Cross-Site Request Forgery (CSRF) vulnerability in BizSwoop a CPF Concepts, LLC Brand BizPrint allows Cross-Site Scripting (XSS).This issue affects BizPrint: from n/a through 4.5.5.
Max CVSS
7.1
EPSS Score
0.04%
Published
2024-03-27
Updated
2024-03-27
Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue.
Max CVSS
8.2
EPSS Score
0.06%
Published
2024-03-20
Updated
2024-03-21
JupyterHub is an open source multi-user server for Jupyter notebooks. By tricking a user into visiting a malicious subdomain, the attacker can achieve an XSS directly affecting the former's session. More precisely, in the context of JupyterHub, this XSS could achieve full access to JupyterHub API and user's single-user server. The affected configurations are single-origin JupyterHub deployments and JupyterHub deployments with user-controlled applications running on subdomains or peer subdomains of either the Hub or a single-user server. This vulnerability is fixed in 4.1.0.
Max CVSS
8.1
EPSS Score
0.04%
Published
2024-03-27
Updated
2024-03-28
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Max CVSS
8.1
EPSS Score
0.04%
Published
2024-03-13
Updated
2024-03-13
Cross-Site Request Forgery (CSRF) vulnerability in Optimole Super Page Cache for Cloudflare allows Stored XSS.This issue affects Super Page Cache for Cloudflare: from n/a through 4.7.5.
Max CVSS
7.1
EPSS Score
0.04%
Published
2024-03-21
Updated
2024-03-21
An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.
Max CVSS
8.1
EPSS Score
0.04%
Published
2024-03-19
Updated
2024-03-19
IBM Integration Bus for z/OS 10.1 through 10.1.0.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 284564.
Max CVSS
6.5
EPSS Score
0.04%
Published
2024-03-14
Updated
2024-03-19
Cross-Site Request Forgery (CSRF) vulnerability in Bee BeePress allows Stored XSS.This issue affects BeePress: from n/a through 6.9.8.
Max CVSS
7.1
EPSS Score
0.04%
Published
2024-03-16
Updated
2024-03-17
Cross-Site Request Forgery (CSRF) vulnerability in Sandi Verdev Watermark RELOADED allows Stored XSS.This issue affects Watermark RELOADED: from n/a through 1.3.5.
Max CVSS
7.1
EPSS Score
0.04%
Published
2024-03-16
Updated
2024-03-17
Cross-Site Request Forgery (CSRF) vulnerability in Andrei Ivasiuc Fontific | Google Fonts allows Stored XSS.This issue affects Fontific | Google Fonts: from n/a through 0.1.6.
Max CVSS
7.1
EPSS Score
0.04%
Published
2024-03-16
Updated
2024-03-17
GeoNode is a geospatial content management system, a platform for the management and publication of geospatial data. An issue exists within GEONODE where the current rich text editor is vulnerable to Stored XSS. The applications cookies are set securely, but it is possible to retrieve a victims CSRF token and issue a request to change another user's email address to perform a full account takeover. Due to the script element not impacting the CORS policy, requests will succeed. This vulnerability is fixed in 4.2.3.
Max CVSS
6.1
EPSS Score
0.04%
Published
2024-03-27
Updated
2024-03-27
flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/update_menu.php.
Max CVSS
8.8
EPSS Score
0.06%
Published
2024-02-11
Updated
2024-02-12
flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/delete_menu.php.
Max CVSS
8.8
EPSS Score
0.06%
Published
2024-02-11
Updated
2024-02-12
flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/add_translation.php.
Max CVSS
8.8
EPSS Score
0.06%
Published
2024-02-11
Updated
2024-02-12
Cross-Site Request Forgery (CSRF) vulnerability in PowerPack Addons for Elementor PowerPack Pro for Elementor.This issue affects PowerPack Pro for Elementor: from n/a before 2.10.8.
Max CVSS
7.1
EPSS Score
0.04%
Published
2024-02-21
Updated
2024-02-22
Icinga Director is a tool designed to make Icinga 2 configuration handling easy. Not any of Icinga Director's configuration forms used to manipulate the monitoring environment are protected against cross site request forgery (CSRF). It enables attackers to perform changes in the monitoring environment managed by Icinga Director without the awareness of the victim. Users of the map module in version 1.x, should immediately upgrade to v2.0. The mentioned XSS vulnerabilities in Icinga Web are already fixed as well and upgrades to the most recent release of the 2.9, 2.10 or 2.11 branch must be performed if not done yet. Any later major release is also suitable. Icinga Director will receive minor updates to the 1.8, 1.9, 1.10 and 1.11 branches to remedy this issue. Upgrade immediately to a patched release. If that is not feasible, disable the director module for the time being.
Max CVSS
8.3
EPSS Score
0.06%
Published
2024-02-09
Updated
2024-02-16
icingaweb2-module-incubator is a working project of bleeding edge Icinga Web 2 libraries. In affected versions the class `gipfl\Web\Form` is the base for various concrete form implementations [1] and provides protection against cross site request forgery (CSRF) by default. This is done by automatically adding an element with a CSRF token to any form, unless explicitly disabled, but even if enabled, the CSRF token (sent during a client's submission of a form relying on it) is not validated. This enables attackers to perform changes on behalf of a user which, unknowingly, interacts with a prepared link or website. The version 0.22.0 is available to remedy this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Max CVSS
8.8
EPSS Score
0.06%
Published
2024-02-09
Updated
2024-02-16
A cross-site request forgery (CSRF) vulnerability in all versions up to 1.14.1 of the api server component of Allegro AI’s ClearML platform allows a remote attacker to impersonate a user by sending API requests via maliciously crafted html. Exploitation of the vulnerability allows an attacker to compromise confidential workspaces and files, leak sensitive information, and target instances of the ClearML platform within closed off networks.
Max CVSS
9.6
EPSS Score
0.08%
Published
2024-02-06
Updated
2024-02-15
Cross Site Request Forgery (CSRF) vulnerability in flusity-CMS v.2.33, allows remote attackers to execute arbitrary code via the add_menu.php component.
Max CVSS
8.8
EPSS Score
0.14%
Published
2024-02-02
Updated
2024-02-09
Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the update_post.php component.
Max CVSS
8.8
EPSS Score
0.14%
Published
2024-02-02
Updated
2024-02-06
Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the delete_post .php.
Max CVSS
8.8
EPSS Score
0.14%
Published
2024-02-05
Updated
2024-02-07
Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the add_customblock.php.
Max CVSS
8.8
EPSS Score
0.14%
Published
2024-02-05
Updated
2024-02-07
LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking on a link which automatically submits a request to setup.pl without the admin's consent. This request can be used to create a new user account with full application (/login.pl) privileges, leading to privilege escalation. The vulnerability is patched in versions 1.10.30 and 1.11.9.
Max CVSS
7.5
EPSS Score
0.06%
Published
2024-02-02
Updated
2024-02-10
Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks. Versions 2023.8.7 and 2023.10.7 fix the issue.
Max CVSS
8.8
EPSS Score
0.09%
Published
2024-01-30
Updated
2024-02-06
Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4, allows remote attackers to execute arbitrary code getCsrfToken function. NOTE: the vendor disputes this because the 5d88731 commit fixes a usability problem (HTTP 419 status codes for legitimate client activity), not a security problem.
Max CVSS
8.8
EPSS Score
0.15%
Published
2024-02-01
Updated
2024-03-21
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!