
12 matches found

CNNVD
added 2025/04/22 12:0 a.m., 2 views

Moodle Cross-Site Request Forgery Vulnerability

Moodle is a free, open-source e-learning software platform, also known as a course management system, learning management system or virtual learning environment. Moodle suffers from a cross-site request forgery vulnerability that stems from the lack of an anti-cross-site request forgery...

CVSS 8.8, AI score 6.7, EPSS 0.00235
Exploits 0, References 3
Code423n4
added 2023/10/06 12:0 a.m., 11 views

Event not emitted after sensitive action of setting new concentrated and ambient rewards.

Lines of code. Vulnerability details. Impact: The 'setConcRewards' and 'setAmbRewards' don't emit an event to signify to all parties involved the new concentrated and ambient results. Proof of Concept: A user not aware of the new reward price might suppose he/she has been swindled upon realizing that...

AI score 7.2
Exploits 0
Huntr
added 2022/11/15 3:51 a.m., 20 views

Missing Authentication for Critical Function

Description: Generally, when users try to change the password, they are asked to verify the request by entering the old password. For the same reason, verification should be there on changing email. When a user changes the email address, the website sends a verification mail to the new mail id...

CVSS 3.5, AI score 5.1, EPSS 0.00311
Exploits 1, References 1
Huntr
added 2022/09/29 7:7 p.m., 13 views

No notification triggered on sensitive actions like 2FA enable/disable

Description: 2FA enable/disable is a sensitive action. As the application triggers a notification on all sensitive actions like email change/password reset, 2FA is also an important security feature to be notified about. Proof of Concept: 1. Go to https://rdiffweb-dev.ikus-soft.com/prefs/mfa 2. Do a...

CVSS 7.5, AI score 1.3, EPSS 0.00492
Exploits 0
Tenable Nessus
added 2022/08/08 12:0 a.m., 35 views

Login Form Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF) occurs when a user is tricked into clicking on a link which would automatically submit a request without the user's consent. This can be made possible when the request does not include an anti-CSRF token, generated each time the request is visited and passed when...

AI score 7.1
Exploits 0, References 10
CNVD
added 2022/07/26 12:0 a.m., 16 views

WordPress Sygnoos Popup Builder Cross-Site Request Forgery Vulnerability

WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site request forgery vulnerability exists in WordPress Sygnoos Popup Builder 4.1.11 and prior versions, which arises from a web applicatio...

CVSS 5.4, AI score 6.7, EPSS 0.01511
Exploits 0, References 1
OSV
added 2022/05/06 6:15 p.m., 1 views

CVE-2021-27759

This vulnerability arises because the application allows the user to perform some sensitive action without verifying that the request was sent intentionally. An attacker can cause a victim's browser to emit an HTTP request to an arbitrary URL in the application...

CVSS 6.5, AI score 6.7
Exploits 0, References 1
CNVD
added 2021/12/18 12:0 a.m., 16 views

WordPress Pixel Cat plugin cross-site request forgery vulnerability

WordPress is the WordPress Foundation's blogging platform, developed using the PHP language. The platform supports setting up personal blogging sites on PHP and MySQL servers. Pixel Cat Plugin is a WordPress open source application plugin. WordPress Pixel Cat Plugin has a cross-site reques...

CVSS 9, AI score 2.8, EPSS 0.00107
Exploits 2, References 1
CNVD
added 2021/11/13 12:0 a.m., 24 views

Airangel Hsmx Gateway Cross-Site Request Forgery Vulnerability

Airangel Hsmx Gateway is a platform from Airangel UK, Inc. used to manage authentication and billing in the network. A cross-site request forgery vulnerability exists in Airangel Hsmx Gateway prior to 5.2.04, which stems from a web application that does not adequately verify that the request is fr...

CVSS 6.5, AI score 1.9, EPSS 0.00161
Exploits 1, References 1
CNVD
added 2021/10/28 12:0 a.m., 18 views

WordPress St-Daily-Tip plugin cross-site request forgery vulnerability

WordPress is the WordPress Foundation's blogging platform, developed using the PHP language. The platform supports personal blogging sites on PHP and MySQL servers. WordPress St-Daily-Tip plugin has a cross-site request spoofing vulnerability in version 4.7 and earlier, which stems from a...

CVSS 8.8, AI score 2.7, EPSS 0.00302
Exploits 2, References 1
CNVD
added 2021/10/24 12:0 a.m., 19 views

WordPress Wechat Reward plugin cross-site request forgery vulnerability

WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports the hosting of personal blog sites on servers with PHP and MySQL. A cross-site request forgery vulnerability exists in the WordPress Wechat Reward plugin in versions 1.7 and...

CVSS 5.4, AI score 1.9, EPSS 0.00099
Exploits 1, References 1
Tenable Nessus
added 2017/03/31 12:0 a.m., 77 views

Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF) occurs when an authenticated user is tricked into clicking on a link which would automatically submit a request without the user's consent. This can be made possible when the request does not include an anti-CSRF token, generated each time the request is visited an...

AI score 7.1
Exploits 0, References 10