CVE-2022-2987

HIGH Year: 2022
CVSS v3 Score
7.5
High
Weakness Type
CWE-352
View all →

Vulnerability Description

The Ldap WP Login / Active Directory Integration WordPress plugin before 3.0.2 does not have any authorisation and CSRF checks when updating it's settings (which are hooked to the init action), allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticated users, therefore bypassing the current authentication

Related Vulnerabilities

CVE-2015-7936

HIGH
CVSS:7.5(High)

Cross-site request forgery (CSRF) vulnerability in Motorola Solutions MOSCAD IP Gateway allows remote attackers to hijack the authentication of administrators for requests that modify a password.

CWE-3522015

CVE-2016-1139

HIGH
CVSS:7.5(High)

Cross-site request forgery (CSRF) vulnerability on KDDI HOME SPOT CUBE devices before 2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CWE-3522016

CVE-2016-8718

HIGH
CVSS:7.5(High)

An exploitable Cross-Site Request Forgery vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted form can trick a c...

CWE-3522016

CVE-2017-1000092

HIGH
CVSS:7.5(High)

Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a de...

CWE-3522017

CVE-2017-12415

HIGH
CVSS:7.5(High)

OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.1...

CWE-3522017

CVE-2017-12439

HIGH
CVSS:7.5(High)

SocuSoft Flash Slideshow Maker Professional through v5.20, when the advanced configuration is used, has an xml_path HTTP parameter that trusts user-supplied input, in conjunction with an unsafe XML co...

CWE-3522017