Search
Total
1927 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-12851 | 1 Jetbrains | 1 Youtrack | 2019-07-10 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49852. | |||||
| CVE-2018-11427 | 1 Moxa | 4 Oncell G3150-hspa, Oncell G3150-hspa-t, Oncell G3150-hspa-t Firmware and 1 more | 2019-07-10 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF tokens are not used in the web application of Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior, which makes it possible to perform CSRF attacks on the device administrator. | |||||
| CVE-2019-13401 | 1 Fortinet | 2 Fcm-mb40, Fcm-mb40 Firmware | 2019-07-09 | 6.8 MEDIUM | 8.8 HIGH |
| Dynacolor FCM-MB40 v1.2.0.0 devices have CSRF in all scripts under cgi-bin/. | |||||
| CVE-2019-13370 | 1 Ignitedcms Project | 1 Ignitedcms | 2019-07-09 | 6.8 MEDIUM | 8.8 HIGH |
| index.php/admin/permissions in Ignited CMS through 2017-02-19 allows CSRF to add an administrator. | |||||
| CVE-2019-13183 | 1 Flarum | 1 Flarum | 2019-07-09 | 6.8 MEDIUM | 8.8 HIGH |
| Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings. | |||||
| CVE-2019-5971 | 1 Sukimalab | 1 Attendance Manager | 2019-07-09 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Attendance Manager 0.5.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2019-5968 | 1 Weseek | 1 Growi | 2019-07-09 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authentication of administrators via updating user's 'Basic Info'. | |||||
| CVE-2019-5984 | 1 Waspthemes | 1 Custom Css Pro | 2019-07-09 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Custom CSS Pro 1.0.3 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2019-5983 | 1 Fla-shop | 1 Html5 Maps | 2019-07-09 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in HTML5 Maps 1.6.5.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2019-5960 | 1 Custom4web | 1 Wp Open Graph | 2019-07-08 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in WP Open Graph 1.6.1 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2018-10986 | 1 Open-xchange | 1 Ox Guard | 2019-07-05 | 6.8 MEDIUM | 8.8 HIGH |
| OX Guard 2.8.0 has CSRF. | |||||
| CVE-2019-9958 | 1 Quadbase | 1 Espressreport Enterprise Server | 2019-07-03 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF within the admin panel in Quadbase EspressReport ES (ERES) v7.0 update 7 allows remote attackers to escalate privileges, or create new admin accounts by crafting a malicious web page that issues specific requests, using a target admin's session to process their requests. | |||||
| CVE-2019-13056 | 1 Cyberpanel | 1 Cyberpanel | 2019-07-03 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in CyberPanel through 1.8.4. On the user edit page, an attacker can edit the administrator's e-mail and password because of the lack of CSRF protection. | |||||
| CVE-2018-1858 | 1 Ibm | 1 Api Connect | 2019-06-27 | 6.8 MEDIUM | 8.8 HIGH |
| IBM API Connect 5.0.0.0 through 5.0.8.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 151256. | |||||
| CVE-2019-12836 | 1 Bobronix | 1 Jeditor | 2019-06-25 | 6.8 MEDIUM | 8.8 HIGH |
| The Bobronix JEditor editor before 3.0.6 for Jira allows an attacker to add a URL/Link (to an existing issue) that can cause forgery of a request to an out-of-origin domain. This in turn may allow for a forged request that can be invoked in the context of an authenticated user, leading to stealing of session tokens and account takeover. | |||||
| CVE-2019-1874 | 1 Cisco | 1 Prime Service Catalog | 2019-06-24 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based management interface of Cisco Prime Service Catalog Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protection mechanisms on the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. | |||||
| CVE-2018-17387 | 1 Ranksol | 1 Nimble Professional | 2019-06-21 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF exists in Nimble Messaging Bulk SMS Marketing Application 1.0 for adding an admin account. | |||||
| CVE-2017-8328 | 1 Securifi | 6 Almond, Almond\+, Almond\+firmware and 3 more | 2019-06-21 | 9.3 HIGH | 8.8 HIGH |
| An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does not implement any cross site request forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface to change a user's password. Also this is a systemic issue. | |||||
| CVE-2017-8334 | 1 Securifi | 6 Almond, Almond\+, Almond\+firmware and 3 more | 2019-06-21 | 6.0 MEDIUM | 8.0 HIGH |
| An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of blocking IP addresses using the web management interface. It seems that the device does not implement any cross-site scripting forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface into executing a cross-site scripting payload on the user's browser and execute any action on the device provided by the web management interface. | |||||
| CVE-2017-9381 | 1 Getvera | 4 Veraedge, Veraedge Firmware, Veralite and 1 more | 2019-06-20 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a user with the capability of installing or deleting apps on the device using the web management interface. It seems that the device does not implement any cross-site request forgery protection mechanism which allows an attacker to trick a user who navigates to an attacker controlled page to install or delete an application on the device. Note: The cross-site request forgery is a systemic issue across all other functionalities of the device. | |||||
| CVE-2018-17389 | 1 Ranksol | 1 Live Call Support | 2019-06-20 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF exists in server.php in Live Call Support Application 1.5 for adding an admin account. | |||||
| CVE-2018-18802 | 1 Tubigan | 1 Welcome To Our Resort | 2019-06-18 | 6.8 MEDIUM | 8.8 HIGH |
| The Tubigan "Welcome to our Resort" 1.0 software allows CSRF via admin/mod_users/controller.php?action=edit. | |||||
| CVE-2019-6325 | 1 Hp | 20 T6b80a, T6b80a Firmware, T6b81a and 17 more | 2019-06-18 | 6.8 MEDIUM | 8.8 HIGH |
| HP Color LaserJet Pro M280-M281 Multifunction Printer series (before v. 20190419), HP LaserJet Pro MFP M28-M31 Printer series (before v. 20190426) may have an embedded web server that is potentially vulnerable to Cross-site Request Forgery. | |||||
| CVE-2019-10338 | 1 Jenkins | 1 Jx Resources | 2019-06-13 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed attackers to have Jenkins connect to an attacker-specified Kubernetes server, potentially leaking credentials. | |||||
| CVE-2018-10696 | 1 Moxa | 2 Awk-3121, Awk-3121 Firmware | 2019-06-11 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on Moxa AWK-3121 1.14 devices. The device provides a web interface to allow an administrator to manage the device. However, this interface is not protected against CSRF attacks, which allows an attacker to trick an administrator into executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and forms/webSetMainRestart URIs. | |||||
| CVE-2018-8817 | 1 Wampserver | 1 Wampserver | 2019-06-10 | 6.8 MEDIUM | 8.8 HIGH |
| Wampserver before 3.1.3 has CSRF in add_vhost.php. | |||||
| CVE-2018-1000206 | 1 Jfrog | 1 Artifactory | 2019-06-03 | 6.8 MEDIUM | 8.8 HIGH |
| JFrog Artifactory version since 5.11 contains a Cross ite Request Forgery (CSRF) vulnerability in UI rest endpoints that can result in Classic CSRF attack allowing an attacker to perform actions as logged in user. This attack appear to be exploitable via The victim must run maliciously crafted flash component. This vulnerability appears to have been fixed in 6.1. | |||||
| CVE-2018-16218 | 1 Yealink | 2 Ultra-elegant Ip Phone Sip-t41p, Ultra-elegant Ip Phone Sip-t41p Firmware | 2019-05-31 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF (Cross Site Request Forgery) in the web interface of the Yeahlink Ultra-elegant IP Phone SIP-T41P firmware version 66.83.0.35 allows a remote attacker to trigger code execution or settings modification on the device by providing a crafted link to the victim. | |||||
| CVE-2019-12502 | 1 Mobotix | 2 S14, S14 Firmware | 2019-05-31 | 9.3 HIGH | 8.8 HIGH |
| There is a lack of CSRF countermeasures on MOBOTIX S14 MX-V4.2.1.61 cameras, as demonstrated by adding an admin account via the /admin/access URI. | |||||
| CVE-2017-1000479 | 2 Netgate, Opnsense Project | 2 Pfsense, Opnsense | 2019-05-30 | 6.8 MEDIUM | 8.8 HIGH |
| pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged execution of arbitrary code, because the error detection occurs before an X-Frame-Options header is set. This is fixed in 2.4.2-RELEASE. OPNsense, a 2015 fork of pfSense, was not vulnerable since version 16.1.16 released on June 06, 2016. The unprotected web form was removed from the code during an internal security audit under "possibly insecure" suspicions. | |||||
| CVE-2016-10757 | 1 Readaxo | 1 Readaxo | 2019-05-28 | 6.8 MEDIUM | 8.8 HIGH |
| In Redaxo 5.2.0, the cron management of the admin panel suffers from CSRF that leads to arbitrary Remote Code Execution via addons/cronjob/lib/types/phpcode.php. | |||||
| CVE-2018-7828 | 1 Schneider-electric | 118 D6220, D6220 Firmware, D6220l and 115 more | 2019-05-28 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability exists in the 1st Gen. Pelco Sarix Enhanced Camera and Spectra Enhanced PTZ Camera when an authenticated user clicks a specially crafted malicious link while logged into the camera. | |||||
| CVE-2016-10756 | 1 Kliqqi | 1 Kliqqi Cms | 2019-05-28 | 6.8 MEDIUM | 8.8 HIGH |
| Kliqqi 3.0.0.5 allows CSRF with resultant Arbitrary File Upload because module.php?module=upload can be used to configure the uploading of .php files, and then modules/upload/upload_main.php can be used for the upload itself. | |||||
| CVE-2017-1000244 | 1 Jenkins | 1 Favorite | 2019-05-22 | 6.8 MEDIUM | 8.8 HIGH |
| Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF resulting in data modification | |||||
| CVE-2018-16136 | 1 Ipbrick | 1 Ipbrick Os | 2019-05-16 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in the administrator interface in IPBRICK OS 6.3. The application doesn't check for Anti-CSRF tokens, allowing the submission of multiple forms unwillingly by a victim. | |||||
| CVE-2018-18696 | 1 Microstrategy | 1 Microstrategy | 2019-05-15 | 6.8 MEDIUM | 8.8 HIGH |
| ** DISPUTED ** main.aspx in Microstrategy Analytics 10.4.0026.0049 and earlier has CSRF. NOTE: The vendor claims that documentation for preventing a CSRF attack has been provided (https://community.microstrategy.com/s/article/KB37643-New-security-feature-introduced-in-MicroStrategy-Web-9-0?language=en_US) and disagrees that this issue is a vulnerability. They also claim that MicroStrategy was never properly informed of this issue via normal support channels or their vulnerability reporting page on their website, so they were unable to evaluate the report or explain how this is something their customers view as a feature and not a security vulnerability. | |||||
| CVE-2019-11886 | 1 Yellowpencil | 1 Visual Css Style Editor | 2019-05-15 | 6.8 MEDIUM | 8.8 HIGH |
| The WaspThemes Visual CSS Style Editor (aka yellow-pencil-visual-theme-customizer) plugin before 7.2.1 for WordPress allows yp_option_update CSRF, as demonstrated by use of yp_remote_get to obtain admin access. | |||||
| CVE-2017-12789 | 1 Metinfo | 1 Metinfo | 2019-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| Metinfo 5.3.18 is affected by: Cross Site Request Forgery (CSRF). The impact is: Information Disclosure (remote). The component is: admin/interface/online/delete.php. The attack vector is: The administrator clicks on the malicious link in the login state. | |||||
| CVE-2017-1000504 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 6.8 MEDIUM | 8.1 HIGH |
| A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective. | |||||
| CVE-2019-7746 | 1 Jio | 2 Jmr1140, Jmr1140 Firmware | 2019-05-08 | 4.3 MEDIUM | 8.1 HIGH |
| JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain an admin token by making a /cgi-bin/qcmap_auth type=getuser request and then reading the token field. This token value can then be used to change the Wi-Fi password or perform a factory reset. | |||||
| CVE-2018-5123 | 1 Mozilla | 1 Bugzilla | 2019-05-08 | 6.8 MEDIUM | 8.8 HIGH |
| A third party website can access information available to a user with access to a restricted bug entry using the image generation in report.cgi in all Bugzilla versions prior to 4.4. | |||||
| CVE-2018-4066 | 1 Sierrawireless | 2 Airlink Es450, Airlink Es450 Firmware | 2019-05-07 | 6.8 MEDIUM | 8.8 HIGH |
| An exploitable cross-site request forgery vulnerability exists in the ACEManager functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an authenticated user to perform privileged requests unknowingly, resulting in unauthenticated requests being requested through an authenticated user. An attacker can get an authenticated user to request authenticated pages on the attacker's behalf to trigger this vulnerability. | |||||
| CVE-2019-11569 | 1 Veeam | 1 One Reporter | 2019-05-07 | 6.8 MEDIUM | 8.8 HIGH |
| Veeam ONE Reporter 9.5.0.3201 allows CSRF. | |||||
| CVE-2019-10310 | 1 Jenkins | 1 Ansible Tower | 2019-05-06 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins | |||||
| CVE-2019-10300 | 1 Jenkins | 1 Gitlab | 2019-05-06 | 3.5 LOW | 8.0 HIGH |
| A cross-site request forgery vulnerability in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2019-1857 | 1 Cisco | 28 Hx220c Af M5, Hx220c Af M5 Firmware, Hx220c All Nvme M5 and 25 more | 2019-05-06 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based management interface of Cisco HyperFlex HX-Series could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system by using a web browser and with the privileges of the user. | |||||
| CVE-2019-10315 | 1 Jenkins | 1 Github Authentication | 2019-05-06 | 6.8 MEDIUM | 8.8 HIGH |
| Jenkins GitHub Authentication Plugin 0.31 and earlier did not use the state parameter of OAuth to prevent CSRF. | |||||
| CVE-2018-1098 | 2 Fedoraproject, Redhat | 2 Fedora, Etcd | 2019-05-06 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send. | |||||
| CVE-2019-11416 | 1 Intelbras | 2 Iwr 3000n, Iwr 3000n Firmware | 2019-05-06 | 9.3 HIGH | 8.8 HIGH |
| A CSRF issue was discovered on Intelbras IWR 3000N 1.5.0 devices, leading to complete control of the router, as demonstrated by v1/system/user. | |||||
| CVE-2017-12970 | 1 Apache2triad | 1 Apache2triad | 2019-05-03 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack the authentication of authenticated users for requests that (1) add or (2) delete user accounts via a request to phpsftpd/users.php. | |||||