2089 concerns the CrossSlide jQuery plugin for WordPress (version 2.0.5 and earlier). The vulnerability arises from CSRF flaws in the plugin’s admin flow: parameters such as csj_width, csj_height, csj_sleep, csj_fade, and upload_image pass through the thisismyurl_csj.php page to wp-admin...
Cross-site request forgery (CSRF)
Multiple cross-site request forgery (CSRF) vulnerabilities in PHPJabbers Event Booking Calendar 2.0 allow remote attackers to hijack the authentication of administrators for requests that (1) change the username and password of the administrator via an update action to the AdminOptions controller or...
CVE-2014-9407
Summary: CVE-2014-9407 affects Revive Adserver prior to 3.0.5, where multiple cross-site request forgery (CSRF) vulnerabilities allow remote attackers to hijack administrators’ authenticated sessions and trigger privileged actions. Affected endpoints include admin/ scripts such as agency-delete.p...
CVE-2014-9027
Multiple cross-site request forgery (CSRF) vulnerabilities in ZTE ZXDSL 831CII allow remote attackers to hijack the authentication of administrators for requests that disable modem LAN ports via the (1) enblftp, (2) enblhttp, (3) enblsnmp, (4) enbltelnet, (5) enbltftp, (6) enblicmp, or (7) enblssh parameter to...
Cross-site request forgery (CSRF)
Multiple cross-site request forgery (CSRF) vulnerabilities in mod/assign/locallib.php in the Assignment subsystem in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allow remote attackers to hijack the authentication of teachers for quick-grading requests...
CVE-2013-4963
Multiple cross-site request forgery (CSRF) vulnerabilities in Puppet Enterprise (PE) before 3.0.1 allow remote attackers to hijack the authentication of users for requests that delete a (1) report, (2) group, or (3) class, or possibly have other unspecified impact...
CVE-2013-7209
The CVE-2013-7209 entry concerns JForum (Java-based forum) with a CSRF flaw in the Admin module, specifically admBase/login.page. The vulnerability affects the adminUsers/group permissions flow via the groupsSave action, enabling an attacker to hijack an administrator’s session and cause arbitrar...
Cross-site request forgery (CSRF)
Cross-site request forgery (CSRF) vulnerability in RiteCMS 1.0.0 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via an edit user action to cms/index.php...