
13 matches found

CVE
added 2026/05/11 8:34 p.m., 13 views

CVE-2026-43877

CVE-2026-43877 (WWBN/AVideo): CSRF in objects/userSavePhoto.php allows a logged‑in user’s profile photo to be overwritten with arbitrary bytes via a crafted cross‑origin POST, due to missing CSRF protection (the endpoint does not use the .json.php suffix and is excluded from autoCSRFGuard), no t...

CVSS 5.4, AI score 5.9, EPSS 0.00121
Exploits 0, References 2
ATTACKERKB
added 2026/04/30 12:00 a.m., 5 views

CVE-2026-36956

A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An...

CVSS 8.8, AI score 5.4, EPSS 0.00171
Exploits 1, References 3
CVE
added 2026/04/21 7:54 p.m., 21 views

CVE-2026-40909

WWBN AVideo (pre-29.0) contains a path traversal in locale/save.php that concatenates $_POST['flag'] into the target path and writes $_POST['code'] to that path via fwrite(), allowing an attacker with admin access or CSRF to write arbitrary PHP files outside locale/ and achieve Remote Code Execut...

CVSS 8.7, AI score 5.9, EPSS 0.00656
Exploits 1, References 2, Affected Software 1
Positive Technologies
added 2026/03/20 12:00 a.m., 14 views

PT-2026-26766

Summary: The Gallery plugin's saveSort.json.php endpoint passes unsanitized user input from $_REQUEST['sections'] array values directly into PHP's eval function. While the endpoint is gated behind User::isAdmin, it has no CSRF token validation. Combined with AVideo's explicit SameSite=None session...

CVSS 8.8, AI score 6.7, EPSS 0.00531
Exploits 1, References 7
NVD
added 2025/11/17 4:15 a.m., 7 views

CVE-2025-13283

TenderDocTransfer developed by Chunghwa Telecom has an Arbitrary File Copy and Paste vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could...

CVSS 7.1, EPSS 0.00203
Exploits 0, References 2
CVE
added 2025/11/17 3:24 a.m., 16 views

CVE-2025-13282

TenderDocTransfer (Chunghwa Telecom) exposes a combination of flaws: (1) an Absolute Path Traversal within one API that could allow deletion of arbitrary files on the user’s system, and (2) APIs with no CSRF protection, enabling unauthenticated remote attackers to trigger actions via phishing. Th...

CVSS 8.1, AI score 6.7, EPSS 0.00227
Exploits 0, References 2, Affected Software 1
Positive Technologies
added 2025/10/29 12:00 a.m., 5 views

PT-2025-44318

Name of the Vulnerable Software and Affected Versions: BLU-IC2 versions through 1.19.5; BLU-IC4 versions through 1.19.5. Description: A systemic lack of Cross-Site Request Forgery (CSRF) token implementation exists. This complete absence of CSRF protections in BLU-IC controllers allows for trivial...

CVSS 10, AI score 6.5, EPSS 0.00155
Exploits 0, References 6
EUVD
added 2025/10/27 6:30 a.m., 6 views

EUVD-2025-36108

The IDonate WordPress plugin before 2.1.13 does not have authorisation and CSRF when deleting users via an action handler, allowing unauthenticated attackers to delete arbitrary users...

CVSS 5.4, AI score 6.5, EPSS 0.0013
Exploits 1, References 2
EUVD
added 2025/10/07 12:30 a.m., 11 views

EUVD-2021-11530

Malware in sbrugna...

CVSS 5.4, AI score 5.5, EPSS 0.00374
Exploits 2, References 2
Cvelist
added 2025/03/20 10:10 a.m., 12 views

CVE-2024-8065 CSRF in danswer-ai/danswer

A Cross-Site Request Forgery (CSRF) vulnerability in version v1.4.1 of danswer-ai/danswer allows attackers to perform unauthorized actions in the context of the victim's browser. This includes connecting the victim's application with a malicious Slack Bot, inviting users, and deleting chats, among...

CVSS 8.1, EPSS 0.00197
Exploits 0, References 1
Packet Storm
added 2014/11/12 12:00 a.m., 26 views

Lantronix xPrintServer Remote Command Execution / CSRF

Hi, The Lantronix xPrintServer is a small Linux powered print server for iOS. Main configuration happens through a web interface. The problem is that the configuration happens through some ‘RPC’ interface; the web interface uses AJAX requests to talk to a CGI script that simply executes shell...

AI score 0.6
Exploits 0
0day.today
added 2012/12/05 12:00 a.m., 37 views

ManageEngine MSPCentral 9 CSRF / Cross Site Scripting Vulnerability

ManageEngine MSPCentral version 9 suffers from cross site request forgery, insecure session cookies, and cross site scripting vulnerabilities. Multiple vulnerabilities in ManageEngine MSPCentral 9 ------------------------------------------------------------ Background ---------- At Kiwicon 6 in m...

AI score 6.8
Exploits 0
Packet Storm
added 2012/12/04 12:00 a.m., 43 views

ManageEngine MSPCentral 9 Cross Site Request Forgery / Cross Site Scripting

-------------------------------------------------------------- REDACTED REDACTED REDACTED REDACTED REDACTED REDACTED REDACTED ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY -------------------------------------------------------------- RA004: Multiple vulnerabilities in ManageEngi...

Exploits 0