Search Results (9944 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2024-5034 | 1 Toolstack | 1 Sully | 2025-05-02 | 8.8 High | The SULly WordPress plugin before 4.3.1 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. |
| CVE-2006-5175 | 1 Buffalo-technology | 1 Terastation Hd-htgl Firmware | 2025-05-02 | N/A | Cross-site request forgery (CSRF) vulnerability in the administrative interface for the TeraStation HD-HTGL firmware 2.05 beta 1 and earlier allows remote attackers to modify configurations or delete arbitrary data via unspecified vectors. |
| CVE-2022-3451 | 1 Addify | 1 Product Stock Manager | 2025-05-01 | 4.3 Medium | The Product Stock Manager WordPress plugin before 1.0.5 does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow updating arbitrary options. |
| CVE-2022-3537 | 1 Addify | 1 Role Based Pricing For Woocommerce | 2025-05-01 | 8.8 High | The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated user, such as a subscriber, to upload arbitrary files, including PHP. |
| CVE-2022-3536 | 1 Addify | 1 Role Based Pricing For Woocommerce | 2025-05-01 | 8.8 High | The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, and does not validate the path given via user input, allowing any authenticated user, such as a subscriber, to perform PHAR deserialization attacks when they can upload a file and a suitable gadget chain is present on the blog. |
| CVE-2022-3489 | 1 Weberge | 1 Wp Hide | 2025-05-01 | 5.3 Medium | The WP Hide WordPress plugin through 0.0.2 does not have authorisation and CSRF checks in place when updating the custom_wpadmin_slug setting, allowing unauthenticated attackers to update it with a crafted request. |
| CVE-2022-43031 | 1 Dedecms | 1 Dedecms | 2025-05-01 | 8.8 High | DedeCMS v6.1.9 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add Administrator accounts and modify Admin passwords. |
| CVE-2023-7202 | 1 Verygoodplugins | 1 Fatal Error Notify | 2025-05-01 | 6.1 Medium | The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated user, such as a subscriber, to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF. |
| CVE-2024-42586 | 1 Siamonhasan | 1 Warehouse Inventory System | 2025-05-01 | 8.8 High | A Cross-Site Request Forgery (CSRF) in the component categorie.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges. |
| CVE-2024-42585 | 1 Siamonhasan | 1 Warehouse Inventory System | 2025-05-01 | 8.8 High | A Cross-Site Request Forgery (CSRF) in the component delete_media.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges. |
| CVE-2024-42578 | 2 Oswapp, Siamonhasan | 2 Warehouse Inventory System, Warehouse Inventory System | 2025-05-01 | 8.0 High | A Cross-Site Request Forgery (CSRF) in the component edit_product.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges. |
| CVE-2024-42576 | 1 Siamonhasan | 1 Warehouse Inventory System | 2025-05-01 | 8.8 High | A Cross-Site Request Forgery (CSRF) in the component edit_categorie.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges. |
| CVE-2022-45130 | 1 Plesk | 1 Obsidian | 2025-05-01 | 6.5 Medium | Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. NOTE: Obsidian is a specific version of the Plesk product: version numbers were used through version 12, and then the convention was changed so that versions are identified by names ("Obsidian"), not numbers. |
| CVE-2024-4529 | 1 Esterox | 1 Business Card | 2025-05-01 | 5.0 Medium | The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions such as deleting card categories via CSRF attacks. |
| CVE-2024-4530 | 1 Esterox | 1 Business Card | 2025-05-01 | 6.3 Medium | The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions such as editing card categories via CSRF attacks. |
| CVE-2024-4531 | 1 Esterox | 1 Business Card | 2025-05-01 | 7.1 High | The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions such as editing cards via CSRF attacks. |
| CVE-2024-4532 | 1 Esterox | 1 Business Card | 2025-05-01 | 6.4 Medium | The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions such as deleting cards via CSRF attacks. |
| CVE-2021-22884 | 6 Fedoraproject, Netapp, Nodejs and 3 more | 16 Fedora, Active Iq Unified Manager, E-series Performance Analyzer and 13 more | 2025-04-30 | 7.5 High | Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks because the whitelist includes "localhost6". When "localhost6" is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over the network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the "localhost6" domain. As long as the attacker uses the "localhost6" domain, they can still apply the attack described in CVE-2018-7160. |
| CVE-2021-25931 | 1 Opennms | 2 Horizon, Meridian | 2025-04-30 | 8.8 High | In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection at `/opennms/admin/userGroupView/users/updateUser`. This flaw allows assigning the `ROLE_ADMIN` security role to a normal user. Using this flaw, an attacker can trick the admin user into assigning administrator privileges to a normal user by enticing them to visit an attacker-controlled website. |
| CVE-2021-25930 | 1 Opennms | 2 Horizon, Meridian | 2025-04-30 | 4.3 Medium | In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection, and because there is no validation of an existing user name while renaming a user. As a result, the privileges of the renamed user are overwritten by the old user, and the old user is deleted from the user list. |
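Most of the WordPress entries in this listing describe the same defect: an admin-ajax.php action registered without a nonce check and without a capability check, so any logged-in user can call it directly and any third-party page can make a victim's browser call it (CSRF). The following is an added illustration of that pattern, not code from any plugin listed above: a minimal vulnerable handler of that shape beside a hardened version. The plugin, option, action and nonce names are hypothetical, and the `manage_options` capability is the assumed authorisation requirement for the setting being written.

```php
<?php
/**
 * Added example (not from any listed plugin): the recurring "no authorisation
 * and no CSRF check" AJAX pattern, in vulnerable and hardened form.
 * All plugin/option/action/nonce names below are hypothetical.
 */

// ---------- Vulnerable shape ----------
// 1. wp_ajax_nopriv_ also exposes the handler to unauthenticated visitors.
// 2. No nonce: any third-party page can submit this request for a victim (CSRF).
// 3. No capability check: a subscriber can call it directly.
// 4. The caller chooses the option name: arbitrary option update.
add_action( 'wp_ajax_example_save_setting',        'example_save_setting_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_setting', 'example_save_setting_vulnerable' );

function example_save_setting_vulnerable() {
    update_option( $_POST['option'], $_POST['value'] );
    wp_send_json_success();
}

// ---------- Hardened shape ----------
// Only logged-in users reach the handler (no wp_ajax_nopriv_ hook) ...
add_action( 'wp_ajax_example_save_setting_v2', 'example_save_setting_hardened' );

function example_save_setting_hardened() {
    // ... the request must carry a nonce bound to this action and this user.
    // check_ajax_referer() dies with HTTP 403 on failure, which defeats CSRF.
    // A nonce is minted for *every* logged-in user, subscribers included, so it
    // is not an authorisation check on its own: the capability check below is
    // what closes the "subscriber can call it" half of the bug.
    check_ajax_referer( 'example_save_setting', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // ... and the writable options are fixed by the plugin, not chosen by the
    // caller, each paired with the sanitizer appropriate to its type.
    $allowed = array( 'example_plugin_notify_email' => 'sanitize_email' );
    $key     = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = call_user_func( $allowed[ $key ], wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $key, $value );
    wp_send_json_success();
}

// The nonce the hardened handler expects is issued server-side to the admin
// page that legitimately submits the request, e.g. alongside its script.
function example_enqueue_settings_script() {
    wp_enqueue_script( 'example-settings', plugins_url( 'settings.js', __FILE__ ), array(), '1.0', true );
    wp_add_inline_script(
        'example-settings',
        'var exampleNonce = ' . wp_json_encode( wp_create_nonce( 'example_save_setting' ) ) . ';',
        'before'
    );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_settings_script' );
```

A quick way to triage a plugin for this class of bug is to list its `wp_ajax_` and `wp_ajax_nopriv_` hooks and confirm that each callback reaches both a nonce check (`check_ajax_referer()` or `wp_verify_nonce()`) and a `current_user_can()` check before any write. A handler that has only the nonce is still callable by every authenticated role the nonce is issued to, which is exactly the "authorisation and CSRF" pairing the descriptions above flag.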