映射到 CWE-352 的搜索结果 (1263)
[原文]Cross Site Request Forgery (CSRF) exists in the Blacklist and Whitelist IP Wizard in init.php in the Loginizer plugin before 1.3.6 for WordPress because the HTTP Referer header is not checked.
[原文]A vulnerability in the Web UI Application of the Cisco Prime Collaboration Provisioning Tool through 12.2 could allow an unauthenticated, remote attacker to execute unwanted actions. The vulnerability is due to a lack of defense against cross-site request forgery (CSRF) attacks. An attacker could exploit this vulnerability by forcing the user's browser to perform any action authorized for that user. Cisco Bug IDs: CSCvc90280.
[原文]Cross-Site Request Forgery (CSRF) exists on Linksys EA4500 devices with Firmware Version before 126.96.36.199606, as demonstrated by a request to apply.cgi to disable SIP.
[原文]There is no CSRF mitigation in SLiMS 8 Akasia through 8.3.1. Also, an entire user profile (including the password) can be updated without sending the current password. This allows remote attackers to trick a user into changing to an attacker-controlled password, a complete account takeover, via the passwd1 and passwd2 fields in an admin/modules/system/app_user.php changecurrent=true operation.
[原文]An issue was discovered in SMA Solar Technology products. If a user simultaneously has Sunny Explorer running and visits a malicious host, cross-site request forgery can be used to change settings in the inverters (for example, issuing a POST request to change the user password). All Sunny Explorer settings available to the authenticated user are also available to the attacker. (In some cases, this also includes changing settings that the user has no access to.) This may result in complete compromise of the device.
[原文]SocuSoft Flash Slideshow Maker Professional through v5.20, when the advanced configuration is used, has an xml_path HTTP parameter that trusts user-supplied input, in conjunction with an unsafe XML configuration file. This has resultant content forgery, cross site scripting, and unvalidated redirection issues.