Total: 5731 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-22334 | 1 Beescms | 1 Beescms | 2023-05-12 | N/A | 6.5 MEDIUM | Cross Site Request Forgery (CSRF) vulnerability in beescms v4 allows attackers to delete the administrator account via crafted request to /admin/admin_admin.php. |
| CVE-2020-18131 | 1 Clanscripts Project | 1 Clanscripts | 2023-05-11 | N/A | 8.8 HIGH | Cross Site Request Forgery (CSRF) vulnerability in Bluethrust Clan Scripts v4 allows attackers to escalate privileges to an arbitrary account via a crafted request to /members/console.php?cID=5. |
| CVE-2023-2552 | 1 Bumsys Project | 1 Bumsys | 2023-05-10 | N/A | 8.8 HIGH | Cross-Site Request Forgery (CSRF) in GitHub repository unilogies/bumsys prior to 2.1.1. |
| CVE-2023-1965 | 1 Gitlab | 1 Gitlab | 2023-05-09 | N/A | 6.5 MEDIUM | An issue has been discovered in GitLab EE affecting all versions starting from 14.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, and all versions starting from 15.11 before 15.11.1. Lack of verification on the RelayState parameter allowed a maliciously crafted URL to obtain access tokens granted for 3rd party Group SAML SSO logins. This feature isn't enabled by default. |
| CVE-2023-22691 | 1 Tipsandtricks-hq | 1 Category Specific Rss Feed Subscription | 2023-05-09 | N/A | 8.8 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in Tips and Tricks HQ, Ruhul Amin Category Specific RSS feed Subscription plugin <= v2.1 versions. |
| CVE-2023-23790 | 1 Podsfoundation | 1 Pods | 2023-05-09 | N/A | 8.8 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in Pods Framework Team Pods – Custom Content Types and Fields plugin <= 2.9.10.2 versions. |
| CVE-2023-29815 | 1 Chshcms | 1 Mccms | 2023-05-08 | N/A | 8.8 HIGH | mccms v2.6.3 is vulnerable to Cross Site Request Forgery (CSRF). |
| CVE-2023-25967 | 1 Peepso | 1 Peepso | 2023-05-08 | N/A | 8.8 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in PeepSo Community by PeepSo plugin <= 6.0.2.0 versions. |
| CVE-2022-40724 | 1 Pingidentity | 1 Pingfederate | 2023-05-04 | N/A | 8.8 HIGH | The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests. |
| CVE-2023-2228 | 1 Modoboa | 1 Modoboa | 2023-05-03 | N/A | 6.8 MEDIUM | Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.1.0. |
| CVE-2023-29020 | 1 Fastify | 1 Passport | 2023-05-03 | N/A | 6.5 MEDIUM | @fastify/passport is a port of the passport authentication library for the Fastify ecosystem. The CSRF (Cross-Site Request Forgery) protection enforced by the `@fastify/csrf-protection` library, when combined with `@fastify/passport` in affected versions, can be bypassed by network and same-site attackers. `fastify/csrf-protection` implements the synchronizer token pattern (using plugins `@fastify/session` and `@fastify/secure-session`) by storing a random value used for CSRF token generation in the `_csrf` attribute of a user's session. The `@fastify/passport` library does not clear the session object upon authentication, preserving the `_csrf` attribute between pre-login and authenticated sessions. Consequently, CSRF tokens generated before authentication are still valid. Network and same-site attackers can thus obtain a CSRF token for their pre-session, fixate that pre-session in the victim's browser via cookie tossing, and then perform a CSRF attack after the victim authenticates. As a solution, newer versions of `@fastify/passport` include the configuration options `clearSessionOnLogin (default: true)` and `clearSessionIgnoreFields (default: ['passport', 'session'])` to clear all the session attributes by default, preserving those explicitly defined in `clearSessionIgnoreFields`. |
| CVE-2023-31061 | 1 Repetier-server | 1 Repetier-server | 2023-05-02 | N/A | 8.8 HIGH | Repetier Server through 1.4.10 does not have CSRF protection. |
| CVE-2023-22686 | 1 Trinitronic | 1 Nice Paypal Button Lite | 2023-05-02 | N/A | 8.8 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in TriniTronic Nice PayPal Button Lite plugin <= 1.3.5 versions. |
| CVE-2023-27495 | 1 Fastify | 1 Csrf-protection | 2023-05-02 | N/A | 6.5 MEDIUM | @fastify/csrf-protection is a plugin which helps protect Fastify servers against CSRF attacks. The CSRF protection enforced by the @fastify/csrf-protection library in combination with @fastify/cookie can be bypassed by network and same-site attackers under certain conditions. @fastify/csrf-protection supports an optional userInfo parameter that binds the CSRF token to the user. This parameter was introduced to prevent cookie-tossing attacks as a fix for CVE-2021-29624. Whenever the userInfo parameter is missing, or its value can be predicted for the target user account, network and same-site attackers can 1. fixate a _csrf cookie in the victim's browser, and 2. forge CSRF tokens that are valid for the victim's session. This allows attackers to bypass the CSRF protection mechanism. As a fix, @fastify/csrf-protection starting from version 6.3.0 (and v4.1.0) includes a server-defined secret hmacKey that cryptographically binds the CSRF token to the value of the _csrf cookie and the userInfo parameter, making tokens non-spoofable by attackers. This protection is effective as long as the userInfo parameter is unique for each user. This is patched in versions 6.3.0 and v4.1.0. Users are advised to upgrade. Users unable to upgrade may use a random, non-predictable userInfo parameter for each user as a mitigation. |
| CVE-2023-30616 | 1 Epiph | 1 Form Block | 2023-05-01 | N/A | 6.5 MEDIUM | Form Block is a WordPress plugin designed to make form creation easier. Versions prior to 1.0.2 are subject to a Cross-Site Request Forgery due to a missing nonce check. There is potential for a Cross Site Request Forgery for all form blocks, since it allows sending requests to the forms from any website without a user noticing. Users are advised to upgrade to version 1.0.2. There are no known workarounds for this vulnerability. |
| CVE-2023-29213 | 1 Xwiki | 1 Xwiki | 2023-05-01 | N/A | 8.8 HIGH | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of `org.xwiki.platform:xwiki-platform-logging-ui` it is possible to trick a user with programming rights into visiting a constructed URL, e.g. by embedding an image with this URL in a document that is viewed by a user with programming rights, which will evaluate an expression in the constructed URL and execute it. This issue has been addressed in versions 13.10.11, 14.4.7, and 14.10. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
| CVE-2022-45074 | 1 Areteit | 1 Activity Reactions For Buddypress | 2023-04-28 | N/A | 8.8 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in Paramveer Singh for Arete IT Private Limited Activity Reactions For Buddypress plugin <= 1.0.22 versions. |
| CVE-2022-45080 | 1 Krishaweb | 1 Add Multiple Marker | 2023-04-28 | N/A | 8.8 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in KrishaWeb Add Multiple Marker plugin <= 1.2 versions. |
| CVE-2023-23879 | 1 Php Execution Project | 1 Php Execution | 2023-04-28 | N/A | 8.8 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in Nicolas Zeh PHP Execution plugin <= 1.0.0 versions. |
| CVE-2023-26839 | 1 Churchcrm | 1 Churchcrm | 2023-04-28 | N/A | 4.3 MEDIUM | A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to edit information for existing people on the site. |
