Search Results (9130 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13177 | 2 Bdtask, Codecanyon | 2 Saleserp, Saleserp | 2025-11-24 | 4.3 Medium |
| A vulnerability was detected in Bdtask/CodeCanyon SalesERP up to 20250728. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-13179 | 1 Bdtask | 2 Wholesale, Wholesale Inventory Control And Inventory Management System | 2025-11-24 | 4.3 Medium |
| A vulnerability has been found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. This issue affects some unknown processing. Such manipulation leads to cross-site request forgery. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-63955 | 1 Phpgurukul | 1 Student Record System | 2025-11-20 | 7.5 High |
| A Cross-Site Request Forgery (CSRF) vulnerability in the manage-students.php component of PHPGurukul Student Record System v3.2 allows an attacker to trick an authenticated administrator into submitting a forged request. This leads to the unauthorized deletion of user accounts, causing a Denial of Service (DoS). | ||||
| CVE-2025-63712 | 2 Senior-walter, Sourcecodester | 2 Web-based Pharmacy Product Management System, Product Expiry Management System | 2025-11-18 | 4.5 Medium |
| Cross-Site Request Forgery (CSRF) in SourceCodester Product Expiry Management System. The User Management module (delete-user.php) allows remote attackers to delete arbitrary user accounts via forged cross-origin GET requests because the endpoint relies solely on session cookies and lacks CSRF protection. | ||||
| CVE-2025-63717 | 2 Mayurik, Sourcecodester | 2 Pet Grooming Management Software, Pet Grooming Management Software | 2025-11-17 | 6.5 Medium |
| The change password functionality at /pet_grooming/admin/change_pass.php in SourceCodester Pet Grooming Management Software 1.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks. The application does not implement adequate anti-CSRF tokens or same-site cookie restrictions, allowing attackers to trick authenticated users into unknowingly changing their passwords. | ||||
| CVE-2025-63716 | 2 Rems, Sourcecodester | 2 Leads Manager Tool, Leads Manager Tool | 2025-11-17 | 6.5 Medium |
| The SourceCodester Leads Manager Tool v1.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow unauthorized state-changing operations. The application lacks CSRF protection mechanisms such as anti-CSRF tokens or same-origin verification for critical endpoints. | ||||
| CVE-2023-53688 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-17 | 5.4 Medium |
| Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) via the Hypermap Replay component. An attacker can submit crafted input that is not properly validated or escaped, allowing injection of malicious script that executes in the context of a victim's browser (XSS). Additionally, the component does not enforce sufficient anti-CSRF protections on state-changing operations, enabling an attacker to induce authenticated users to perform unwanted actions. | ||||
| CVE-2025-63710 | 2 Pijey, Sourcecodester | 2 Simple Public Chat Room, Simple Public Chat Room | 2025-11-17 | 6.5 Medium |
| The send_message.php endpoint in SourceCodester Simple Public Chat Room 1.0 is vulnerable to Cross-Site Request Forgery (CSRF). The application does not implement any CSRF-protection mechanisms such as tokens, nonces, or same-site cookie restrictions. An attacker can create a malicious HTML page that, when visited by an authenticated user, will automatically submit a forged POST request to the vulnerable endpoint. This request will be executed with the victim's privileges, allowing the attacker to perform unauthorized actions on their behalf, such as sending arbitrary messages in any chat room. | ||||
| CVE-2025-63711 | 2 Lerouxyxchire, Sourcecodester | 2 Client Database Management System, Client Database Management System | 2025-11-17 | 7.1 High |
| A Cross-Site Request Forgery (CSRF) vulnerability in the SourceCodester Client Database Management System 1.0 allows an attacker to cause an authenticated administrative user to perform user deletion actions without their consent. The application's user deletion endpoint (e.g., superadmin_user_delete.php) accepts POST requests containing a user_id parameter and does not enforce request origin or anti-CSRF tokens. Because the endpoint lacks proper authentication/authorization checks and CSRF protections, a remote attacker can craft a malicious page that triggers deletion when visited by an authenticated admin, resulting in arbitrary removal of user accounts. | ||||
| CVE-2025-13119 | 3 Fabian, Fabianros, Sourcecodester | 3 Simple E-banking System, Simple E-banking System, Simple Cafe Billing System | 2025-11-17 | 4.3 Medium |
| A flaw has been found in Fabian Ros/SourceCodester Simple E-Banking System 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been published and may be used. | ||||
| CVE-2025-58469 | 1 Qnap | 1 Qulog Center | 2025-11-14 | 8.8 High |
| A cross-site request forgery (CSRF) vulnerability has been reported to affect QuLog Center. The remote attackers can then exploit the vulnerability to gain privileges or hijack user identities. We have already fixed the vulnerability in the following version: QuLog Center 1.8.2.927 (2025/09/17) and later. | ||||
| CVE-2024-53829 | 1 Ericsson | 1 Codechecker | 2025-11-14 | 8.2 High |
| CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Cross-site request forgery allows an unauthenticated attacker to hijack the authentication of a logged in user, and use the web API with the same permissions, including but not limited to adding, removing or editing products. The attacker needs to know the ID of the available products to modify or delete them. The attacker cannot directly exfiltrate data (view) from CodeChecker, due to being limited to form-based CSRF. This issue affects CodeChecker: through 6.24.4. | ||||
| CVE-2023-7297 | 1 Reneade | 1 Twitterposts | 2025-11-13 | 3.5 Low |
| The TwitterPosts WordPress plugin through 1.0.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. | ||||
| CVE-2025-5732 | 1 Carmelo | 1 Traffic Offense Reporting System | 2025-11-13 | 4.3 Medium |
| A vulnerability, which was classified as problematic, was found in code-projects Traffic Offense Reporting System 1.0. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-35475 | 1 Openkm | 1 Openkm | 2025-11-12 | 6.4 Medium |
| A Cross-Site Request Forgery (CSRF) vulnerability was discovered in OpenKM Community Edition on or before version 6.3.12. The vulnerability exists in /admin/DatabaseQuery, which allows an attacker to manipulate a victim with administrative privileges to execute arbitrary SQL commands. | ||||
| CVE-2025-62258 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-11-10 | 6.5 Medium |
| CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the `endpoint` parameter. | ||||
| CVE-2020-10181 | 1 Sumavision | 2 Enhanced Multimedia Router, Enhanced Multimedia Router Firmware | 2025-11-07 | 9.8 Critical |
| goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3.0.4.27 allows creation of arbitrary users with elevated privileges (administrator) on a device, as demonstrated by a setString=new_user<*1*>administrator<*1*>123456 request. | ||||
| CVE-2025-12479 | 2 Azure-access, Azure Access Technology | 6 Blu-ic2, Blu-ic2 Firmware, Blu-ic4 and 3 more | 2025-11-07 | 8.8 High |
| Systemic Lack of Cross-Site Request Forgery (CSRF) Token Implementation. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. | ||||
| CVE-2025-12221 | 3 Azure-access, Azure Access Technology, Busybox | 7 Blu-ic2, Blu-ic2 Firmware, Blu-ic4 and 4 more | 2025-11-07 | 8.8 High |
| Busybox 1.31.1 - Multiple Known Vulnerabilities. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. | ||||
| CVE-2023-4959 | 1 Redhat | 1 Quay | 2025-11-07 | 6.5 Medium |
| A flaw was found in Quay. Cross-site request forgery (CSRF) attacks force a user to perform unwanted actions in an application. During the pentest, it was detected that the config-editor page is vulnerable to CSRF. The config-editor page is used to configure the Quay instance. By coercing the victim’s browser into sending an attacker-controlled request from another domain, it is possible to reconfigure the Quay instance (including adding users with admin privileges). | ||||