Total
9126 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-0522 | 1 Enable\/disable Auto Login When Register Project | 1 Enable\/disable Auto Login When Register | 2025-02-04 | 6.5 Medium |
| The Enable/Disable Auto Login when Register WordPress plugin through 1.1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | ||||
| CVE-2024-2951 | 1 Metagauss | 1 Registrationmagic | 2025-02-04 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Metagauss RegistrationMagic.This issue affects RegistrationMagic: from n/a through 5.3.0.0. | ||||
| CVE-2023-29020 | 1 Fastify | 1 Passport | 2025-02-04 | 6.5 Medium |
| @fastify/passport is a port of passport authentication library for the Fastify ecosystem. The CSRF (Cross-Site Request Forger) protection enforced by the `@fastify/csrf-protection` library, when combined with `@fastify/passport` in affected versions, can be bypassed by network and same-site attackers. `fastify/csrf-protection` implements the synchronizer token pattern (using plugins `@fastify/session` and `@fastify/secure-session`) by storing a random value used for CSRF token generation in the `_csrf` attribute of a user's session. The `@fastify/passport` library does not clear the session object upon authentication, preserving the `_csrf` attribute between pre-login and authenticated sessions. Consequently, CSRF tokens generated before authentication are still valid. Network and same-site attackers can thus obtain a CSRF token for their pre-session, fixate that pre-session in the victim's browser via cookie tossing, and then perform a CSRF attack after the victim authenticates. As a solution, newer versions of `@fastify/passport` include the configuration options: `clearSessionOnLogin (default: true)` and `clearSessionIgnoreFields (default: ['passport', 'session'])` to clear all the session attributes by default, preserving those explicitly defined in `clearSessionIgnoreFields`. | ||||
| CVE-2023-1414 | 1 Rextheme | 1 Wp Vr | 2025-02-04 | 4.3 Medium |
| The WP VR WordPress plugin before 8.3.0 does not have authorisation and CSRF checks in various AJAX actions, one in particular could allow any authenticated users, such as subscriber to update arbitrary tours | ||||
| CVE-2023-26839 | 1 Churchcrm | 1 Churchcrm | 2025-02-04 | 4.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to edit information for existing people on the site. | ||||
| CVE-2022-40724 | 1 Pingidentity | 1 Pingfederate | 2025-02-04 | 6.4 Medium |
| The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests. | ||||
| CVE-2023-26841 | 1 Churchcrm | 1 Churchcrm | 2025-02-03 | 6.5 Medium |
| A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to change any user's password except for the user that is currently logged in. | ||||
| CVE-2023-26840 | 1 Churchcrm | 1 Churchcrm | 2025-02-03 | 5.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to set a person to a user and set that user to be an Administrator. | ||||
| CVE-2024-30455 | 1 Gamipress | 1 Gamipress | 2025-01-31 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in GamiPress.This issue affects GamiPress: from n/a through 6.8.5. | ||||
| CVE-2023-2307 | 1 Builder | 1 Qwik | 2025-01-31 | 4.7 Medium |
| Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0. | ||||
| CVE-2022-2432 | 1 Lightspeedhq | 1 Ecwid Ecommerce Shopping Cart | 2025-01-31 | 8.8 High |
| The Ecwid Ecommerce Shopping Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.10.23. This is due to missing or incorrect nonce validation on the ecwid_update_plugin_params function. This makes it possible for unauthenticated attackers to update plugin options granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-33359 | 1 Piwigo | 1 Piwigo | 2025-01-31 | 4.3 Medium |
| Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the "add tags" function. | ||||
| CVE-2024-31932 | 1 Creativethemes | 1 Blocksy Companion | 2025-01-31 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in CreativeThemes Blocksy Companion.This issue affects Blocksy Companion: from n/a through 2.0.28. | ||||
| CVE-2023-38739 | 1 Ibm | 1 Sterling B2b Integrator | 2025-01-31 | 4.3 Medium |
| IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | ||||
| CVE-2023-29815 | 1 Chshcms | 1 Mccms | 2025-01-30 | 8.8 High |
| mccms v2.6.3 is vulnerable to Cross Site Request Forgery (CSRF). | ||||
| CVE-2023-1965 | 1 Gitlab | 1 Gitlab | 2025-01-29 | 6.8 Medium |
| An issue has been discovered in GitLab EE affecting all versions starting from 14.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Lack of verification on RelayState parameter allowed a maliciously crafted URL to obtain access tokens granted for 3rd party Group SAML SSO logins. This feature isn't enabled by default. | ||||
| CVE-2020-22334 | 1 Beescms | 1 Beescms | 2025-01-29 | 6.5 Medium |
| Cross Site Request Forgery (CSRF) vulnerability in beescms v4 allows attackers to delete the administrator account via crafted request to /admin/admin_admin.php. | ||||
| CVE-2020-18131 | 1 Clanscripts Project | 1 Clanscripts | 2025-01-29 | 8.8 High |
| Cross Site Request Forgery (CSRF) vulnerability in Bluethrust Clan Scripts v4 allows attackers to escilate privledges to an arbitrary account via a crafted request to /members/console.php?cID=5. | ||||
| CVE-2020-36065 | 1 Flycms Project | 1 Flycms | 2025-01-29 | 8.8 High |
| Cross Site Request Forgery (CSRF) vulnerability in FlyCms 1.0 allows attackers to add arbitrary administrator accounts via system/admin/admin_save. | ||||
| CVE-2020-23363 | 1 Verydows | 1 Verydows | 2025-01-29 | 8.8 High |
| Cross Site Request Forgery (CSRF) vulnerability found in Verytops Verydows all versions that allows an attacker to execute arbitrary code via a crafted script. | ||||