Total
9087 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-47082 | 1 Strawberryrocks | 1 Strawberry | 2024-10-01 | 4.6 Medium |
| Strawberry GraphQL is a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integrations vulnerable to cross-site request forgery (CSRF) attacks if users did not explicitly enable CSRF preventing security mechanism for their servers. Additionally, the Django HTTP view integration, in particular, had an exemption for Django's built-in CSRF protection (i.e., the `CsrfViewMiddleware` middleware) by default. In affect, all Strawberry integrations were vulnerable to CSRF attacks by default. Version `v0.243.0` is the first `strawberry-graphql` including a patch. | ||||
| CVE-2024-7862 | 2 Blogintroduction Wordpress Plugin, Kimhuebel | 2 Blogintroduction Wordpress Plugin, Blogintroduction-wordpress-plugin | 2024-09-30 | 4.3 Medium |
| The blogintroduction-wordpress-plugin WordPress plugin through 0.3.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | ||||
| CVE-2024-3083 | 1 Proges | 2 Sensor Net Connect Firmware V2, Sensor Net Connect V2 | 2024-09-30 | 8.3 High |
| A “CWE-352: Cross-Site Request Forgery (CSRF)” can be exploited by remote attackers to perform state-changing operations with administrative privileges by luring authenticated victims into visiting a malicious web page. | ||||
| CVE-2024-8044 | 2 Rubayathasan, Wordpress Plugin | 2 Infolinks Ad Wrap, Infolinks Ad Wrap | 2024-09-30 | 5.7 Medium |
| The infolinks Ad Wrap WordPress plugin through 1.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | ||||
| CVE-2024-7863 | 1 Pixeljar | 1 Favicon Generator | 2024-09-27 | 8.1 High |
| The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not validate files to be uploaded and does not have CSRF checks, which could allow attackers to make logged in admin upload arbitrary files such as PHP on the server | ||||
| CVE-2024-7864 | 1 Pixeljar | 1 Favicon Generator | 2024-09-27 | 6.5 Medium |
| The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not have CSRF and path validation in the output_sub_admin_page_0() function, allowing attackers to make logged in admins delete arbitrary files on the server | ||||
| CVE-2024-7817 | 2 Michalaugustyniak, Misiek Photo Album | 2 Misiek Photo Album, Misiek Photo Album | 2024-09-27 | 6.5 Medium |
| The Misiek Photo Album WordPress plugin through 1.4.3 does not have CSRF checks in some places, which could allow attackers to make logged in users delete arbitrary albums via a CSRF attack | ||||
| CVE-2024-8043 | 2 Seanschulte, Wordpress Plugin | 2 Vikinghammer Tweet, Vikinghammer Tweet | 2024-09-27 | 5.7 Medium |
| The Vikinghammer Tweet WordPress plugin through 0.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | ||||
| CVE-2024-8051 | 2 Moc, Wordpress Plugin | 2 Special Feed Items, Special Feed Items | 2024-09-27 | 5.7 Medium |
| The Special Feed Items WordPress plugin through 1.0.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | ||||
| CVE-2024-8091 | 2 Jakesnyder, Jupitercow | 2 Enhanced Search Box, Enhanced Search Box | 2024-09-27 | 4.8 Medium |
| The Enhanced Search Box WordPress plugin through 0.6.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | ||||
| CVE-2024-8092 | 2 Alaingg, Alaingonzalez | 2 Accordion Image Menu, Accordion Image Menu | 2024-09-27 | 5.4 Medium |
| The Accordion Image Menu WordPress plugin through 3.1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | ||||
| CVE-2024-8093 | 2 Lucas Garcia, Lucasgarcia | 2 Posts Reminder, Posts Reminder | 2024-09-27 | 4.8 Medium |
| The Posts reminder WordPress plugin through 0.20 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | ||||
| CVE-2024-7820 | 2 Elliot, Ilc Thickbox | 2 Ilc Thickbox, Ilc Thickbox | 2024-09-27 | 4.3 Medium |
| The ILC Thickbox WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | ||||
| CVE-2024-8052 | 2 Joen, Moc | 2 Review Ratings, Review Ratings | 2024-09-27 | 4.8 Medium |
| The Review Ratings WordPress plugin through 1.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | ||||
| CVE-2024-7816 | 2 Adeelraza, Gixaw Chat | 2 Gixaw Chat, Gixaw Chat | 2024-09-26 | 6.1 Medium |
| The Gixaw Chat WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | ||||
| CVE-2024-3163 | 2 Easy Property Listings, Realestateconnected | 2 Easy Property Listings, Easy Property Listings | 2024-09-26 | 4.3 Medium |
| The Easy Property Listings WordPress plugin before 3.5.4 does not have CSRF check when deleting contacts in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack | ||||
| CVE-2024-46086 | 1 Frogcms Project | 1 Frogcms | 2024-09-25 | 8.8 High |
| FrogCMS V0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/plugin/file_manager/delete/123 | ||||
| CVE-2024-46394 | 1 Frogcms Project | 1 Frogcms | 2024-09-25 | 8 High |
| FrogCMS v0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admin/?/user/add | ||||
| CVE-2024-6862 | 2 Lunary, Lunary-ai | 2 Lunary, Lunary-ai\/lunary | 2024-09-19 | 8.1 High |
| A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main attack vector is for instances hosted locally on personal machines, which are not publicly accessible. The CORS settings in the backend permit all origins, exposing unauthenticated endpoints to CSRF attacks. | ||||
| CVE-2024-39641 | 1 Thimpress | 1 Learnpress | 2024-09-18 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in ThimPress LearnPress.This issue affects LearnPress: from n/a through 4.2.6.8.2. | ||||