Search Results (10301 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-58469 1 Qnap 1 Qulog Center 2025-11-14 8.8 High
A cross-site request forgery (CSRF) vulnerability has been reported to affect QuLog Center. The remote attackers can then exploit the vulnerability to gain privileges or hijack user identities. We have already fixed the vulnerability in the following version: QuLog Center 1.8.2.927 ( 2025/09/17 ) and later
CVE-2025-30510 1 Growatt 1 Cloud Portal 2025-11-14 9.8 Critical
An attacker can upload an arbitrary file instead of a plant image.
CVE-2024-53829 1 Ericsson 1 Codechecker 2025-11-14 8.2 High
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Cross-site request forgery allows an unauthenticated attacker to hijack the authentication of a logged in user, and use the web API with the same permissions, including but not limited to adding, removing or editing products. The attacker needs to know the ID of the available products to modify or delete them. The attacker cannot directly exfiltrate data (view) from CodeChecker, due to being limited to form-based CSRF. This issue affects CodeChecker: through 6.24.4.
CVE-2023-7297 1 Reneade 1 Twitterposts 2025-11-13 3.5 Low
The TwitterPosts WordPress plugin through 1.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2025-5732 1 Carmelo 1 Traffic Offense Reporting System 2025-11-13 4.3 Medium
A vulnerability, which was classified as problematic, was found in code-projects Traffic Offense Reporting System 1.0. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-12444 4 Apple, Google, Linux and 1 more 4 Macos, Chrome, Linux Kernel and 1 more 2025-11-13 4.2 Medium
Incorrect security UI in Fullscreen UI in Google Chrome prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
CVE-2024-7697 2 Tecno, Transsion 2 Com.transsion.carlcare, Carlcare 2025-11-13 7.5 High
Logical vulnerability in the mobile application (com.transsion.carlcare) may lead to user information leakage risks.
CVE-2024-35475 1 Openkm 1 Openkm 2025-11-12 6.4 Medium
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in OpenKM Community Edition on or before version 6.3.12. The vulnerability exists in /admin/DatabaseQuery, which allows an attacker to manipulate a victim with administrative privileges to execute arbitrary SQL commands.
CVE-2025-62258 1 Liferay 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more 2025-11-10 6.5 Medium
CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the `endpoint` parameter.
CVE-2025-55155 1 Mantisbt 1 Mantisbt 2025-11-10 5.4 Medium
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, when a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user. This could result in storing an invalid email address, preventing the user from receiving system notifications. Notifications sent to another person's email address could lead to information disclosure. This issue is fixed in version 2.27.2.
CVE-2020-10181 1 Sumavision 2 Enhanced Multimedia Router, Enhanced Multimedia Router Firmware 2025-11-07 9.8 Critical
goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3.0.4.27 allows creation of arbitrary users with elevated privileges (administrator) on a device, as demonstrated by a setString=new_user<*1*>administrator<*1*>123456 request.
CVE-2025-12479 2 Azure-access, Azure Access Technology 6 Blu-ic2, Blu-ic2 Firmware, Blu-ic4 and 3 more 2025-11-07 8.8 High
Systemic Lack of Cross-Site Request Forgery (CSRF) Token Implementation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .
CVE-2025-12221 3 Azure-access, Azure Access Technology, Busybox 7 Blu-ic2, Blu-ic2 Firmware, Blu-ic4 and 4 more 2025-11-07 8.8 High
Busybox 1.31.1 - Multiple Known Vulnerabilities.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
CVE-2023-4959 1 Redhat 1 Quay 2025-11-07 6.5 Medium
A flaw was found in Quay. Cross-site request forgery (CSRF) attacks force a user to perform unwanted actions in an application. During the pentest, it was detected that the config-editor page is vulnerable to CSRF. The config-editor page is used to configure the Quay instance. By coercing the victim’s browser into sending an attacker-controlled request from another domain, it is possible to reconfigure the Quay instance (including adding users with admin privileges).
CVE-2025-7078 1 07fly 3 07fly-cms, 07flycms, Customer Relationship Management 2025-11-06 4.3 Medium
A vulnerability classified as problematic was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.3.9. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-64149 1 Jenkins 2 Jenkins, Publish To Bitbucket 2025-11-04 5.4 Medium
A cross-site request forgery (CSRF) vulnerability in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2025-64141 1 Jenkins 2 Jenkins, Nexus Task Runner 2025-11-04 4.3 Medium
A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
CVE-2025-64138 1 Jenkins 2 Jenkins, Start Windocks Container 2025-11-04 4.3 Medium
A cross-site request forgery (CSRF) vulnerability in Jenkins Start Windocks Containers Plugin 1.4 and earlier allows attackers to connect to an attacker-specified URL.
CVE-2025-64136 1 Jenkins 2 Jenkins, Themis 2025-11-04 4.3 Medium
A cross-site request forgery (CSRF) vulnerability in Jenkins Themis Plugin 1.4.1 and earlier allows attackers to connect to an attacker-specified HTTP server.
CVE-2025-47410 1 Apache 1 Geode 2025-11-04 8.8 High
Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tricked a user into giving up their Geode session credentials to submit malicious commands on the target system on behalf of the authenticated user. This issue affects Apache Geode: versions 1.10 through 1.15.1 Users are recommended to upgrade to version 1.15.2, which fixes the issue.