A CSRF vulnerability exists in GeoVision GV-ASManager web application version 6.1.1.0 or earlier, enabling attackers to create Admin accounts via a crafted GET request. This exploit is often combined with CVE-2024-56903 for a successful CSRF attack.
The PZ Frontend Manager WordPress Plugin version 1.0.5 and below is vulnerable to Cross Site Request Forgery (CSRF) attacks due to lack of CSRF checks in certain areas. This could allow malicious actors to manipulate logged in users into executing unintended actions.
The ABB Cylon Aspect 3.08.02 allows attackers to perform unauthorized actions with administrative privileges by sending malicious HTTP requests to the userManagement.php script. This vulnerability exists due to the lack of proper validation checks on incoming requests, enabling attackers to exploit the system through a logged-in user visiting a malicious website.
A CSRF vulnerability is found in the ABB Cylon FLXeon series. Exploitation is restricted due to the server's CORS configuration, which lacks Access-Control-Allow-Credentials. The exploit conditions include hosting the malicious page on the same domain, Man-in-the-Middle attacks, LAN access, subdomain hosting, and misconfigured CORS policies.
GestioIP v3.5.7 is vulnerable to CSRF attacks due to multiple endpoints. An attacker can trick an authenticated admin to visit a malicious URL, leading to unauthorized actions such as data modification, deletion, or exfiltration.
Blood Bank & Donor Management System version 2.4 is vulnerable to CSRF attacks due to the lack of CSRF tokens for essential functions like logout. By creating a malicious iframe with the logout URL, an attacker can deceive a user into clicking it, resulting in the user being logged out without their knowledge.
A CSRF vulnerability in ERPNext versions 14.82.1 and 14.74.3 allows attackers to manipulate the accounts of logged-in administrators without their consent. This can lead to unauthorized actions such as user deletion, role assignment, and account takeover through password changes.
The exploit allows an attacker to perform Cross Site Request Forgery (CSRF) on flatCore version 1.5. By tricking an authenticated user into visiting a malicious website, the attacker can upload files to the server due to lack of proper CSRF protection. This vulnerability has been assigned CVE-2019-13961.
A stored XSS vulnerability in Nagios Log Server 2024R1.3.1 allows a low-privileged user to inject malicious JavaScript into the 'email' field of their profile. When an administrator views the audit logs, the script executes, resulting in privilege escalation via unauthorized admin account creation. The vulnerability can be chained to achieve remote code execution (RCE) in certain configurations.
Casdoor version 1.901.0 and below has a Cross-Site Request Forgery (CSRF) vulnerability in the /api/set-password endpoint. This vulnerability allows attackers to change a victim user's password through a maliciously crafted URL.
Services By CQR