Vulnerabilities (CVE)

Filtered by CWE-352 (Cross-Site Request Forgery)
Total: 6075 CVEs
Columns: CVE ID; number of affected vendors and their names; number of affected products and their names; last updated; CVSS v2 score; CVSS v3 score (N/A where no score of that version was assigned). Each row is followed by the CVE description.
CVE-2023-2528 1 Supsystic 1 Contact Form 2024-11-21 N/A 5.4 MEDIUM
The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.24. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-2508 2 Apple, Papercut 2 Macos, Mobility Print Server 2024-11-21 N/A 5.3 MEDIUM
The `PaperCutNG Mobility Print` version 1.0.3512 application allows an unauthenticated attacker to perform a CSRF attack on an instance administrator to configure the client host (in the "configure printer discovery" section). This is possible because the application has no protections against CSRF attacks, such as anti-CSRF tokens, Origin header validation, SameSite cookies, etc.
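The PaperCut entry names the three standard controls the application lacked. The block below is an added example, not PaperCut's code nor code from any product on this page, showing all three applied to a state-changing handler in plain PHP (no framework): a per-session synchronizer token compared in constant time, Origin/Referer validation against the expected origin, and a SameSite attribute on the session cookie. The headers array, the origin `https://print.example.internal`, and the `host` form field are constructed for illustration; a real application would read them from `$_SERVER` and `$_POST`.

```php
<?php
// Added example; not code from PaperCut or any product listed on this page.
declare(strict_types=1);

// 1. Synchronizer token: one random token per session, kept server side.
//    The session array stands in for $_SESSION so the functions stay pure.
function issue_csrf_token(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// 2. Origin validation: the request must come from our own origin.
//    $headers is an assumed associative array of request headers.
function origin_allowed(array $headers, string $expectedOrigin): bool
{
    $origin = $headers['Origin'] ?? null;
    if ($origin === null && isset($headers['Referer'])) {
        $p = parse_url($headers['Referer']);
        if ($p === false || !isset($p['scheme'], $p['host'])) {
            return false;
        }
        $origin = $p['scheme'] . '://' . $p['host']
                . (isset($p['port']) ? ':' . $p['port'] : '');
    }
    // A forged cross-site POST carries the attacker's Origin (or Referer).
    // A request with neither header is rejected rather than trusted.
    return $origin !== null && strcasecmp($origin, $expectedOrigin) === 0;
}

// Gate for every state-changing handler: token AND origin must both pass.
function csrf_request_allowed(array $headers, array $post, array $session,
                              string $expectedOrigin): bool
{
    $submitted = (string) ($post['csrf_token'] ?? '');
    $expected  = $session['csrf_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $submitted)) {
        return false; // missing or wrong token; hash_equals is constant-time
    }
    return origin_allowed($headers, $expectedOrigin);
}

// 3. SameSite on the session cookie, so a cross-site POST does not carry it.
//    Requires PHP 7.3+ for the options-array form of setcookie().
function set_session_cookie(string $name, string $value): bool
{
    return setcookie($name, $value, [
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict', // 'Lax' if top-level links into the admin UI must stay logged in
        'path'     => '/',
    ]);
}

// Self-check on constructed requests (not captured from any real product).
$session        = [];
$token          = issue_csrf_token($session);
$expectedOrigin = 'https://print.example.internal';

// Legitimate: same origin, correct token.
$legit = csrf_request_allowed(['Origin' => $expectedOrigin],
    ['csrf_token' => $token, 'host' => '10.0.0.5'], $session, $expectedOrigin);
// Forged: attacker's page, no token (the attacker cannot read it cross-site).
$forged = csrf_request_allowed(['Origin' => 'https://attacker.example'],
    ['host' => '10.0.0.5'], $session, $expectedOrigin);
// Token present but no Origin/Referer at all: fail closed.
$headerless = csrf_request_allowed([], ['csrf_token' => $token], $session, $expectedOrigin);

if (!$legit || $forged || $headerless) {
    throw new RuntimeException('CSRF gate did not behave as intended');
}
```

The token is the primary control; the Origin check is defence in depth and is only safe because modern browsers attach `Origin` to every POST, so failing closed on a headerless request does not break real clients. The cookie attribute is set once when the session is created and costs nothing on each request.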
CVE-2023-2505 1 Birddog 8 4k Quad, 4k Quad Firmware, A300 and 5 more 2024-11-21 N/A 7.7 HIGH
The affected products have a CSRF vulnerability that could allow an attacker to execute code and upload malicious files.
CVE-2023-2497 1 Userproplugin 1 Userpro 2024-11-21 N/A 8.8 HIGH
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'import_settings' function. This makes it possible for unauthenticated attackers to exploit PHP Object Injection due to the use of unserialize() on the user supplied parameter via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-2474 1 Getrebuild 1 Rebuild 2024-11-21 5.0 MEDIUM 4.3 MEDIUM
A vulnerability has been found in Rebuild 3.2 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. VDB-227866 is the identifier assigned to this vulnerability.
CVE-2023-2447 1 Userproplugin 1 Userpro 2024-11-21 N/A 6.1 MEDIUM
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on the 'export_users' function. This makes it possible for unauthenticated attackers to export the users to a csv file, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-2444 1 Rockwellautomation 1 Factorytalk Vantagepoint 2024-11-21 N/A 7.1 HIGH
A cross site request forgery vulnerability exists in Rockwell Automation's FactoryTalk Vantagepoint. This vulnerability can be exploited in two ways. If an attacker sends a malicious link to a computer that is on the same domain as the FactoryTalk Vantagepoint server and a user clicks the link, the attacker could impersonate the legitimate user and send requests to the affected product. Additionally, if an attacker sends an untrusted link to a computer that is not on the same domain as the server and a user opens the FactoryTalk Vantagepoint website, enters credentials for the FactoryTalk Vantagepoint server, and clicks on the malicious link, a cross site request forgery attack would be successful as well.
CVE-2023-2440 1 Userproplugin 1 Userpro 2024-11-21 N/A 8.8 HIGH
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing nonce validation in the 'admin_page', 'userpro_verify_user' and 'verifyUnverifyAllUsers' functions. This makes it possible for unauthenticated attackers to modify the role of verified users to elevate verified user privileges to that of any user such as 'administrator' via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-2438 1 Userproplugin 1 Userpro 2024-11-21 N/A 6.1 MEDIUM
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'userpro_save_userdata' function. This makes it possible for unauthenticated attackers to update the user meta and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-2416 1 Vcita 1 Online Booking & Scheduling Calendar For Wordpress By Vcita 2024-11-21 N/A 5.4 MEDIUM
The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the vcita_logout_callback function in versions up to, and including, 4.2.10. This makes it possible for unauthenticated attackers to log out a vcita-connected account, which would cause a denial of service on the appointment scheduler, via a forged request granted they can trick a site user into performing an action such as clicking on a link.
CVE-2023-2407 1 Vcita 2 Event Registration Calendar By Vcita, Online Payments - Get Paid With Paypal, Square & Stripe 2024-11-21 N/A 6.1 MEDIUM
The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing nonce validation in the ls_parse_vcita_callback() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-2405 1 Vcita 1 Crm And Lead Management By Vcita 2024-11-21 N/A 6.1 MEDIUM
The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.6.2. This is due to missing nonce validation in the vcita-callback.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-2307 1 Builder 1 Qwik 2024-11-21 N/A 4.7 MEDIUM
Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.
CVE-2023-2303 1 Vcita 1 Contact Form And Calls To Action By Vcita 2024-11-21 N/A 6.1 MEDIUM
The Contact Form and Calls To Action by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.6.4. This is due to missing nonce validation in the vcita-callback.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-2301 1 Vcita 1 Contact Form Builder By Vcita 2024-11-21 N/A 6.1 MEDIUM
The Contact Form Builder by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.9.1. This is due to missing nonce validation on the ls_parse_vcita_callback function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-2286 1 Wpwhitesecurity 1 Wp Activity Log 2024-11-21 N/A 4.3 MEDIUM
The WP Activity Log plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the ajax_run_cleanup function. This makes it possible for unauthenticated attackers to invoke this function via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
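Most WordPress entries above (Contact Form by Supsystic, UserPro, the vcita plugins, WP Activity Log) share one root cause: an admin-side AJAX or callback handler that changes state without verifying a nonce. The block below is an added illustration, not code from any of those plugins. It assumes a hypothetical plugin with an AJAX action `myplugin_save_settings` that writes an option `myplugin_settings`, and a registered admin script handle `myplugin-admin`; all of those names are invented. It shows the vulnerable shape next to the hardened one built from WordPress's own `check_ajax_referer()`, `current_user_can()` and `wp_create_nonce()`.

```php
<?php
// Added illustration; not code from any plugin listed on this page.
// Hypothetical names: action 'myplugin_save_settings', option 'myplugin_settings',
// script handle 'myplugin-admin'.

/* --- Vulnerable shape (the pattern behind the "missing or incorrect nonce
   validation" entries): the handler runs for any request that names the
   action, and the victim administrator's cookies authenticate it. --- */
add_action('wp_ajax_myplugin_save_settings', 'myplugin_save_settings_vulnerable');

function myplugin_save_settings_vulnerable(): void
{
    // No nonce check and no capability check: a <form> auto-submitted from an
    // attacker's page, or a fetch() sent with credentials, is accepted as-is.
    update_option('myplugin_settings', wp_unslash($_POST['settings'] ?? ''));
    wp_send_json_success();
}

/* --- Hardened shape. In a real plugin only one of the two add_action()
   registrations would exist; both are shown here for comparison. --- */
add_action('wp_ajax_myplugin_save_settings', 'myplugin_save_settings_hardened');

function myplugin_save_settings_hardened(): void
{
    // Verifies $_REQUEST['nonce'] against the action string and the current
    // user's session; on failure it calls wp_die(-1, 403) and nothing below runs.
    check_ajax_referer('myplugin_save_settings', 'nonce');

    // The nonce proves the request came from a page WordPress rendered for this
    // user; it does not prove authority. Any logged-in user can obtain a nonce
    // from a page that prints one, so the capability check is still required.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    $settings = sanitize_text_field(wp_unslash($_POST['settings'] ?? ''));
    update_option('myplugin_settings', $settings);
    wp_send_json_success();
}

// Mint the nonce for the admin page's script so legitimate requests can send it
// as the 'nonce' POST field. The nonce is bound to the action name and the
// user's session and expires after 12 to 24 hours.
add_action('admin_enqueue_scripts', function (): void {
    wp_localize_script('myplugin-admin', 'myplugin', [
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('myplugin_save_settings'),
    ]);
});
```

The two checks address different entries in this listing: the nonce stops the forged request itself, while the capability check is what prevents the UserPro-style outcome in which a low-privileged user who can legitimately obtain a nonce escalates to administrator. A handler hooked under `wp_ajax_nopriv_*` needs the same treatment; registering it there only widens who can reach it, it does not change the missing-nonce flaw.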
CVE-2023-2228 1 Modoboa 1 Modoboa 2024-11-21 N/A 6.8 MEDIUM
Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.1.0.
CVE-2023-2195 1 Jenkins 1 Code Dx 2024-11-21 N/A 4.3 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL.
CVE-2023-29815 1 Chshcms 1 Mccms 2024-11-21 N/A 8.8 HIGH
mccms v2.6.3 is vulnerable to Cross Site Request Forgery (CSRF).
CVE-2023-29238 1 Whydonate 1 Wp Whydonate 2024-11-21 N/A 4.3 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in the Whydonate "Whydonate – FREE Donate button – Crowdfunding – Fundraising" plugin in versions <= 3.12.15.