Total
5731 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-22678 | 1 Superior Faq Project | 1 Superior Faq | 2023-11-07 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Rafael Dery Superior FAQ plugin <= 1.0.2 versions. | |||||
| CVE-2023-22472 | 1 Nextcloud | 1 Desktop | 2023-11-07 | N/A | 8.8 HIGH |
| Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. It is possible to make a user send any POST request with an arbitrary body given they click on a malicious deep link on a Windows computer. (e.g. in an email, chat link, etc). There are currently no known workarounds. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.2. | |||||
| CVE-2023-20130 | 1 Cisco | 2 Evolved Programmable Network Manager, Prime Infrastructure | 2023-11-07 | N/A | 6.5 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow a remote attacker to obtain privileged information and conduct cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2023-20113 | 1 Cisco | 1 Sd-wan | 2023-11-07 | N/A | 8.1 HIGH |
| A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. These actions could include modifying the system configuration and deleting accounts. | |||||
| CVE-2023-20011 | 1 Cisco | 2 Application Policy Infrastructure Controller, Cloud Network Controller | 2023-11-07 | N/A | 8.8 HIGH |
| A vulnerability in the web-based management interface of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Network Controller, formerly Cisco Cloud APIC, could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts. | |||||
| CVE-2023-1923 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2023-11-07 | N/A | 4.3 MEDIUM |
| The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfc_remove_cdn_integration_ajax_request_callback function. This makes it possible for unauthenticated attackers to change cdn settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-1472 | 1 Rapidload | 1 Rapidload Power-up For Autoptimize | 2023-11-07 | N/A | 6.3 MEDIUM |
| The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on its AJAX actions. This makes it possible for unauthenticated attackers to invoke those functions, via forged request granted they can trick a site administrator into performing an action such as clicking on a link. Actions include resetting the API key, accessing or deleting log files, and deleting cache among others. | |||||
| CVE-2023-1414 | 1 Coderex | 1 Wp Vr | 2023-11-07 | N/A | 4.3 MEDIUM |
| The WP VR WordPress plugin before 8.3.0 does not have authorisation and CSRF checks in various AJAX actions, one in particular could allow any authenticated users, such as subscriber to update arbitrary tours | |||||
| CVE-2023-1089 | 1 Hasthemes | 1 Coupon Zen | 2023-11-07 | N/A | 4.3 MEDIUM |
| The Coupon Zen WordPress plugin before 1.0.6 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack | |||||
| CVE-2023-1029 | 1 Joomunited | 1 Wp Meta Seo | 2023-11-07 | N/A | 4.3 MEDIUM |
| The WP Meta SEO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the regenerateSitemaps function. This makes it possible for unauthenticated attackers to regenerate Sitemaps via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-0870 | 1 Opennms | 2 Horizon, Meridian | 2023-11-07 | N/A | 6.7 MEDIUM |
| A form can be manipulated with cross-site request forgery in multiple versions of OpenNMS Meridian and Horizon. This can potentially allow an attacker to gain access to confidential information and compromise integrity. The solution is to upgrade to Meridian 2023.1.1 or Horizon 31.0.6 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. | |||||
| CVE-2023-0763 | 1 Infigosoftware | 1 Clock In Portal- Staff \& Attendance Management | 2023-11-07 | N/A | 4.3 MEDIUM |
| The Clock In Portal- Staff & Attendance Management WordPress plugin through 2.1 does not have CSRF check when deleting Holidays, which could allow attackers to make logged in admins delete arbitrary holidays via a CSRF attack | |||||
| CVE-2023-0498 | 1 Hasthemes | 1 Wp Education | 2023-11-07 | N/A | 4.3 MEDIUM |
| The WP Education WordPress plugin before 1.2.7 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack | |||||
| CVE-2023-0336 | 1 Ooohboi Steroids For Elementor Project | 1 Ooohboi Steroids For Elementor | 2023-11-07 | N/A | 6.5 MEDIUM |
| The OoohBoi Steroids for Elementor WordPress plugin before 2.1.5 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber to delete attachment. | |||||
| CVE-2023-0335 | 1 Wpvar | 1 Wp Shamsi | 2023-11-07 | N/A | 6.5 MEDIUM |
| The WP Shamsi WordPress plugin through 4.3.3 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber delete attachment. | |||||
| CVE-2023-0088 | 1 Swifty Page Manager Project | 1 Swifty Page Manager | 2023-11-07 | N/A | 8.8 HIGH |
| The Swifty Page Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on several AJAX actions handling page creation and deletion among other things. This makes it possible for unauthenticated attackers to invoke those functions, via forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-4872 | 1 Chained Products Project | 1 Chained Products | 2023-11-07 | N/A | 4.3 MEDIUM |
| The Chained Products WordPress plugin before 2.12.0 does not have authorisation and CSRF checks, as well as does not ensure that the option to be updated belong to the plugin, allowing unauthenticated attackers to set arbitrary options to 'no' | |||||
| CVE-2022-4621 | 1 Panasonic | 10 Vcc-hd2100p, Vcc-hd2100p Firmware, Vcc-hd3100p and 7 more | 2023-11-07 | N/A | 8.8 HIGH |
| Panasonic Sanyo CCTV Network Cameras versions 1.02-05 and 2.03-0x are vulnerable to CSRFs that can be exploited to allow an attacker to perform changes with administrator level privileges. | |||||
| CVE-2022-4548 | 1 Imageseo | 1 Optimize Images Alt Text \(alt Tag\) \& Names For Seo Using Ai | 2023-11-07 | N/A | 6.5 MEDIUM |
| The Optimize images ALT Text & names for SEO using AI WordPress plugin before 2.0.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. | |||||
| CVE-2022-4397 | 1 Zend-blog-2 Project | 1 Zend-blog-2 | 2023-11-07 | N/A | 6.5 MEDIUM |
| A vulnerability was found in morontt zend-blog-number-2. It has been classified as problematic. Affected is an unknown function of the file application/forms/Comment.php of the component Comment Handler. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The name of the patch is 36b2d4abe20a6245e4f8df7a4b14e130b24d429d. It is recommended to apply a patch to fix this issue. VDB-215250 is the identifier assigned to this vulnerability. | |||||