
40 matches found

WPVulnDB, added 2024-01-19

lasTunes <= 3.6.1 - Settings Update via CSRF

Description: The plugin lacks CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack. PoC...

AI score 8.6, EPSS 0.00113, Exploits: 2
WPVulnDB, added 2023-11-15

Auto Login New User After Registration <= 1.9.6 - Stored XSS via CSRF

Description: The plugin has no CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...

CVSS 7.1, AI score 6, EPSS 0.00074, Exploits: 0
CNNVD, added 2023-09-27

Progress Software WS_FTP Server Cross-Site Request Forgery Vulnerability

Progress Software WS_FTP Server is an effective and highly manageable FTP server from Progress Software, Inc. A cross-site request forgery vulnerability exists in Progress Software WS_FTP Server versions prior to 8.8.2, stemming from a lack of cross-site request forgery (CSRF) protection...

CVSS 6.8, AI score 6.7, EPSS 0.00548, Exploits: 0, References: 3
CNNVD, added 2023-08-07

WordPress plugin WP Shopping Pages Cross-Site Scripting Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports setting up personal blog sites on servers with PHP and MySQL. A WordPress plugin is an application plugin. A cross-site scripting...

CVSS 6.8, AI score 5.9, EPSS 0.00134, Exploits: 2, References: 2
WPVulnDB, added 2022-10-31

Mantenimiento web < 0.14 - Stored XSS via CSRF

The plugin lacks CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...

CVSS 6.1, AI score 4.4, EPSS 0.00098, Exploits: 0, Affected Software: 1
ATTACKERKB, added 2022-04-04

CVE-2022-0403

The Library File Manager WordPress plugin before 5.2.3 uses an outdated version of the elFinder library, which is known to be affected by the security issue CVE-2021-32682, and has neither authorisation nor CSRF checks in its connector AJAX action, allowing any authenticated users,...

CVSS 9.8, AI score 7.7, EPSS 0.92768, Exploits: 6, References: 2
Prion, added 2022-03-28

Cross site request forgery (CSRF)

The Translate WordPress with GTranslate WordPress plugin before 2.9.9 does not have CSRF checks in some files, and writes debug data such as users' cookies to a publicly accessible file if a specific parameter is used when requesting them. Combining those two issues, an attacker could gain access t...

CVSS 6.8, AI score 8.7, EPSS 0.003, Exploits: 1, References: 1, Affected Software: 1
Positive Technologies, added 2021-10-25

PT-2021-16273 · WordPress · Wp Debugging

Name of the Vulnerable Software and Affected Versions: WP Debugging WordPress plugin versions prior to 2.11.0. Description: The issue concerns the update-settings function, which is hooked to admin_init and lacks authorization and CSRF checks. This allows settings to be updated by unauthenticated...

CVSS 6.5, AI score 6.5, EPSS 0.00236, Exploits: 2, References: 4
OSV, added 2021-09-02

GHSA-GJWP-7V3G-99PJ Cross-site Request Forgery (CSRF) in joplin

The package joplin before 2.3.2 is vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms...

CVSS 5.4, AI score 8.8, EPSS 0.00138, Exploits: 0, References: 4
Github Security Blog, added 2021-09-02

Cross-site Request Forgery (CSRF) in joplin

The package joplin before 2.3.2 is vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms...

CVSS 8.8, AI score 3.7, EPSS 0.00138, Exploits: 0, References: 4, Affected Software: 1
Cvelist, added 2021-08-24

CVE-2021-23431 Cross-site Request Forgery (CSRF)

The package joplin before 2.3.2 is vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms...

CVSS 5.4, AI score 9.1, EPSS 0.00138, Exploits: 0, References: 2
OSV, added 2021-07-06

CVE-2021-24388

In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom field option by which an administrator can manage all the fields that users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page,...

CVSS 5.4, AI score 6.2, Exploits: 0, References: 1
CNVD, added 2021-06-30

Machform Cross-Site Request Forgery Vulnerability

MachForm is an HTML form builder that lets you create contact forms, surveys, order forms or any other web form without writing code. A cross-site request forgery (CSRF) vulnerability exists in versions prior to MachForm 16. The vulnerability stems from a missing CSRF token. An attacker can exploit...

CVSS 8.8, AI score 6.6, EPSS 0.00145, Exploits: 0, References: 1
OSV, added 2021-01-13

UBUNTU-CVE-2020-36191

JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an xsrf field, as demonstrated by a /hub/api/user request to add or remove a user account...

CVSS 4.5, AI score 7.2, EPSS 0.00124, Exploits: 1, References: 3
Hacker One, added 2020-04-23

U.S. Dept Of Defense: CSRF - Modify Company Info

Target URL: ███/services/user/manageAccountCompany. Summary: Similar to ███████, but on a different endpoint. The application is missing a CSRF token on the edit-company-info endpoint. This leads to a CSRF attack. Bypassing Content-Type: The application only accepts Content-Type application/json. Thi...

Exploits: 0
ATTACKERKB, added 2019-06-30

CVE-2019-13086

core/MYSecurity.php in CSZ CMS 1.2.2 before 2019-06-20 has SQL injection in member/login/check, triggered by sending a crafted HTTP User-Agent header and omitting the csrfcsz parameter...

CVSS 9.8, AI score 5.8, EPSS 0.50772, Exploits: 2, References: 2
CNVD, added 2018-09-04

idreamsoft iCMS Cross-Site Request Forgery Vulnerability (CNVD-2018-19090)

idreamsoft iCMS is an open source content management system (CMS) based on PHP and MySQL. A cross-site request forgery vulnerability exists in the admincp.php file of idreamsoft iCMS version 7.0.11. The vulnerability stems from the handling of CSRFTOKEN when it does not exist, and the program...

CVSS 8.8, AI score 8.8, EPSS 0.00138, Exploits: 1, References: 1
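Several entries on this page (the iCMS admincp.php entry, whose wording points at what happens when CSRFTOKEN is absent; the JupyterHub entry, where a request "lacks an xsrf field"; the CSZ CMS entry, triggered by "omitting the csrfcsz parameter") share a second defect class: the token is only compared when the client supplies one. The following is an added example written for this page, not code from iCMS or any other product listed here, and it assumes that reading of those entries; the session key and parameter name `CSRFTOKEN` are placeholders. It contrasts a fail-open check with a fail-closed one.

```php
<?php
// Added example (not iCMS code). Session key and POST parameter name are
// placeholders. Run under PHP 7+ with sessions available.

// Issue one random token per session; render it into every state-changing form.
function csrf_token_issue(): string {
    if ( empty( $_SESSION['csrf_token'] ) ) {
        $_SESSION['csrf_token'] = bin2hex( random_bytes( 32 ) );
    }
    return $_SESSION['csrf_token'];
}

// FAIL-OPEN: the comparison only happens when the field is present. A
// cross-site form that simply omits CSRFTOKEN never enters the if-branch and
// is accepted. This is the shape the entries above describe.
function csrf_check_fail_open( array $post ): bool {
    if ( isset( $post['CSRFTOKEN'] )
         && $post['CSRFTOKEN'] !== ( $_SESSION['csrf_token'] ?? '' ) ) {
        return false;
    }
    return true; // also reached when the field is absent
}

// FAIL-CLOSED: absent token, absent session token, non-string input
// (CSRFTOKEN[]=x arrives as an array) and mismatch are all rejected.
// hash_equals() compares in constant time and requires both args to be strings.
function csrf_check_fail_closed( array $post ): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['CSRFTOKEN'] ?? null;
    if ( $expected === '' || ! is_string( $given ) ) {
        return false;
    }
    return hash_equals( $expected, $given );
}

// Gate for a state-changing admin action: reject before doing any work.
function admin_action_guarded( array $post, callable $action ): bool {
    if ( ! csrf_check_fail_closed( $post ) ) {
        http_response_code( 403 );
        return false;
    }
    $action();
    return true;
}

// Constructed walkthrough (no real request): a forged POST without the token
// passes the fail-open check and is rejected by the fail-closed one.
if ( PHP_SAPI === 'cli' ) {
    $_SESSION = array();
    $token    = csrf_token_issue();
    $forged   = array( 'company' => 'attacker-controlled' );          // no CSRFTOKEN
    $genuine  = array( 'company' => 'legit', 'CSRFTOKEN' => $token );  // from our form
    $arrayish = array( 'CSRFTOKEN' => array( 'x' ) );                   // CSRFTOKEN[]=x

    printf( "forged   fail-open=%d fail-closed=%d\n", csrf_check_fail_open( $forged ),  csrf_check_fail_closed( $forged ) );
    printf( "genuine  fail-open=%d fail-closed=%d\n", csrf_check_fail_open( $genuine ), csrf_check_fail_closed( $genuine ) );
    printf( "array    fail-open=%d fail-closed=%d\n", csrf_check_fail_open( $arrayish ), csrf_check_fail_closed( $arrayish ) );
}
```

The rule the fail-closed version follows is that the absence of a token is itself a failure, never a reason to skip the check. The same rule applies to the JSON-only endpoints in the HackerOne entry: a Content-Type check is not a CSRF defence on its own, because browsers can be made to submit other content types cross-origin; the request still needs a token (or a same-origin signal the server actually verifies).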
NVD, added 2017-07-17

CVE-2017-9934

Missing CSRF token checks and improper input validation in Joomla! CMS 1.7.3 through 3.7.2 lead to an XSS vulnerability...

CVSS 6.1, AI score 6.5, EPSS 0.00411, Exploits: 0, References: 3
Packet Storm, added 2014-10-19

Kimai.org Cross Site Request Forgery

Affected software: http://kimai.org
Type of vulnerability: CSRF
URL: http://demo.kimai.org
Discovered by: Provensec
Website: http://www.provensec.com
Description: CSRF vulnerability in the status edit mechanism due to no CSRF token.
Proof of concept:...

AI score 0.9, Exploits: 0
Packet Storm, added 2013-01-15

ProActive CMS XSS / CSRF / Open Redirect

Exploit Title: ProActive CMS Multiple Vulnerabilities
Google Dork: intext:"Powered by Proactive CMS"
Exploit Author: Rafay Baloch
Vendor Homepage: http://www.proactivecms.com
Tested on: Linux
Stored Cross Site Scripting: http://professional.inbusiness.com.au/admin.php?action=newuser
Insert Your...

AI score 0.2, Exploits: 0