Search
Total
1927 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-18220 | 1 Sitemagic | 1 Sitemagic | 2019-10-24 | 6.8 MEDIUM | 8.8 HIGH |
| Sitemagic CMS 4.4.1 is affected by a Cross-Site-Request-Forgery (CSRF) issue as it doesn't implement any method to validate incoming requests, allowing the execution of critical functionalities via spoofed requests. This behavior could be abused by a remote unauthenticated attacker to trick Sitemagic users into performing unwarranted actions. | |||||
| CVE-2019-10471 | 1 Jenkins | 1 Libvirt Slaves | 2019-10-24 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins Libvirt Slaves Plugin allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2019-10464 | 1 Jenkins | 1 Deploy Weblogic | 2019-10-24 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins Deploy WebLogic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified path exists on the Jenkins master file system. | |||||
| CVE-2015-9498 | 1 Wpserveur | 1 Wps Hide Login | 2019-10-24 | 6.8 MEDIUM | 8.8 HIGH |
| The wps-hide-login plugin before 1.1 for WordPress has CSRF that affects saving an option value. | |||||
| CVE-2015-9497 | 1 Ad Inserter Project | 1 Ad Inserter | 2019-10-23 | 6.8 MEDIUM | 8.8 HIGH |
| The ad-inserter plugin before 1.5.3 for WordPress has CSRF with resultant XSS via wp-admin/options-general.php?page=ad-inserter.php. | |||||
| CVE-2019-10437 | 1 Jenkins | 1 Crx Content Package Deployer | 2019-10-23 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2019-17118 | 1 Wikidsystems | 1 2fa Enterprise Server | 2019-10-22 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF issue in WiKID 2FA Enterprise Server through 4.2.0-b2053 allows a remote attacker to trick an authenticated user into performing unintended actions such as (1) create or delete admin users; (2) create or delete groups; or (3) create, delete, enable, or disable normal users or devices. | |||||
| CVE-2019-17367 | 1 Openwrt | 1 Openwrt | 2019-10-22 | 6.8 MEDIUM | 8.8 HIGH |
| OpenWRT firmware version 18.06.4 is vulnerable to CSRF via wireless/radio0.network1, wireless/radio1.network1, firewall, firewall/zones, firewall/forwards, firewall/rules, network/wan, network/wan6, or network/lan under /cgi-bin/luci/admin/network/. | |||||
| CVE-2019-17676 | 1 Metinfo | 1 Metinfo | 2019-10-21 | 6.8 MEDIUM | 8.8 HIGH |
| app/system/admin/admin/index.class.php in MetInfo 7.0.0beta allows a CSRF attack to add a user account via a doSaveSetup action to admin/index.php, as demonstrated by an admin/?n=admin&c=index&a=doSaveSetup URI. | |||||
| CVE-2017-14683 | 1 Geminabox Project | 1 Geminabox | 2019-10-17 | 6.8 MEDIUM | 8.8 HIGH |
| geminabox (aka Gem in a Box) before 0.13.7 has CSRF, as demonstrated by an unintended gem upload. | |||||
| CVE-2018-20582 | 1 Gree | 1 Gree\+ | 2019-10-17 | 6.8 MEDIUM | 8.8 HIGH |
| The GREE+ (aka com.gree.greeplus) application 1.4.0.8 for Android suffers from Cross Site Request Forgery. | |||||
| CVE-2019-17593 | 1 Jizhicms | 1 Jizhicms | 2019-10-16 | 6.8 MEDIUM | 8.8 HIGH |
| JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator. | |||||
| CVE-2019-11077 | 1 Fastadmin | 1 Fastadmin | 2019-10-15 | 6.8 MEDIUM | 8.8 HIGH |
| FastAdmin V1.0.0.20190111_beta has a CSRF vulnerability to add a new admin user via the admin/auth/admin/add?dialog=1 URI. | |||||
| CVE-2019-13529 | 1 Sma | 2 Sunny Webbox, Sunny Webbox Firmware | 2019-10-15 | 6.8 MEDIUM | 8.8 HIGH |
| An attacker could send a malicious link to an authenticated operator, which may allow remote attackers to perform actions with the permissions of the user on the Sunny WebBox Firmware Version 1.6 and prior. This device uses IP addresses to maintain communication after a successful login, which would increase the ease of exploitation. | |||||
| CVE-2019-17386 | 1 Eleopard | 1 Animate It\! | 2019-10-15 | 6.8 MEDIUM | 8.8 HIGH |
| The animate-it plugin before 2.3.6 for WordPress has CSRF in edsanimate.php. | |||||
| CVE-2016-10874 | 1 Wpseeds | 1 Wp Database Backup | 2019-10-12 | 6.8 MEDIUM | 8.8 HIGH |
| The wp-database-backup plugin before 4.3.3 for WordPress has CSRF. | |||||
| CVE-2019-17431 | 1 Fastadmin | 1 Fastadmin | 2019-10-11 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in fastadmin 1.0.0.20190705_beta. There is a public/index.php/admin/auth/admin/add CSRF vulnerability. | |||||
| CVE-2015-9455 | 1 Incsub | 1 Buddypress-activity-plus | 2019-10-10 | 7.8 HIGH | 8.1 HIGH |
| The buddypress-activity-plus plugin before 1.6.2 for WordPress has CSRF with resultant directory traversal via the wp-admin/admin-ajax.php bpfb_photos[] parameter in a bpfb_remove_temp_images action. | |||||
| CVE-2019-17217 | 1 Vzug | 2 Combi-stream Mslq, Combi-stream Mslq Firmware | 2019-10-10 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. There is no CSRF protection established on the web service. | |||||
| CVE-2019-9882 | 1 Hgiga | 8 Msr35 Isherlock-base, Msr35 Isherlock-sysinfo, Msr35 Isherlock-user and 5 more | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| Multi modules of MailSherlock MSR35 and MSR45 lead to a CSRF vulnerability. It allows attacker to add malicious email sources into whitelist via user/save_list.php?ACSION=&type=email&category=white&locate=big5&cmd=add&new=hacker@socialengineering.com&new_memo=&add=%E6%96%B0%E5%A2%9E without any authorizes. | |||||
| CVE-2019-9883 | 1 Hgiga | 8 Msr35 Isherlock-base, Msr35 Isherlock-sysinfo, Msr35 Isherlock-user and 5 more | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| Multi modules of MailSherlock MSR35 and MSR45 lead to a CSRF vulnerability. It allows attacker to elevate privilege of specific account via useradmin/cf_new.cgi?chief=&wk_group=full&cf_name=test&cf_account=test&cf_email=&cf_acl=Management&apply_lang=&dn= without any authorizes. | |||||
| CVE-2019-5630 | 1 Rapid7 | 1 Nexpose | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using Flash to circumvent a cross-domain pre-flight OPTIONS request. | |||||
| CVE-2019-6166 | 1 Lenovo | 8 Ideacentre, Ideapad, Service Bridge and 5 more | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability reported in Lenovo Service Bridge before version 4.1.0.1 could allow cross-site request forgery. | |||||
| CVE-2019-6561 | 1 Moxa | 8 Eds-405a, Eds-405a Firmware, Eds-408a and 5 more | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery has been identified in Moxa IKS and EDS, which may allow for the execution of unauthorized actions on the device. | |||||
| CVE-2019-5430 | 1 Ui | 1 Unifi Video | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| In UniFi Video 3.10.0 and prior, due to the lack of CSRF protection, it is possible to abuse the Web API to make changes on the server configuration without the user consent, requiring the attacker to lure an authenticated user to access on attacker controlled page. | |||||
| CVE-2019-4212 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| IBM QRadar SIEM 7.2 and 7.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 159132. | |||||
| CVE-2019-4142 | 1 Ibm | 1 Cloud Private | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Cloud Private 2.1.0, 3.1.0, 3.1.1, and 3.1.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158338. | |||||
| CVE-2019-4117 | 1 Ibm | 1 Cloud Private | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Cloud Private 3.1.1 and 3.1.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158116. | |||||
| CVE-2019-3718 | 1 Dell | 1 Supportassist | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| Dell SupportAssist Client versions prior to 3.2.0.90 contain an improper origin validation vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability to attempt CSRF attacks on users of the impacted systems. | |||||
| CVE-2019-3410 | 1 Zte | 2 Wf820\+ Lte Outdoor Cpe, Wf820\+ Lte Outdoor Cpe Firmware | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| All versions up to UKBB_WF820+_1.0.0B06 of ZTE WF820+ LTE Outdoor CPE product are impacted by Cross-Site Request Forgery vulnerability,which stems from the fact that WEB applications do not adequately verify whether requests come from trusted users. An attacker can exploit this vulnerability to send unexpected requests to the server through the affected client. | |||||
| CVE-2019-3604 | 1 Mcafee | 1 Epolicy Orchestrator | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in McAfee ePO (legacy) Cloud allows unauthenticated users to perform unintended ePO actions using an authenticated user's session via unspecified vectors. | |||||
| CVE-2019-1764 | 1 Cisco | 8 Ip Conference Phone 8832, Ip Conference Phone 8832 Firmware, Ip Phone 8800 and 5 more | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading an authenticated user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on a targeted device via a web browser and with the privileges of the user. This vulnerability affects Cisco IP Phone 8800 Series products running a SIP Software release prior to 11.0(5) for Wireless IP Phone 8821 and 8821-EX; and 12.5(1)SR1 for the IP Conference Phone 8832 and the rest of the IP Phone 8800 Series. Cisco IP Conference Phone 8831 is not affected. | |||||
| CVE-2019-1958 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based management interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. | |||||
| CVE-2019-1881 | 1 Cisco | 1 Industrial Network Director | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to use a web browser and the privileges of the user to perform arbitrary actions on an affected device. For more information about CSRF attacks and potential mitigations, see Understanding Cross-Site Request Forgery Threat Vectors. | |||||
| CVE-2019-1658 | 1 Cisco | 1 Unified Intelligence Center | 2019-10-09 | 4.3 MEDIUM | 7.4 HIGH |
| A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections in the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious, customized link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device via a web browser and with the privileges of the user. | |||||
| CVE-2019-1632 | 1 Cisco | 2 Integrated Management Controller, Unified Computing System | 2019-10-09 | 6.0 MEDIUM | 8.0 HIGH |
| A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected device. An attacker could exploit this vulnerability by persuading a user to follow a malicious link. A successful exploit could allow the attacker to use a web browser and the privileges of the user to perform arbitrary actions on the affected device. | |||||
| CVE-2019-13516 | 1 Osisoft | 1 Pi Web Api | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| In OSIsoft PI Web API and prior, the affected product is vulnerable to a direct attack due to a cross-site request forgery protection setting that has not taken effect. | |||||
| CVE-2019-13071 | 1 Cyberpowersystems | 1 Powerpanel | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows an attacker to submit POST requests to any forms in the web application. This can be exploited by tricking an authenticated user into visiting an attacker controlled web page. | |||||
| CVE-2019-12624 | 1 Cisco | 19 5760 Wireless Lan Controller, Catalyst 3650-12x48uq, Catalyst 3650-12x48ur and 16 more | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based management interface of Cisco IOS XE New Generation Wireless Controller (NGWC) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected device by using a web browser and with the privileges of the user. | |||||
| CVE-2019-11207 | 1 Tibco | 42 Loglogic Enterprise Virtual Appliance, Loglogic Log Management Intelligence, Loglogic Lx1025 and 39 more | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| The web server component of TIBCO Software Inc.'s TIBCO LogLogic Enterprise Virtual Appliance, and TIBCO LogLogic Log Management Intelligence contains multiple vulnerabilities that theoretically allow persistent and reflected cross-site scripting (XSS) attacks, as well as cross-site request forgery (CSRF) attacks. This issue affects: TIBCO Software Inc. TIBCO LogLogic Enterprise Virtual Appliance version 6.2.1 and prior versions. TIBCO Software Inc. TIBCO LogLogic Log Management Intelligence 6.2.1. TIBCO LogLogic LX825 Appliance 0.0.004, TIBCO LogLogic LX1025 Appliance 0.0.004, TIBCO LogLogic LX4025 Appliance 0.0.004, TIBCO LogLogic MX3025 Appliance 0.0.004, TIBCO LogLogic MX4025 Appliance 0.0.004, TIBCO LogLogic ST1025 Appliance 0.0.004, TIBCO LogLogic ST2025-SAN Appliance 0.0.004, and TIBCO LogLogic ST4025 Appliance 0.0.004 using TIBCO LogLogic Log Management Intelligence versions 6.2.1 and below. TIBCO LogLogic LX1035 Appliance 0.0.005, TIBCO LogLogic LX1025R1 Appliance 0.0.004, TIBCO LogLogic LX1025R2 Appliance 0.0.004, TIBCO LogLogic LX4025R1 Appliance 0.0.004, TIBCO LogLogic LX4025R2 Appliance 0.0.004, TIBCO LogLogic LX4035 Appliance 0.0.005, TIBCO LogLogic ST2025-SANR1 Appliance 0.0.004, TIBCO LogLogic ST2025-SANR2 Appliance 0.0.004, TIBCO LogLogic ST2035-SAN Appliance 0.0.005, TIBCO LogLogic ST4025R1 Appliance 0.0.004, TIBCO LogLogic ST4025R2 Appliance 0.0.004, and TIBCO LogLogic ST4035 Appliance 0.0.005 using TIBCO LogLogic Log Management Intelligence versions 6.2.1 and below. | |||||
| CVE-2019-11457 | 1 Micropyramid | 1 Django Crm | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple CSRF issues exist in MicroPyramid Django CRM 0.2.1 via /change-password-by-admin/, /api/settings/add/, /cases/create/, /change-password-by-admin/, /comment/add/, /documents/1/view/, /documents/create/, /opportunities/create/, and /login/. | |||||
| CVE-2019-1003016 | 1 Jenkins | 1 Job Import | 2019-10-09 | 4.3 MEDIUM | 8.8 HIGH |
| An exposure of sensitive information vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/JobImportAction.java, src/main/java/org/jenkins/ci/plugins/jobimport/JobImportGlobalConfig.java, src/main/java/org/jenkins/ci/plugins/jobimport/model/JenkinsSite.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2019-10386 | 1 Jenkins | 1 Xl Testview | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2019-10340 | 1 Jenkins | 1 Docker | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2019-1003008 | 1 Jenkins | 1 Warnings Next Generation | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability exists in Jenkins Warnings Next Generation Plugin 2.1.1 and earlier in src/main/java/io/jenkins/plugins/analysis/warnings/groovy/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint. | |||||
| CVE-2019-1003007 | 1 Jenkins | 1 Warnings | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability exists in Jenkins Warnings Plugin 5.0.0 and earlier in src/main/java/hudson/plugins/warnings/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint. | |||||
| CVE-2019-10368 | 1 Jenkins | 1 Jclouds | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2018-8925 | 1 Synology | 1 Photo Station | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in admin/user.php in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote attackers to hijack the authentication of administrators via the (1) username, (2) password, (3) admin, (4) action, (5) uid, or (6) modify_admin parameter. | |||||
| CVE-2018-7677 | 1 Netiq | 1 Access Manager | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF exposure exists in NetIQ Access Manager (NAM) 4.4 Identity Server component. | |||||
| CVE-2018-7524 | 1 Geutebrueck | 4 G-cam\/efd-2250, G-cam\/efd-2250 Firmware, Topfd-2125 and 1 more | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which may allow an unauthorized user to be added to the system. | |||||