Total: 1927 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2018-17429 | 1 Jtbc | 1 Jtbc | 2019-03-08 | 6.8 MEDIUM | 8.8 HIGH | /console/account/manage.php?type=action&action=add in JTBC v3.0(C) has CSRF for adding an administrator account. |
| CVE-2018-18449 | 1 Phome | 1 Empirecms | 2019-03-08 | 6.8 MEDIUM | 8.8 HIGH | EmpireCMS 7.5 allows CSRF for adding a user account via an enews=AddUser action to e/admin/user/ListUser.php, a similar issue to CVE-2018-16339. |
| CVE-2018-5673 | 1 Booking Calendar Project | 1 Booking Calendar | 2019-03-05 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. CSRF exists via wp-admin/admin.php. |
| CVE-2018-8718 | 1 Jenkins | 1 Mailer | 2019-03-04 | 6.0 MEDIUM | 8.0 HIGH | Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request. |
| CVE-2018-19138 | 1 Wstmart | 1 Wstmart | 2019-03-04 | 6.8 MEDIUM | 8.8 HIGH | WSTMart 2.0.7 has CSRF via the index.php/admin/staffs/add.html URI. |
| CVE-2019-9549 | 1 Popojicms | 1 Popojicms | 2019-03-04 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in PopojiCMS v2.0.1. It has CSRF via the po-admin/route.php?mod=user&act=addnew URI, as demonstrated by adding a level=1 account, a similar issue to CVE-2018-18935. |
| CVE-2018-9927 | 1 Wuzhicms | 1 Wuzhicms | 2019-02-27 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add. |
| CVE-2018-9926 | 1 Wuzhicms | 1 Wuzhicms | 2019-02-27 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add. |
| CVE-2019-9182 | 1 Zzzcms | 1 Zzzphp | 2019-02-26 | 6.8 MEDIUM | 8.8 HIGH | There is a CSRF in ZZZCMS zzzphp V1.6.1 via a /admin015/save.php?act=editfile request. It allows PHP code injection by providing a filename in the file parameter and file content in the filetext parameter. |
| CVE-2018-16634 | 1 Pluck-cms | 1 Pluck | 2019-02-26 | 6.8 MEDIUM | 8.8 HIGH | Pluck v4.7.7 allows CSRF via admin.php?action=settings. |
| CVE-2018-16447 | 1 Frogcms Project | 1 Frogcms | 2019-02-25 | 6.8 MEDIUM | 8.8 HIGH | Frog CMS 0.9.5 has admin/?/user/edit/1 CSRF. |
| CVE-2019-9040 | 1 S-cms | 1 S-cms | 2019-02-25 | 6.8 MEDIUM | 8.8 HIGH | S-CMS PHP v3.0 has a CSRF vulnerability to add a new admin user via the admin/ajax.php?type=admin&action=add URI, a related issue to CVE-2018-19332. |
| CVE-2019-1000022 | 1 Taoensso | 1 Sente | 2019-02-20 | 6.8 MEDIUM | 8.8 HIGH | Taoensso Sente versions prior to 1.14.0 contain a Cross Site Request Forgery (CSRF) vulnerability in the WebSocket handshake endpoint that can result in a CSRF attack and a possible leak of the anti-CSRF token. This attack appears to be exploitable via a malicious request against the WebSocket handshake endpoint. This vulnerability appears to have been fixed in 1.14.0 and later. |
| CVE-2019-0267 | 1 Sap | 1 Manufacturing Integration And Intelligence | 2019-02-20 | 6.8 MEDIUM | 8.8 HIGH | SAP Manufacturing Integration and Intelligence, versions 15.0, 15.1 and 15.2, (Illuminator Servlet) currently does not provide Anti-XSRF tokens. This might lead to XSRF attacks in case the data is being posted to the Servlet from an external application. |
| CVE-2019-8910 | 1 Wtcms Project | 1 Wtcms | 2019-02-19 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in WTCMS 1.0. It allows index.php?g=admin&m=setting&a=site_post CSRF. |
| CVE-2019-1000003 | 1 Mapsvg | 1 Mapsvg Lite | 2019-02-15 | 6.8 MEDIUM | 8.8 HIGH | MapSVG MapSVG Lite version 3.2.3 contains a Cross Site Request Forgery (CSRF) vulnerability in the REST endpoint /wp-admin/admin-ajax.php?action=mapsvg_save that can result in an attacker modifying post data, including embedding JavaScript. This attack appears to be exploitable if the victim is logged in to WordPress as an admin and clicks a link. This vulnerability appears to have been fixed in 3.3.0 and later. |
| CVE-2018-6907 | 1 Rainmachine | 1 Rainmachine Web Application | 2019-02-15 | 6.8 MEDIUM | 8.8 HIGH | A Cross Site Request Forgery (CSRF) vulnerability in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allows an attacker to control the RainMachine device via the REST API. |
| CVE-2019-8347 | 1 Beescms | 1 Beescms | 2019-02-15 | 6.8 MEDIUM | 8.8 HIGH | BEESCMS 4.0 has a CSRF vulnerability to add arbitrary VIP accounts via the admin/admin_member.php?action=add&nav=add_web_user&admin_p_nav=user URI. |
| CVE-2018-1000858 | 2 Canonical, Gnupg | 2 Ubuntu Linux, Gnupg | 2019-02-13 | 6.8 MEDIUM | 8.8 HIGH | GnuPG versions 2.1.12 - 2.2.11 contain a Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in attacker-controlled CSRF, information disclosure, or DoS. This attack appears to be exploitable if the victim performs a WKD request, e.g. enters an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed after commit 4a4bb874f63741026bd26264c43bb32b1099f060. |
| CVE-2019-7737 | 1 Verydows | 1 Verydows | 2019-02-12 | 6.8 MEDIUM | 8.8 HIGH | A CSRF vulnerability was found in Verydows v2.0 that can add an admin account via index.php?m=backend&c=admin&a=add&step=submit. |
| CVE-2018-20780 | 1 Traq | 1 Traq | 2019-02-11 | 6.8 MEDIUM | 8.8 HIGH | Traq 3.7.1 allows admin/users/new CSRF to create an admin account (aka group_id=1). |
| CVE-2019-7569 | 1 Wdoyo | 1 Doyo | 2019-02-07 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in DOYO (aka doyocms) 2.3 (20140425 update). There is a CSRF vulnerability that can add a super administrator account via admin.php?c=a_adminuser&a=add&run=1. |
| CVE-2019-7566 | 1 Cszcms | 1 Csz Cms | 2019-02-07 | 6.8 MEDIUM | 8.8 HIGH | CSZ CMS 1.1.8 has CSRF via admin/users/new/add. |
| CVE-2018-1000843 | 1 Spotify | 1 Luigi | 2019-02-07 | 6.8 MEDIUM | 8.8 HIGH | Luigi versions prior to 2.8.0 (after commit 53b52e12745075a8acc016d33945d9d6a7a6aaeb and GitHub PR spotify/luigi/pull/1870) contain a Cross Site Request Forgery (CSRF) vulnerability in the API endpoint /api/<method> that can result in task metadata such as task name, id, parameters, etc. being leaked to unauthorized users. This attack appears to be exploitable if the victim visits a specially crafted webpage from the network where their Luigi server is accessible. This vulnerability appears to have been fixed in 2.8.0 and later. |
| CVE-2019-7346 | 1 Zoneminder | 1 Zoneminder | 2019-02-05 | 6.8 MEDIUM | 8.8 HIGH | A CSRF check issue exists in ZoneMinder through 1.32.3: whenever a CSRF check fails, a callback function is called that displays a "Try again" button, which allows resending the failed request, making the CSRF attack successful. |
| CVE-2018-19135 | 1 Clippercms | 1 Clippercms | 2019-01-30 | 6.8 MEDIUM | 8.8 HIGH | ClipperCMS 1.3.3 does not have CSRF protection on its kcfinder file upload (enabled by default). This can be used by an attacker to perform actions as an admin (or any user with the file upload capability). With this vulnerability, one can automatically upload files (by default, it allows html, pdf, xml, zip, and many other file types). A file can be accessed publicly under the "/assets/files" directory. |
| CVE-2017-17835 | 1 Apache | 1 Airflow | 2019-01-25 | 6.8 MEDIUM | 8.8 HIGH | In Apache Airflow 1.8.2 and earlier, a CSRF vulnerability allowed for a remote command injection on a default install of Airflow. |
| CVE-2019-6779 | 1 Chshcms | 1 Cscms | 2019-01-25 | 5.8 MEDIUM | 8.1 HIGH | Cscms 4.1.8 allows admin.php/links/save CSRF to add, modify, or delete friend links. |
| CVE-2019-6244 | 1 Usualtool | 1 Usualtoolcms | 2019-01-24 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in UsualToolCMS 8.0. cmsadmin/a_sqlbackx.php?t=sql allows CSRF attacks that can execute SQL statements, and consequently execute arbitrary PHP code by writing that code into a .php file. |
| CVE-2018-20228 | 1 Subsonic | 1 Subsonic | 2019-01-24 | 6.0 MEDIUM | 8.0 HIGH | Subsonic V6.1.5 allows internetRadioSettings.view streamUrl CSRF, with resultant SSRF. |
| CVE-2019-6507 | 1 Creditease-sec | 1 Insight | 2019-01-23 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in creditease-sec insight through 2018-09-11. login_user_delete in srcpm/app/admin/views.py allows CSRF. |
| CVE-2019-6510 | 1 Creditease-sec | 1 Insight | 2019-01-23 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in creditease-sec insight through 2018-09-11. user_delete in srcpm/app/admin/views.py allows CSRF. |
| CVE-2019-6509 | 1 Creditease-sec | 1 Insight | 2019-01-23 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in creditease-sec insight through 2018-09-11. depart_delete in srcpm/app/admin/views.py allows CSRF. |
| CVE-2019-6508 | 1 Creditease-sec | 1 Insight | 2019-01-23 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in creditease-sec insight through 2018-09-11. role_perm_delete in srcpm/app/admin/views.py allows CSRF. |
| CVE-2018-1000417 | 1 Jenkins | 1 Email Extension Template | 2019-01-22 | 5.8 MEDIUM | 8.1 HIGH | A cross-site request forgery vulnerability exists in Jenkins Email Extension Template Plugin 1.0 and earlier in ExtEmailTemplateManagement.java that allows creating or removing templates. |
| CVE-2018-1000414 | 1 Jenkins | 1 Config File Provider | 2019-01-22 | 5.8 MEDIUM | 8.1 HIGH | A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java and FolderConfigFileAction.java that allows creating and editing configuration file definitions. |
| CVE-2018-20728 | 1 Nedi | 1 Nedi | 2019-01-22 | 6.8 MEDIUM | 8.8 HIGH | A cross site request forgery (CSRF) vulnerability in NeDi before 1.7Cp3 allows remote attackers to escalate privileges via User-Management.php. |
| CVE-2016-10738 | 1 Castlamp | 1 Zenbership | 2019-01-18 | 6.8 MEDIUM | 8.8 HIGH | Zenbership v107 has CSRF via admin/cp-functions/event-add.php. |
| CVE-2019-6249 | 1 Hucart | 1 Hucart | 2019-01-16 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in HuCart v5.7.4. There is a CSRF vulnerability that can add an admin account via /adminsys/index.php?load=admins&act=edit_info&act_type=add. |
| CVE-2019-6294 | 1 Easycms | 1 Easycms | 2019-01-16 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in EasyCMS 1.5. There is CSRF via the index.php?s=/admin/articlem/insert/navTabId/listarticle/callbackType/closeCurrent URI. |
| CVE-2018-20612 | 1 Asthis | 1 Universal Website Asthis | 2019-01-16 | 6.8 MEDIUM | 8.8 HIGH | UWA 2.3.11 allows index.php?g=admin&c=admin&a=add_admin_do CSRF. |
| CVE-2018-19182 | 1 Engelsystem | 1 Engelsystem | 2019-01-14 | 6.8 MEDIUM | 8.8 HIGH | Engelsystem before commit hash 2e28336 allows CSRF. |
| CVE-2018-20595 | 1 Hsweb | 1 Hsweb | 2019-01-14 | 6.8 MEDIUM | 8.8 HIGH | A CSRF issue was discovered in web/authorization/oauth2/controller/OAuth2ClientController.java in hsweb 3.0.4 because the state parameter in the request is not compared with the state parameter in the session after user authentication is successful. |
| CVE-2018-20419 | 1 Douco | 1 Douphp | 2019-01-11 | 6.8 MEDIUM | 8.8 HIGH | DouCo DouPHP 1.5 has upload/admin/manager.php?rec=insert CSRF to add an administrator account. |
| CVE-2018-19923 | 1 Sales & Company Management System Project | 1 Sales & Company Management System | 2019-01-11 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in Sales & Company Management System (SCMS) through 2018-06-06. There is member/member_email.php?action=edit CSRF. |
| CVE-2018-20603 | 1 Lfdycms | 1 Lei Feng Tv Cms | 2019-01-10 | 6.8 MEDIUM | 8.8 HIGH | Lei Feng TV CMS (aka LFCMS) 3.8.6 allows admin.php?s=/Member/add.html CSRF. |
| CVE-2018-20613 | 1 Temmoku Project | 1 Temmoku | 2019-01-10 | 6.8 MEDIUM | 8.8 HIGH | TEMMOKU T1.09 Beta allows admin/user/add CSRF. |
| CVE-2018-18842 | 1 Zblogcn | 1 Z-blogphp | 2019-01-09 | 6.8 MEDIUM | 8.8 HIGH | CSRF exists in zb_users/plugin/AppCentre/theme.js.php in Z-BlogPHP 1.5.2.1935 (Zero), which allows remote attackers to execute arbitrary PHP code. |
| CVE-2018-1000846 | 1 Freshdns Project | 1 Freshdns | 2019-01-08 | 6.8 MEDIUM | 8.8 HIGH | FreshDNS version 1.0.3 and earlier contains a Cross Site Request Forgery (CSRF) vulnerability in all (authenticated) API calls in index.php / class.manager.php that can result in editing domains and zones with the victim's privileges. This attack appears to be exploitable if the victim opens a website containing the attacker's JavaScript. This vulnerability appears to have been fixed in 1.0.5 and later. |
| CVE-2018-20188 | 1 Thedaylightstudio | 1 Fuel Cms | 2019-01-07 | 6.8 MEDIUM | 8.8 HIGH | FUEL CMS 1.4.3 has CSRF via users/create/ to add an administrator account. |
