The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2022-29468 | A cross-site request forgery (CSRF) vulnerability exists in WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to increased privileges. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability. | -- | Aug 24, 2022 | n/a |
| CVE-2018-7720 | A cross-site request forgery (CSRF) vulnerability exists in Western Bridge Cobub Razor 0.7.2 via /index.php?/user/createNewUser/, resulting in account creation. | MEDIUM | Mar 7, 2018 | n/a |
| CVE-2021-32159 | A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Upload and Download feature. | MEDIUM | Apr 15, 2022 | n/a |
| CVE-2021-32156 | A cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Scheduled Cron Jobs feature. | MEDIUM | Apr 15, 2022 | n/a |
| CVE-2021-32162 | A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 through the File Manager feature. | MEDIUM | Apr 15, 2022 | n/a |
| CVE-2021-40965 | A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker. | HIGH | Sep 15, 2021 | n/a |
| CVE-2024-3135 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the mudler/localai application, allowing attackers to craft malicious webpages that, when visited by a victim, perform unauthorized actions on the victim\'s local LocalAI instance without their consent. This vulnerability enables attackers to exhaust system resources, consume credits, and fill disk space by making numerous resource-intensive API calls, such as generating images or uploading files. The vulnerability stems from the application\'s acceptance of simple request content-types without requiring CSRF tokens or implementing other CSRF mitigation measures. Successful exploitation does not require network access to the vulnerable LocalAI environment. | -- | Apr 2, 2024 | n/a |
| CVE-2019-7865 | A cross-site request forgery (CSRF) vulnerability exists in the checkout cart item of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited at the time of editing or configuration. | MEDIUM | Aug 6, 2019 | n/a |
| CVE-2018-7828 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the 1st Gen. Pelco Sarix Enhanced Camera and Spectra Enhanced PTZ Camera when an authenticated user clicks a specially crafted malicious link while logged into the camera. | MEDIUM | May 28, 2019 | n/a |
| CVE-2019-10253 | A Cross-Site Request Forgery (CSRF) vulnerability exists in TeamMate+ 21.0.0.0 that allows a remote attacker to modify application data (upload malicious/forged files on a TeamMate server, or replace existing uploaded files with malicious/forged files). The specific flaw exists within the handling of Upload/DomainObjectDocumentUpload.ashx requests because of failure to validate a CSRF token before handling a POST request. | MEDIUM | Sep 10, 2019 | n/a |
| CVE-2021-41764 | A cross-site request forgery (CSRF) vulnerability exists in Streama up to and including v1.10.3. The application does not have CSRF checks in place when performing actions such as uploading local files. As a result, attackers could make a logged-in administrator upload arbitrary local files via a CSRF attack and send them to the attacker. | MEDIUM | Oct 3, 2021 | n/a |
| CVE-2020-28403 | A Cross-Site Request Forgery (CSRF) vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an attacker to change the privileges of any user of the application. This can be used to grant himself administrative role or remove the administrative account of the application. | MEDIUM | Jan 29, 2021 | n/a |
| CVE-2020-25408 | A Cross-Site Request Forgery (CSRF) vulnerability exists in ProjectWorlds College Management System Php 1.0 that allows a remote attacker to modify, delete, or make a new entry of the student, faculty, teacher, subject, scores, location, and article data. | MEDIUM | May 27, 2021 | n/a |
| CVE-2011-3582 | A Cross-site Request Forgery (CSRF) vulnerability exists in Advanced Electron Forums (AEF) through 1.0.9 due to inadequate confirmation for sensitive transactions in the administrator functions. | MEDIUM | Jan 27, 2020 | n/a |
| CVE-2022-28921 | A Cross-Site Request Forgery (CSRF) vulnerability discovered in BlogEngine.Net v3.3.8.0 allows unauthenticated attackers to read arbitrary files on the hosting web server. | MEDIUM | May 18, 2022 | n/a |
| CVE-2023-3589 | A Cross-Site Request Forgery (CSRF) vulnerability affecting Teamwork Cloud from No Magic Release 2021x through No Magic Release 2022x could allow with some very specific conditions an attacker to send a specifically crafted query to the server. | -- | Oct 10, 2023 | n/a |
| CVE-2023-31452 | A cross-site request forgery (CSRF) token bypass was identified in PRTG 23.2.84.1566 and earlier versions that allows remote attackers to perform actions with the permissions of a victim user, provided the victim user has an active session and is induced to trigger the malicious request. This could force PRTG to execute different actions, such as creating new users. The severity of this vulnerability is high and received a score of 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | -- | Aug 9, 2023 | n/a |
| CVE-2017-12703 | A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server. | MEDIUM | Aug 26, 2017 | n/a |
| CVE-2020-35943 | A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload. (It is possible to bypass CSRF protection by simply not including a nonce parameter.) | MEDIUM | Feb 12, 2021 | n/a |
| CVE-2020-35942 | A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload and Local File Inclusion via settings modification, leading to Remote Code Execution and XSS. (It is possible to bypass CSRF protection by simply not including a nonce parameter.) | MEDIUM | Feb 12, 2021 | n/a |
| CVE-2022-29002 | A Cross-Site Request Forgery (CSRF) in XXL-Job v2.3.0 allows attackers to arbitrarily create administrator accounts via the component /gaia-job-admin/user/add. | MEDIUM | May 24, 2022 | n/a |
| CVE-2020-21658 | A Cross-Site Request Forgery (CSRF) in WDJA CMS v1.5.2 allows attackers to arbitrarily add administrator accounts via a crafted URL. | MEDIUM | Oct 6, 2021 | n/a |
| CVE-2023-38999 | A Cross-Site Request Forgery (CSRF) in the System Halt API (/system/halt) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to cause a Denial of Service (DoS) via a crafted GET request. | -- | Aug 9, 2023 | n/a |
| CVE-2022-24235 | A Cross-Site Request Forgery (CSRF) in the management portal of Snapt Aria v12.8 allows attackers to escalate privileges and execute arbitrary code via unspecified vectors. | MEDIUM | Mar 22, 2022 | n/a |
| CVE-2022-37719 | A Cross-Site Request Forgery (CSRF) in the management portal of JetNexus/EdgeNexus ADC 4.2.8 allows attackers to escalate privileges and execute arbitrary code via unspecified vectors. | -- | Jan 23, 2023 | n/a |
| CVE-2020-21386 | A Cross-Site Request Forgery (CSRF) in the component admin.php/admin/type/info.html of Maccms 10 allows attackers to gain administrator privileges. | MEDIUM | Oct 7, 2021 | n/a |
| CVE-2023-37131 | A Cross-Site Request Forgery (CSRF) in the component /public/admin/profile/update.html of YznCMS v1.1.0 allows attackers to arbitrarily change the Administrator password via a crafted POST request. | -- | Jul 11, 2023 | n/a |
| CVE-2022-44849 | A Cross-Site Request Forgery (CSRF) in the Administrator List of MetInfo v7.7 allows attackers to arbitrarily add Super Administrator account. | -- | Dec 7, 2022 | n/a |
| CVE-2023-37650 | A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands. | -- | Jul 20, 2023 | n/a |
| CVE-2020-20593 | A cross-site request forgery (CSRF) in Rockoa v1.9.8 allows an authenticated attacker to arbitrarily add an administrator account. | MEDIUM | Dec 23, 2021 | n/a |
| CVE-2021-46252 | A Cross-Site Request Forgery (CSRF) in RequirementsBypassPage.php of Scratch Wiki scratch-confirmaccount-v3 allows attackers to modify account request requirement bypasses. | MEDIUM | Feb 16, 2022 | n/a |
| CVE-2023-36345 | A Cross-Site Request Forgery (CSRF) in POS Codekop v2.0 allows attackers to escalate privileges. | -- | Jun 24, 2023 | n/a |
| CVE-2022-26589 | A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to delete arbitrary pages. | MEDIUM | Apr 13, 2022 | n/a |
| CVE-2022-27432 | A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to change the password of any given user by exploiting this feature leading to account takeover. | MEDIUM | Apr 5, 2022 | n/a |
| CVE-2020-20595 | A cross-site request forgery (CSRF) in OPMS v1.3 and below allows attackers to arbitrarily add a user account via /user/add. | MEDIUM | Dec 23, 2021 | n/a |
| CVE-2023-26845 | A Cross-Site Request Forgery (CSRF) in OpenCATS 0.9.7 allows attackers to force users into submitting web requests via unspecified vectors. | -- | Apr 11, 2023 | n/a |
| CVE-2023-27073 | A Cross-Site Request Forgery (CSRF) in Online Food Ordering System v1.0 allows attackers to change user details and credentials via a crafted POST request. | -- | Mar 17, 2023 | n/a |
| CVE-2022-28992 | A Cross-Site Request Forgery (CSRF) in Online Banquet Booking System v1.0 allows attackers to change admin credentials via a crafted POST request. | MEDIUM | May 20, 2022 | n/a |
| CVE-2022-35611 | A Cross-Site Request Forgery (CSRF) in MQTTRoute v3.3 and below allows attackers to create and remove dashboards. | -- | Oct 14, 2022 | n/a |
| CVE-2020-19263 | A cross-site request forgery (CSRF) in MipCMS v5.0.1 allows attackers to arbitrarily escalate user privileges to administrator via index.php?s=/user/ApiAdminUser/itemEdit. | MEDIUM | Sep 9, 2021 | n/a |
| CVE-2020-19264 | A cross-site request forgery (CSRF) in MipCMS v5.0.1 allows attackers to arbitrarily add users via index.php?s=/user/ApiAdminUser/itemAdd. | MEDIUM | Sep 9, 2021 | n/a |
| CVE-2022-33121 | A Cross-Site Request Forgery (CSRF) in MiniCMS v1.11 allows attackers to arbitrarily delete local .dat files via clicking on a malicious link. | MEDIUM | Jun 25, 2022 | n/a |
| CVE-2020-20514 | A Cross-Site Request Forgery (CSRF) in Maccms v10 via admin.php/admin/admin/del/ids/<id>.html allows authenticated attackers to delete all users. | MEDIUM | Sep 26, 2021 | n/a |
| CVE-2020-21081 | A cross-site request forgery (CSRF) in Maccms 8.0 causes administrators to add and modify articles without their knowledge via clicking on a crafted URL. | MEDIUM | Sep 14, 2021 | n/a |
| CVE-2020-20671 | A cross-site request forgery (CSRF) in KiteCMS V1.1 allows attackers to arbitrarily add an administrator account. | MEDIUM | Sep 14, 2021 | n/a |
| CVE-2020-19268 | A cross-site request forgery (CSRF) in index.php/Dswjcms/User/tfAdd of Dswjcms 1.6.4 allows authenticated attackers to arbitrarily add administrator users. | LOW | Sep 9, 2021 | n/a |
| CVE-2022-26588 | A Cross-Site Request Forgery (CSRF) in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI. | MEDIUM | Apr 8, 2022 | n/a |
| CVE-2023-33534 | A Cross-Site Request Forgery (CSRF) in Guanzhou Tozed Kangwei Intelligent Technology ZLTS10G software version S10G_3.11.6 allows attackers to takeover user accounts via sending a crafted POST request to /goform/goform_set_cmd_process. | -- | Jul 31, 2023 | n/a |
| CVE-2020-20693 | A Cross-Site Request Forgery (CSRF) in GilaCMS v1.11.4 allows authenticated attackers to arbitrarily add administrator accounts. | MEDIUM | Oct 1, 2021 | n/a |
| CVE-2023-52060 | A Cross-Site Request Forgery (CSRF) in Gestsup v3.2.46 allows attackers to arbitrarily edit user profile information via a crafted request. | -- | Feb 13, 2024 | n/a |
