Total: 5731 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-19803 | 1 Doyocms Project | 1 Doyocms | 2023-04-20 | N/A | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability in Milken DoyoCMS v2.3 allows a remote attacker to execute arbitrary code via the background system settings. | |||||
| CVE-2023-26845 | 1 Opencats | 1 Opencats | 2023-04-20 | N/A | 4.3 MEDIUM |
| A Cross-Site Request Forgery (CSRF) in OpenCATS 0.9.7 allows attackers to force users into submitting web requests via unspecified vectors. | |||||
| CVE-2023-27490 | 1 Nextauth.js | 1 Next-auth | 2023-04-20 | N/A | 8.8 HIGH |
| NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth providers in versions before `v4.20.1` are subject to an authentication vulnerability. An attacker who can read traffic on the victim's network, or who can social engineer the victim into clicking a manipulated login link, could intercept and tamper with the authorization URL to **log in as the victim**, bypassing the CSRF protection. This is due to a partial failure during a compromised OAuth session where a session code is erroneously generated. This issue has been addressed in version 4.20.1. Users are advised to upgrade. Users unable to upgrade may use Advanced Initialization to manually check the callback request's state, pkce, and nonce values against the provider configuration to prevent this issue. See the linked GHSA for details. | |||||
| CVE-2021-40335 | 1 Hitachienergy | 2 Modular Switchgear Monitoring, Modular Switchgear Monitoring Firmware | 2023-04-19 | N/A | 8.8 HIGH |
| A vulnerability exists in the HTTP web interface where the web interface does not sufficiently verify that a well-formed, valid, consistent request was intentionally provided by the user who submitted it. This causes a Cross-Site Request Forgery (CSRF) which, if exploited, could allow an attacker to gain unauthorized access to the web application and perform an unwanted operation on it without the knowledge of the legitimate user. An attacker who successfully makes an MSM user with an established session to the MSM web interface click a forged link to that interface (e.g., a link sent by e-mail) could perform harmful commands on MSM through its web server interface. This issue affects: Hitachi Energy MSM V2.2 and prior versions. | |||||
| CVE-2023-25411 | 1 Aten | 2 Pe8108, Pe8108 Firmware | 2023-04-14 | N/A | 4.3 MEDIUM |
| Aten PE8108 2.4.232 is vulnerable to Cross Site Request Forgery (CSRF). | |||||
| CVE-2021-27927 | 1 Zabbix | 1 Zabbix | 2023-04-12 | 6.8 MEDIUM | 8.8 HIGH |
| In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism: its init() method calls disableSIDvalidation(), so requests to it are accepted without the sid (session ID) token check that provides CSRF protection elsewhere in the frontend. An attacker does not have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges. | |||||
| CVE-2022-30694 | 1 Siemens | 223 6ag1151-8ab01-7ab0, 6ag1151-8ab01-7ab0 Firmware, 6ag1151-8fb01-2ab0 and 220 more | 2023-04-11 | N/A | 6.5 MEDIUM |
| The login endpoint /FormLogin in affected web services does not apply proper origin checking. This could allow authenticated remote attackers to track the activities of other users via a login cross-site request forgery attack. | |||||
| CVE-2020-19278 | 1 Mm-wiki Project | 1 Mm-wiki | 2023-04-10 | N/A | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability in Phachon mm-wiki v0.1.2 allows a remote attacker to execute arbitrary code via the system/user/save parameter. | |||||
| CVE-2023-0480 | 1 Vitalpbx | 1 Vitalpbx | 2023-04-10 | N/A | 8.8 HIGH |
| VitalPBX version 3.2.3-8 allows an unauthenticated external attacker to obtain the instance administrator's account. This is possible because the application is vulnerable to CSRF. | |||||
| CVE-2023-28848 | 1 Nextcloud | 1 User Oidc | 2023-04-10 | N/A | 5.4 MEDIUM |
| user_oidc is the OpenID Connect user backend for Nextcloud, an open source collaboration platform. In versions 1.0.0 up to, but not including, 1.3.0 the state protection could be bypassed: an attacker could copy the expected state token from the first request into their second request, and it was accepted again. Users should upgrade user_oidc to 1.3.0 to receive a patch for the issue. No known workarounds are available. | |||||
| CVE-2023-28676 | 1 Jenkins | 1 Convert To Pipeline | 2023-04-08 | N/A | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Convert To Pipeline Plugin 1.0 and earlier allows attackers to create a Pipeline based on a Freestyle project, potentially leading to remote code execution (RCE). | |||||
| CVE-2023-28674 | 1 Jenkins | 1 Octoperf Load Testing | 2023-04-08 | N/A | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin 4.5.2 and earlier allows attackers to connect to a previously configured OctoPerf server using attacker-specified credentials. | |||||
| CVE-2023-28671 | 1 Jenkins | 1 Octoperf Load Testing | 2023-04-07 | N/A | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin 4.5.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2022-2846 | 1 Dwbooster | 1 Calendar Event Multi View | 2023-04-05 | N/A | 4.3 MEDIUM |
| The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation or CSRF checks in place when creating an event, and also lacks sanitisation and escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and place Cross-Site Scripting payloads in them. | |||||
| CVE-2022-41413 | 1 Perfsonar | 1 Perfsonar | 2023-04-03 | N/A | 4.3 MEDIUM |
| perfSONAR v4.x <= v4.4.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability which is triggered when an attacker injects crafted input into the Search function. | |||||
| CVE-2019-1958 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2023-03-29 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based management interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. | |||||
| CVE-2022-38329 | 1 Shopxian | 1 Shopxian Cms | 2023-03-29 | N/A | 4.3 MEDIUM |
| An issue was discovered in Shopxian CMS 3.0.0. There is a CSRF vulnerability that can delete the specified column via index.php/contents-admin_cat-finderdel-model-ContentsCat.html?id=17. | |||||
| CVE-2018-1858 | 1 Ibm | 1 Api Connect | 2023-03-24 | 6.8 MEDIUM | 8.8 HIGH |
| IBM API Connect 5.0.0.0 through 5.0.8.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 151256. | |||||
| CVE-2023-27234 | 1 Jizhicms | 1 Jizhicms | 2023-03-20 | N/A | 6.5 MEDIUM |
| A Cross-Site Request Forgery (CSRF) in /Sys/index.html of Jizhicms v2.4.5 allows attackers to arbitrarily make configuration changes within the application. | |||||
| CVE-2023-1205 | 1 Netgear | 2 Rax30, Rax30 Firmware | 2023-03-15 | N/A | 8.8 HIGH |
| NETGEAR Nighthawk WiFi6 Router prior to V1.0.10.94 is vulnerable to cross-site request forgery attacks on all endpoints due to improperly implemented CSRF protections. | |||||
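The login CSRF entry above (CVE-2022-30694) turns on whether a login endpoint checks where the POST came from. The following is an added example, not Siemens code or any vendor's: a Node.js request filter that accepts a form login only when the browser-set Sec-Fetch-Site, Origin or Referer header shows it was submitted from the application's own origin, and fails closed when none of them is present. The `plc.example` / `attacker.example` hostnames and the sample header sets are constructed for the demo.

```javascript
// Added example: same-origin check for a state-changing request such as a login form POST.
// Browsers set Sec-Fetch-Site, Origin and Referer themselves; a page on another site cannot
// forge them. Use the strongest signal present and reject when there is nothing to check.
function isSameSiteRequest(headers, allowedOrigins) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const allowed = new Set(allowedOrigins.map((o) => o.toLowerCase()));

  // 1. Fetch Metadata: "same-origin" (or "none" for a user-typed URL) is the only acceptable
  //    value here; "same-site" (a sibling subdomain) and "cross-site" are treated as foreign.
  const fetchSite = (h["sec-fetch-site"] || "").toLowerCase();
  if (fetchSite) {
    if (fetchSite === "same-origin" || fetchSite === "none") return { allowed: true, via: "sec-fetch-site" };
    return { allowed: false, reason: `Sec-Fetch-Site is ${fetchSite}` };
  }

  // 2. Origin: browsers send it on every cross-origin POST, so a cross-site form post always
  //    carries it. The literal "null" (sandboxed frame, privacy redirect) is not in the allow list.
  if (h["origin"] !== undefined) {
    const origin = h["origin"].toLowerCase();
    if (allowed.has(origin)) return { allowed: true, via: "origin" };
    return { allowed: false, reason: `Origin ${origin} not allowed` };
  }

  // 3. Referer: compare only the origin part (scheme://host[:port]), never the full URL.
  if (h["referer"]) {
    let refOrigin = null;
    try { refOrigin = new URL(h["referer"]).origin.toLowerCase(); } catch (e) { refOrigin = null; }
    if (refOrigin && allowed.has(refOrigin)) return { allowed: true, via: "referer" };
    return { allowed: false, reason: `Referer origin ${refOrigin} not allowed` };
  }

  // 4. No evidence at all: reject rather than assume good faith.
  return { allowed: false, reason: "no Sec-Fetch-Site, Origin or Referer header" };
}

// Constructed header sets for a POST to a login endpoint; "plc.example" is the application.
const ALLOWED_ORIGINS = ["https://plc.example"];
const SAMPLE_REQUESTS = {
  genuineForm: { "Sec-Fetch-Site": "same-origin", Origin: "https://plc.example", Referer: "https://plc.example/login" },
  crossSiteForm: { "Sec-Fetch-Site": "cross-site", Origin: "https://attacker.example", Referer: "https://attacker.example/" },
  olderBrowserGenuine: { Origin: "https://plc.example" },
  olderBrowserForged: { Origin: "https://attacker.example" },
  refererOnlyGenuine: { Referer: "https://plc.example/login?next=/" },
  refererOnlyForged: { Referer: "https://attacker.example/lure.html" },
  nullOrigin: { Origin: "null" },
  strippedHeaders: {},
};

// Returns { sampleName: allowed } for every constructed request.
function checkSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = isSameSiteRequest(headers, ALLOWED_ORIGINS).allowed;
  }
  return out;
}

console.log(checkSamples());
```

A check like this belongs in front of the login handler in addition to, not instead of, a per-session CSRF token: the origin check is what stops an attacker's page from logging the victim into the attacker's account, which is the "track the activities of other users" outcome the advisory describes.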
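Two entries above describe the same class of OAuth/OIDC weakness: CVE-2023-27490, where a manipulated login link lets an attacker log in as the victim and the workaround is to check the callback's state, pkce and nonce against what the provider flow started with, and CVE-2023-28848, where a state token copied from one request was accepted on a second. The following is an added example, not NextAuth.js or user_oidc code: a Node.js relying-party sketch that generates state, PKCE verifier and nonce per browser session, stores them keyed by that session, and accepts a callback only if the state matches that session's own record, consuming the record so it cannot be replayed. The provider URLs, client id, `idTokenClaims` object (standing in for the decoded, signature-verified ID token) and the in-memory `pendingLogins` map are assumptions for the demo.

```javascript
const crypto = require("crypto");

// Pending logins keyed by the browser session that started them (in-memory for the demo;
// a real app would keep this in a signed session cookie or server-side session store).
const pendingLogins = new Map();

function base64url(buf) {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function randomToken() {
  return base64url(crypto.randomBytes(32));
}
function constantTimeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Step 1: start a login. state, PKCE verifier and nonce are generated here and tied to
// sessionId; nothing in the incoming request is allowed to supply them.
function beginLogin(sessionId, provider) {
  const state = randomToken();
  const codeVerifier = randomToken();
  const nonce = randomToken();
  const codeChallenge = base64url(crypto.createHash("sha256").update(codeVerifier).digest());
  pendingLogins.set(sessionId, { state, codeVerifier, nonce });

  const url = new URL(provider.authorizationEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", provider.clientId);
  url.searchParams.set("redirect_uri", provider.redirectUri);
  url.searchParams.set("scope", "openid");
  url.searchParams.set("state", state);
  url.searchParams.set("nonce", nonce);
  url.searchParams.set("code_challenge", codeChallenge);
  url.searchParams.set("code_challenge_method", "S256");
  return url.toString();
}

// Step 2: the provider redirects the browser back to redirect_uri. Accept only if the state
// in the URL equals the state stored for THIS session; delete the record before anything
// else so a second presentation fails; then check the nonce in the ID token.
function handleCallback(sessionId, callbackUrl, idTokenClaims) {
  const pending = pendingLogins.get(sessionId);
  if (!pending) return { ok: false, reason: "no login in progress for this session" };

  const params = new URL(callbackUrl).searchParams;
  if (!constantTimeEqual(params.get("state") || "", pending.state)) {
    return { ok: false, reason: "state does not match this session" };
  }
  pendingLogins.delete(sessionId); // single use: a replay never reaches the token exchange

  if (!constantTimeEqual(idTokenClaims.nonce || "", pending.nonce)) {
    return { ok: false, reason: "nonce does not match this session" };
  }
  // codeVerifier is sent to the token endpoint as code_verifier, so an authorization code
  // obtained by someone who did not start this login cannot be redeemed from here.
  return { ok: true, code: params.get("code"), codeVerifier: pending.codeVerifier };
}

// The attack from the advisories, with constructed values: the attacker starts a login,
// gets a callback URL for the attacker's own account and makes the victim load it; later
// the victim's own, already-used callback is replayed.
function demo() {
  const provider = {
    authorizationEndpoint: "https://idp.example/authorize",
    clientId: "demo-client",
    redirectUri: "https://app.example/callback",
  };
  const stateOf = (u) => new URL(u).searchParams.get("state");

  const attackerState = stateOf(beginLogin("attacker-session", provider));
  const victimState = stateOf(beginLogin("victim-session", provider));
  const victimNonce = pendingLogins.get("victim-session").nonce;
  const attackerNonce = pendingLogins.get("attacker-session").nonce;

  const forged = handleCallback("victim-session",
    `${provider.redirectUri}?code=attacker-code&state=${attackerState}`, { nonce: attackerNonce });
  const genuineUrl = `${provider.redirectUri}?code=victim-code&state=${victimState}`;
  const genuine = handleCallback("victim-session", genuineUrl, { nonce: victimNonce });
  const replay = handleCallback("victim-session", genuineUrl, { nonce: victimNonce });
  return { forged, genuine, replay };
}

console.log(demo());
```

The property that matters is binding: the state is compared against the record of the session that receives the callback, not against "any state we ever issued", and it is deleted on first use. Without the first part the forged link succeeds (CVE-2023-27490); without the second the copied token is accepted again (CVE-2023-28848).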
