Search
Total
1927 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-14930 | 1 Polarisft | 1 Intellect Core Banking | 2019-05-03 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in the Armor module in Polaris FT Intellect Core Banking 9.7.1. CSRF can occur via a /CollatWebApp/gcmsRefInsert?name=SUPP URI. | |||||
| CVE-2019-11617 | 1 Doorgets | 1 Doorgets Cms | 2019-05-01 | 6.8 MEDIUM | 8.8 HIGH |
| doorGets 7.0 has a CSRF vulnerability in /doorgets/app/requests/user/configurationRequest.php. A remote attacker can exploit this vulnerability for "Google Analytics code" modification. | |||||
| CVE-2018-15206 | 1 Bpcbt | 1 Smartvista | 2019-05-01 | 6.8 MEDIUM | 8.8 HIGH |
| BPC SmartVista 2 has CSRF via SVFE2/pages/admpages/roles/createrole.jsf. | |||||
| CVE-2017-1000499 | 1 Phpmyadmin | 1 Phpmyadmin | 2019-04-30 | 6.8 MEDIUM | 8.8 HIGH |
| phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a CSRF weakness. By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc. | |||||
| CVE-2017-18042 | 1 Atlassian | 1 Bamboo | 2019-04-29 | 6.8 MEDIUM | 8.8 HIGH |
| The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability. | |||||
| CVE-2019-11456 | 1 Gilacms | 1 Gila Cms | 2019-04-26 | 6.8 MEDIUM | 8.8 HIGH |
| Gila CMS 1.10.1 allows fm/save CSRF for executing arbitrary PHP code. | |||||
| CVE-2019-11374 | 1 74cms | 1 74cms | 2019-04-26 | 6.8 MEDIUM | 8.8 HIGH |
| 74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI. | |||||
| CVE-2016-5758 | 1 Netiq | 1 Access Manager | 2019-04-23 | 6.8 MEDIUM | 8.8 HIGH |
| A cross site request forgery protection mechanism in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be circumvented by repeated uploads causing a high load. | |||||
| CVE-2017-9963 | 1 Schneider-electric | 1 Powerscada Anywhere | 2019-04-23 | 5.8 MEDIUM | 8.1 HIGH |
| A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type of attack requires some level of social engineering in order to get a legitimate user to click on or access a malicious link/site containing the CSRF attack. | |||||
| CVE-2018-19969 | 1 Phpmyadmin | 1 Phpmyadmin | 2019-04-22 | 6.8 MEDIUM | 8.8 HIGH |
| phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc. | |||||
| CVE-2019-10642 | 1 Contao | 1 Contao Cms | 2019-04-18 | 6.8 MEDIUM | 8.8 HIGH |
| Contao 4.7 allows CSRF. | |||||
| CVE-2016-8201 | 1 Brocade | 1 Virtual Traffic Manager | 2019-04-17 | 6.0 MEDIUM | 8.0 HIGH |
| A CSRF vulnerability in Brocade Virtual Traffic Manager versions released prior to and including 11.0 could allow an attacker to trick a logged-in user into making administrative changes on the traffic manager cluster. | |||||
| CVE-2018-16365 | 1 Idreamsoft | 1 Icms | 2019-04-16 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in idreamsoft iCMS V7.0.10. admincp.php?app=group&do=save allows CSRF. | |||||
| CVE-2016-4469 | 1 Apache | 1 Archiva | 2019-04-16 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Apache Archiva 1.3.9 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add new repository proxy connectors via the token parameter to admin/addProxyConnector_commit.action, (2) new repositories via the token parameter to admin/addRepository_commit.action, (3) edit existing repositories via the token parameter to admin/editRepository_commit.action, (4) add legacy artifact paths via the token parameter to admin/addLegacyArtifactPath_commit.action, (5) change the organizational appearance via the token parameter to admin/saveAppearance.action, or (6) upload new artifacts via the token parameter to upload_submit.action. | |||||
| CVE-2017-5657 | 1 Apache | 1 Archiva | 2019-04-16 | 6.0 MEDIUM | 8.0 HIGH |
| Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site, may send an HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. administrator rights). | |||||
| CVE-2018-16366 | 1 Idreamsoft | 1 Icms | 2019-04-16 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in idreamsoft iCMS V7.0.10. admincp.php?app=user&do=save allows CSRF. | |||||
| CVE-2018-1999027 | 1 Jenkins | 1 Saltstack | 2019-04-16 | 6.8 MEDIUM | 7.5 HIGH |
| An exposure of sensitive information vulnerability exists in Jenkins SaltStack Plugin 3.1.6 and earlier in SaltAPIBuilder.java, SaltAPIStep.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins. | |||||
| CVE-2017-18366 | 1 Intelliants | 1 Subrion Cms | 2019-04-15 | 6.8 MEDIUM | 8.8 HIGH |
| Subrion CMS 4.1.5 has CSRF in blog/delete/. | |||||
| CVE-2019-0229 | 1 Apache | 1 Airflow | 2019-04-11 | 6.8 MEDIUM | 8.8 HIGH |
| A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks. | |||||
| CVE-2019-11078 | 1 Mkcms Project | 1 Mkcms | 2019-04-11 | 6.8 MEDIUM | 8.8 HIGH |
| MKCMS V5.0 has a CSRF vulnerability to add a new admin user via the ucenter/userinfo.php URI. | |||||
| CVE-2019-10888 | 1 Ukcms | 1 Ukcms | 2019-04-07 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF Issue that can add an admin user was discovered in UKcms v1.1.10 via admin.php/admin/role/add.html. | |||||
| CVE-2014-7198 | 1 Openmicroscopy | 1 Omero | 2019-04-01 | 6.8 MEDIUM | 8.8 HIGH |
| OMERO before 5.0.6 has multiple CSRF vulnerabilities because the framework for OMERO's web interface lacks CSRF protection. | |||||
| CVE-2019-10644 | 1 Hyphp | 1 Hybbs | 2019-04-01 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in HYBBS 2.2. /?admin/user.html has a CSRF vulnerability that can add an administrator account. | |||||
| CVE-2019-9604 | 1 Online Lottery Php Readymade Script Project | 1 Online Lottery Php Readymade Script | 2019-04-01 | 6.8 MEDIUM | 8.8 HIGH |
| PHP Scripts Mall Online Lottery PHP Readymade Script 1.7.0 has Cross-Site Request Forgery (CSRF) for Edit Profile actions. | |||||
| CVE-2019-9787 | 1 Wordpress | 1 Wordpress | 2019-03-31 | 6.8 MEDIUM | 8.8 HIGH |
| WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php. | |||||
| CVE-2018-11406 | 2 Debian, Sensiolabs | 2 Debian Linux, Symfony | 2019-03-29 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation. | |||||
| CVE-2019-7391 | 1 Zyxel | 4 Dsl-491hnu-b10b, Dsl-491hnu-b10b Firmware, Dsl-491hnu-b1b V2 and 1 more | 2019-03-29 | 6.8 MEDIUM | 8.8 HIGH |
| ZyXEL VMG3312-B10B DSL-491HNU-B1B v2 devices allow login/login-page.cgi CSRF. | |||||
| CVE-2019-10237 | 1 S-cms | 1 S-cms | 2019-03-28 | 6.8 MEDIUM | 8.8 HIGH |
| S-CMS PHP v1.0 has a CSRF vulnerability to add a new admin user via the 4.edu.php/admin/ajax.php?type=admin&action=add&lang=0 URI, a related issue to CVE-2019-9040. | |||||
| CVE-2018-14575 | 1 Mybb | 1 Trash Bin | 2019-03-26 | 6.8 MEDIUM | 8.8 HIGH |
| Trash Bin plugin 1.1.3 for MyBB has cross-site scripting (XSS) via a thread subject and a cross-site request forgery (CSRF) via a post subject. | |||||
| CVE-2018-20641 | 1 Entrepreneur Job Portal Script Project | 1 Entrepreneur Job Portal Script | 2019-03-25 | 6.8 MEDIUM | 8.8 HIGH |
| PHP Scripts Mall Entrepreneur Job Portal Script 3.0.1 has Cross-Site Request Forgery (CSRF) via the Edit Profile feature. | |||||
| CVE-2018-20644 | 1 Basic B2b Script Project | 1 Basic B2b Script | 2019-03-25 | 6.8 MEDIUM | 8.8 HIGH |
| PHP Scripts Mall Basic B2B Script 2.0.9 has Cross-Site Request Forgery (CSRF) via the Edit profile feature. | |||||
| CVE-2019-7433 | 1 Rental Bike Script Project | 1 Rental Bike Script | 2019-03-22 | 6.8 MEDIUM | 8.8 HIGH |
| PHP Scripts Mall Rental Bike Script 2.0.3 has Cross-Site Request Forgery (CSRF) via the Edit Profile feature. | |||||
| CVE-2018-20648 | 1 Car Rental Script Project | 1 Car Rental Script | 2019-03-22 | 6.8 MEDIUM | 8.8 HIGH |
| PHP Scripts Mall Car Rental Script 2.0.8 has Cross-Site Request Forgery (CSRF) via accountedit.php. | |||||
| CVE-2019-6967 | 1 Airties | 2 Air 5341, Air 5341 Firmware | 2019-03-22 | 6.8 MEDIUM | 8.8 HIGH |
| AirTies Air5341 1.0.0.12 devices allow cgi-bin/login CSRF. | |||||
| CVE-2018-20633 | 1 Advance B2b Script Project | 1 Advance B2b Script | 2019-03-21 | 6.8 MEDIUM | 8.8 HIGH |
| PHP Scripts Mall Advance B2B Script 2.1.4 has Cross-Site Request Forgery (CSRF) via the Edit Profile feature. | |||||
| CVE-2018-20231 | 1 Simbahosting | 1 Two-factor-authentication | 2019-03-15 | 6.8 MEDIUM | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) in the two-factor-authentication plugin before 1.3.13 for WordPress allows remote attackers to disable 2FA via the tfa_enable_tfa parameter due to missing nonce validation. | |||||
| CVE-2017-9064 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-15 | 6.8 MEDIUM | 8.8 HIGH |
| In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials. | |||||
| CVE-2019-5920 | 1 Ncrafts | 1 Formcraft | 2019-03-14 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in FormCraft 1.2.1 and earlier allows remote attackers to hijack the authentication of administrators via a specially crafted page. | |||||
| CVE-2017-15730 | 1 Phpmyfaq | 1 Phpmyfaq | 2019-03-14 | 6.8 MEDIUM | 8.8 HIGH |
| In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. | |||||
| CVE-2019-9769 | 1 Kartatopia | 1 Piluscart | 2019-03-14 | 6.8 MEDIUM | 8.8 HIGH |
| PilusCart 1.4.1 is vulnerable to index.php?module=users&action=newUser CSRF, leading to the addition of a new user as administrator. | |||||
| CVE-2017-6081 | 1 Zammad | 1 Zammad | 2019-03-14 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid session cookie. | |||||
| CVE-2015-4593 | 1 Eclinicalworks | 1 Population Health | 2019-03-14 | 6.8 MEDIUM | 8.8 HIGH |
| eClinicalWorks Population Health (CCMR) suffers from a cross-site request forgery (CSRF) vulnerability in portalUserService.jsp which allows remote attackers to hijack the authentication of content administrators for requests that could lead to the creation, modification and deletion of users, appointments and employees. | |||||
| CVE-2017-6069 | 1 Intelliants | 1 Subrion Cms | 2019-03-13 | 6.8 MEDIUM | 8.8 HIGH |
| Subrion CMS 4.0.5 has CSRF in admin/blog/add/. The attacker can add any tag, and can optionally insert XSS via the tags parameter. | |||||
| CVE-2017-6066 | 1 Intelliants | 1 Subrion Cms | 2019-03-13 | 6.8 MEDIUM | 8.8 HIGH |
| Subrion CMS 4.0.5 has CSRF in admin/languages/edit/1/. The attacker can perform any Edit Language action, and can optionally insert XSS via the title parameter. | |||||
| CVE-2017-6068 | 1 Intelliants | 1 Subrion Cms | 2019-03-13 | 6.8 MEDIUM | 8.8 HIGH |
| Subrion CMS 4.0.5 has CSRF in admin/blocks/add/. The attacker can create any block, and can optionally insert XSS via the content parameter. | |||||
| CVE-2019-9625 | 1 Directadmin | 1 Directadmin | 2019-03-12 | 6.8 MEDIUM | 8.8 HIGH |
| JBMC DirectAdmin 1.55 allows CSRF via the /CMD_ACCOUNT_ADMIN URI to create a new admin account. | |||||
| CVE-2019-9688 | 1 Sftnow | 1 Sftnow | 2019-03-11 | 6.8 MEDIUM | 8.8 HIGH |
| sftnow through 2018-12-29 allows index.php?g=Admin&m=User&a=add_post CSRF to add an admin account. | |||||
| CVE-2019-9652 | 1 Sdcms | 1 Sdcms | 2019-03-11 | 6.8 MEDIUM | 8.8 HIGH |
| There is a CSRF in SDCMS V1.7 via an m=admin&c=theme&a=edit request. It allows PHP code injection by providing a filename in the file parameter, and providing file content in the t2 parameter. | |||||
| CVE-2019-8437 | 1 Njiandan-cms Project | 1 Njiandan-cms | 2019-03-08 | 6.8 MEDIUM | 8.8 HIGH |
| njiandan-cms through 2013-05-23 has index.php/admin/user_new CSRF to add an administrator. | |||||
| CVE-2019-6710 | 1 Zyxel | 2 Nbg-418n, Nbg-418n Firmware | 2019-03-08 | 6.8 MEDIUM | 8.8 HIGH |
| Zyxel NBG-418N v2 v1.00(AAXM.4)C0 devices allow login.cgi CSRF. | |||||