Vulnerabilities (CVE)

Filtered by CWE-352
Total 6077 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-20113 1 Cisco 1 Sd-wan 2024-11-21 N/A 6.5 MEDIUM
A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. These actions could include modifying the system configuration and deleting accounts.
CVE-2023-20011 1 Cisco 2 Application Policy Infrastructure Controller, Cloud Network Controller 2024-11-21 N/A 8.8 HIGH
A vulnerability in the web-based management interface of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Network Controller, formerly Cisco Cloud APIC, could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts.
CVE-2023-1965 1 Gitlab 1 Gitlab 2024-11-21 N/A 6.8 MEDIUM
An issue has been discovered in GitLab EE affecting all versions starting from 14.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Lack of verification on RelayState parameter allowed a maliciously crafted URL to obtain access tokens granted for 3rd party Group SAML SSO logins. This feature isn't enabled by default.
CVE-2023-1937 1 My-blog Project 1 My-blog 2024-11-21 5.0 MEDIUM 4.3 MEDIUM
A vulnerability, which was classified as problematic, was found in zhenfeng13 My-Blog. Affected is an unknown function of the file /admin/configurations/userInfo. The manipulation of the argument yourAvatar/yourName/yourEmail leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The identifier of this vulnerability is VDB-225264.
CVE-2023-1923 1 Wpfastestcache 1 Wp Fastest Cache 2024-11-21 N/A 4.3 MEDIUM
The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfc_remove_cdn_integration_ajax_request_callback function. This makes it possible for unauthenticated attackers to change cdn settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-1722 1 Yoga Class Registration System Project 1 Yoga Class Registration System 2024-11-21 N/A 9.1 CRITICAL
Yoga Class Registration System version 1.0 allows an administrator to execute commands on the server. This is possible because the application does not correctly validate the thumbnails of the classes uploaded by the administrators.
CVE-2023-1472 1 Rapidload 1 Rapidload Power-up For Autoptimize 2024-11-21 N/A 6.3 MEDIUM
The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on its AJAX actions. This makes it possible for unauthenticated attackers to invoke those functions, via forged request granted they can trick a site administrator into performing an action such as clicking on a link. Actions include resetting the API key, accessing or deleting log files, and deleting cache among others.
CVE-2023-1414 1 Rextheme 1 Wp Vr 2024-11-21 N/A 4.3 MEDIUM
The WP VR WordPress plugin before 8.3.0 does not have authorisation and CSRF checks in various AJAX actions, one in particular could allow any authenticated users, such as subscriber to update arbitrary tours
CVE-2023-1205 1 Netgear 2 Rax30, Rax30 Firmware 2024-11-21 N/A 8.8 HIGH
NETGEAR Nighthawk WiFi6 Router prior to V1.0.10.94 is vulnerable to cross-site request forgery attacks on all endpoints due to improperly implemented CSRF protections.
CVE-2023-1089 1 Hasthemes 1 Coupon Zen 2024-11-21 N/A 4.3 MEDIUM
The Coupon Zen WordPress plugin before 1.0.6 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack
CVE-2023-1033 1 Froxlor 1 Froxlor 2024-11-21 N/A 8.8 HIGH
Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.11.
CVE-2023-1029 1 Joomunited 1 Wp Meta Seo 2024-11-21 N/A 4.3 MEDIUM
The WP Meta SEO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the regenerateSitemaps function. This makes it possible for unauthenticated attackers to regenerate Sitemaps via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-0999 1 Sales Tracker Management System Project 1 Sales Tracker Management System 2024-11-21 5.0 MEDIUM 4.3 MEDIUM
A vulnerability classified as problematic was found in SourceCodester Sales Tracker Management System 1.0. This vulnerability affects unknown code of the file admin/?page=user/list. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-221734 is the identifier assigned to this vulnerability.
CVE-2023-0988 1 Online Pizza Ordering System Project 1 Online Pizza Ordering System 2024-11-21 5.0 MEDIUM 4.3 MEDIUM
A vulnerability, which was classified as problematic, has been found in SourceCodester Online Pizza Ordering System 1.0. This issue affects some unknown processing of the file admin/ajax.php?action=save_user. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-221681 was assigned to this vulnerability.
CVE-2023-0870 1 Opennms 2 Horizon, Meridian 2024-11-21 N/A 8.1 HIGH
A form can be manipulated with cross-site request forgery in multiple versions of OpenNMS Meridian and Horizon. This can potentially allow an attacker to gain access to confidential information and compromise integrity. The solution is to upgrade to Meridian 2023.1.1 or Horizon 31.0.6 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
CVE-2023-0824 1 Wpuserplus 1 Userplus 2024-11-21 N/A 6.5 MEDIUM
The User registration & user profile WordPress plugin through 2.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack.
CVE-2023-0763 1 Infigosoftware 1 Clock In Portal- Staff \& Attendance Management 2024-11-21 N/A 4.3 MEDIUM
The Clock In Portal- Staff & Attendance Management WordPress plugin through 2.1 does not have CSRF check when deleting Holidays, which could allow attackers to make logged in admins delete arbitrary holidays via a CSRF attack
CVE-2023-0735 1 Wallabag 1 Wallabag 2024-11-21 N/A 6.5 MEDIUM
Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.5.4.
CVE-2023-0674 1 Xuxueli 1 Xxl-job 2024-11-21 5.0 MEDIUM 4.3 MEDIUM
A vulnerability, which was classified as problematic, has been found in XXL-JOB 2.3.1. Affected by this issue is some unknown functionality of the file /user/updatePwd of the component New Password Handler. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-220196.
CVE-2023-0642 1 Squidex.io 1 Squidex 2024-11-21 N/A 6.5 MEDIUM
Cross-Site Request Forgery (CSRF) in GitHub repository squidex/squidex prior to 7.4.0.