Total: 1927 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2018-11442 | 1 Easyservice Billing Project | 1 Easyservice Billing | 2018-07-02 | 6.8 MEDIUM | 8.8 HIGH | A CSRF issue was discovered in EasyService Billing 1.0, which was triggered via a quotation-new3-new2.php?add=true&id= URI, as demonstrated by adding a new quotation. |
| CVE-2018-11405 | 1 Kliqqi | 1 Kliqqi Cms | 2018-07-02 | 6.8 MEDIUM | 8.8 HIGH | Kliqqi 2.0.2 has CSRF in admin/admin_users.php. |
| CVE-2018-11371 | 1 Skycaiji | 1 Skycaiji | 2018-07-02 | 6.8 MEDIUM | 8.8 HIGH | SkyCaiji 1.2 allows CSRF to add an Administrator user. |
| CVE-2018-11500 | 1 Publiccms | 1 Publiccms | 2018-06-29 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in PublicCMS V4.0.20180210. There is a CSRF vulnerability in "admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list" that can add an admin account. |
| CVE-2018-11493 | 1 Wuzhicms | 1 Wuzhi Cms | 2018-06-29 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a friendship link via index.php?m=link&f=index&v=add. |
| CVE-2018-11527 | 1 Cscms Project | 1 Cscms | 2018-06-29 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in CScms v4.1. A Cross-site request forgery (CSRF) vulnerability in plugins/sys/admin/Sys.php allows remote attackers to change the administrator's username and password via /admin.php/sys/editpass_save. |
| CVE-2018-11670 | 1 Njtech | 1 Greencms | 2018-06-29 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that allows attackers to execute arbitrary PHP code via the content parameter to index.php?m=admin&c=media&a=fileconnect. |
| CVE-2018-11671 | 1 Njtech | 1 Greencms | 2018-06-29 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that can add an admin account via index.php?m=admin&c=access&a=adduserhandle. |
| CVE-2017-12126 | 1 Moxa | 2 Edr-810, Edr-810 Firmware | 2018-06-19 | 6.8 MEDIUM | 8.8 HIGH | An exploitable cross-site request forgery vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP packet can cause cross-site request forgery. An attacker can create malicious HTML to trigger this vulnerability. |
| CVE-2018-11126 | 1 Doorgets | 1 Doorgets | 2018-06-19 | 6.8 MEDIUM | 8.8 HIGH | dg-user/?controller=users&action=add in doorGets 7.0 has CSRF that results in adding an administrator account. |
| CVE-2018-11004 | 1 Sdcms | 1 Sdcms | 2018-06-18 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in SDcms v1.5. Cross-site request forgery (CSRF) vulnerability in /WWW//app/admin/controller/admincontroller.php allows remote attackers to add administrator accounts via m=admin&c=admin&a=add. |
| CVE-2018-11018 | 1 Pbootcms | 1 Pbootcms | 2018-06-18 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in PbootCMS v1.0.7. Cross-site request forgery (CSRF) vulnerability in apps/admin/controller/system/RoleController.php allows remote attackers to add administrator accounts via admin.php/role/add.html. |
| CVE-2018-6023 | 1 Fastweb | 2 Fastgate, Fastgate Firmware | 2018-06-14 | 6.8 MEDIUM | 8.8 HIGH | Fastweb FASTgate 0.00.47 devices are vulnerable to CSRF, with impacts including Wi-Fi password changing, Guest Wi-Fi activating, etc. |
| CVE-2018-6458 | 1 Ehcp | 1 Easy Hosting Control Panel | 2018-06-13 | 6.8 MEDIUM | 8.8 HIGH | Easy Hosting Control Panel (EHCP) v0.37.12.b allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection. |
| CVE-2013-0185 | 1 Redhat | 1 Manageiq Enterprise Virtualization Manager | 2018-06-13 | 6.8 MEDIUM | 8.8 HIGH | Cross-site request forgery (CSRF) vulnerability in ManageIQ Enterprise Virtualization Manager (EVM) allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors. |
| CVE-2018-10957 | 1 D-link | 2 Dir-868l, Dir-868l Firmware | 2018-06-13 | 6.8 MEDIUM | 8.8 HIGH | CSRF exists on D-Link DIR-868L devices, leading to (for example) a change to the Admin password. hedwig.cgi and pigwidgeon.cgi are two of the affected components. |
| CVE-2018-10166 | 1 Tp-link | 1 Eap Controller | 2018-06-12 | 6.8 MEDIUM | 8.8 HIGH | The web management interface in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows does not have Anti-CSRF tokens in any forms. This would allow an attacker to submit authenticated requests when an authenticated user browses an attack-controlled domain. This is fixed in version 2.6.1_Windows. |
| CVE-2018-1479 | 1 Ibm | 1 Bigfix Platform | 2018-05-25 | 6.8 MEDIUM | 8.8 HIGH | IBM BigFix Platform 9.2 and 9.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 140761. |
| CVE-2018-10267 | 1 Wtcms Project | 1 Wtcms | 2018-05-25 | 6.8 MEDIUM | 8.8 HIGH | WTCMS 1.0 has a CSRF vulnerability to add an administrator account via the index.php?admin&m=user&a=add_post URI. |
| CVE-2018-10295 | 1 Chemcms Project | 1 Chemcms | 2018-05-25 | 6.8 MEDIUM | 8.8 HIGH | ChemCMS v1.0.6 has CSRF by using public/admin/user/addpost.html to add an administrator account. |
| CVE-2018-10265 | 1 Hongcms Project | 1 Hongcms | 2018-05-25 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in HongCMS v3.0.0. There is a CSRF vulnerability that can add an administrator account via the admin/index.php/users/save URI. |
| CVE-2018-10266 | 1 Beescms | 1 Beescms | 2018-05-25 | 6.8 MEDIUM | 8.8 HIGH | BEESCMS 4.0 has a CSRF vulnerability to add an administrator account via the admin/admin_admin.php?nav=list_admin_user&admin_p_nav=user URI. |
| CVE-2016-9092 | 1 Symantec | 2 Content Analysis, Mail Threat Defense | 2018-05-25 | 6.8 MEDIUM | 8.8 HIGH | The Symantec Content Analysis (CA) 1.3, 2.x prior to 2.2.1.1, and Mail Threat Defense (MTD) 1.1 management consoles are susceptible to a cross-site request forging (CSRF) vulnerability. A remote attacker can use phishing or other social engineering techniques to access the management console with the privileges of an authenticated administrator user. |
| CVE-2018-10312 | 1 Wuzhicms | 1 Wuzhi Cms | 2018-05-24 | 6.8 MEDIUM | 8.8 HIGH | index.php?m=member&v=pw_reset in WUZHI CMS 4.1.0 allows CSRF to change the password of a common member. |
| CVE-2018-10222 | 1 Icmsdev | 1 Icms | 2018-05-22 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in idreamsoft iCMS V7.0. There is a CSRF vulnerability that can add a Column via /admincp.php?app=article_category&do=save&frame=iPHP. |
| CVE-2018-10137 | 1 Iscripts | 1 Uberforx | 2018-05-22 | 6.8 MEDIUM | 8.8 HIGH | iScripts UberforX 2.2 has CSRF in the "manage_settings" section of the Admin Panel via the /cms?section=manage_settings&action=edit URI. |
| CVE-2018-10132 | 1 Pbootcms | 1 Pbootcms | 2018-05-22 | 6.8 MEDIUM | 8.8 HIGH | PbootCMS v0.9.8 has CSRF via an admin.php/Message/mod/id/19.html?backurl=/index.php request, resulting in PHP code injection in the recontent parameter. |
| CVE-2018-10249 | 1 Baijiacms Project | 1 Baijiacms | 2018-05-22 | 6.8 MEDIUM | 8.8 HIGH | baijiacms V3 has CSRF via index.php?mod=site&op=edituser&name=manager&do=user to add an administrator account. |
| CVE-2018-10188 | 1 Phpmyadmin | 1 Phpmyadmin | 2018-05-21 | 6.8 MEDIUM | 8.8 HIGH | phpMyAdmin 4.8.0 before 4.8.0-1 has CSRF, allowing an attacker to execute arbitrary SQL statements, related to js/db_operations.js, js/tbl_operations.js, libraries/classes/Operations.php, and sql.php. |
| CVE-2018-10185 | 1 Tuzicms | 1 Tuzicms | 2018-05-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in TuziCMS v2.0.6. There is a CSRF vulnerability that can add an admin account, as demonstrated by a history.pushState call. |
| CVE-2016-5809 | 1 Schneider-electric | 6 Ion5000, Ion7300, Ion7500 and 3 more | 2018-05-20 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. There is no CSRF Token generated to authenticate the user during a session. Successful exploitation of this vulnerability can allow unauthorized configuration changes to be made and saved. |
| CVE-2018-10117 | 1 Icmsdev | 1 Icms | 2018-05-18 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in idreamsoft iCMS V7.0.7. There is a CSRF vulnerability that can add an admin account via admincp.php?app=members&do=save&frame=iPHP. |
| CVE-2015-0151 | 1 D-link | 2 Dir-815, Dir-815 Firmware | 2018-05-16 | 6.8 MEDIUM | 8.8 HIGH | Cross-site request forgery (CSRF) vulnerability in D-Link DIR-815 devices with firmware before 2.07.B01 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. |
| CVE-2018-1000153 | 1 Jenkins | 1 Vsphere | 2018-05-15 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or send credentials stored in Jenkins with known ID to an attacker-specified server ("test connection"). |
| CVE-2018-6874 | 1 Auth0 | 1 Auth0.js | 2018-05-15 | 6.8 MEDIUM | 8.8 HIGH | CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled. |
| CVE-2018-9856 | 1 Kotti Project | 1 Kotti | 2018-05-15 | 6.8 MEDIUM | 8.8 HIGH | Kotti before 1.3.2 and 2.x before 2.0.0b2 has CSRF in the local roles implementation, as demonstrated by triggering a permission change via a /admin-document/@@share request. |
| CVE-2017-0362 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2018-05-15 | 6.8 MEDIUM | 8.8 HIGH | Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token. |
| CVE-2018-10127 | 1 Xyhcms Project | 1 Xyhcms | 2018-05-11 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in XYHCMS 3.5. It has CSRF via an index.php?g=Manage&m=Rbac&a=addUser request, resulting in addition of an account with the administrator role. |
| CVE-2018-6934 | 1 Ordermanagementscript | 1 Online Tutoring Script | 2018-05-11 | 6.8 MEDIUM | 8.8 HIGH | CSRF exists in student/personal-info in PHP Scripts Mall Online Tutoring Script 2.0.3. |
| CVE-2014-5072 | 1 Wpsecurityauditlog | 1 Wp Security Audit Log | 2018-05-09 | 6.8 MEDIUM | 8.8 HIGH | Cross-site request forgery (CSRF) vulnerability in WP Security Audit Log plugin before 1.2.5 for WordPress allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
| CVE-2014-5034 | 1 Fresh-media | 1 Brute Force Login Protection | 2018-05-09 | 6.8 MEDIUM | 8.8 HIGH | Cross-site request forgery (CSRF) vulnerability in the Brute Force Login Protection module 1.3 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that have unknown impact via a crafted request to the brute-force-login-protection page to wp-admin/options-general.php. |
| CVE-2018-8908 | 1 Frog Cms Project | 1 Frog Cms | 2018-05-09 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in /admin/?/user/add in Frog CMS 0.9.5. The application's add user functionality suffers from CSRF. A malicious user can craft an HTML page and use it to trick a victim into clicking on it; once executed, a malicious user will be created with admin privileges. This happens due to lack of an anti-CSRF token in state modification requests. |
| CVE-2018-10048 | 1 Iscripts | 1 Eswap | 2018-05-09 | 6.8 MEDIUM | 8.8 HIGH | iScripts eSwap v2.4 has CSRF via "registration_settings.php" in the Admin Panel. |
| CVE-2018-8893 | 1 Zblogcn | 1 Z-blogphp | 2018-05-01 | 6.8 MEDIUM | 8.8 HIGH | Z-BlogPHP 1.5.1 Zero has CSRF in plugin_edit.php, resulting in the ability to execute arbitrary PHP code. |
| CVE-2018-8972 | 1 Creditwestbank | 1 Cwcms | 2018-04-24 | 6.8 MEDIUM | 8.8 HIGH | Creditwest Bank CMS Project (aka CWCMS) through 2017-07-28 has CSRF in the functionality for updating the site configuration, which allows remote attackers to inject arbitrary PHP code, as demonstrated by a PHP shell that calls eval on request parameters. |
| CVE-2018-9134 | 1 Dedecms | 1 Dedecms | 2018-04-23 | 6.8 MEDIUM | 8.8 HIGH | file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename action, as demonstrated by renaming an arbitrary file under uploads/userup to a .php file under the web root to achieve PHP code execution. This uses the oldfilename and newfilename parameters. |
| CVE-2015-2009 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2018-04-23 | 6.8 MEDIUM | 8.8 HIGH | Cross-site request forgery (CSRF) vulnerability in the xmlrpc.cgi service in IBM QRadar SIEM 7.1 before MR2 Patch 11 Interim Fix 02 and 7.2.x before 7.2.5 Patch 4 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences via vectors related to webmin. IBM X-Force ID: 103921. |
| CVE-2018-9108 | 1 Quickappscms | 1 Quickapps Cms | 2018-04-20 | 6.8 MEDIUM | 8.8 HIGH | CSRF in /admin/user/manage/add in QuickAppsCMS 2.0.0-beta2 allows an unauthorized remote attacker to create an account with admin privileges. |
| CVE-2018-8764 | 2 Debian, Ldap-account-manager | 2 Debian Linux, Ldap Account Manager | 2018-04-20 | 6.8 MEDIUM | 8.8 HIGH | Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 places a CSRF token in the sec_token parameter of a URI, which makes it easier for remote attackers to defeat a CSRF protection mechanism by leveraging logging. |
| CVE-2018-7700 | 1 Dedecms | 1 Dedecms | 2018-04-19 | 6.8 MEDIUM | 8.8 HIGH | DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code. |
