Search
Total
1927 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1213 | 1 Dell | 1 Emc Isilon Onefs | 2018-04-19 | 6.8 MEDIUM | 8.8 HIGH |
| Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 and 8.1.0.2 is affected by a cross-site request forgery vulnerability. A malicious user may potentially exploit this vulnerability to send unauthorized requests to the server on behalf of authenticated users of the application. | |||||
| CVE-2014-2274 | 1 Subscribe To Comments Reloaded Project | 1 Subscribe To Comments Reloaded | 2018-04-18 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the Subscribe To Comments Reloaded plugin before 140219 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via a request to the subscribe-to-comments-reloaded/options/index.php page to wp-admin/admin.php. | |||||
| CVE-2018-9923 | 1 Icmsdev | 1 Icms | 2018-04-17 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists in admincp.php, as demonstrated by adding an article via an app=article&do=save&frame=iPHP request. | |||||
| CVE-2014-1457 | 1 Openwebanalytics | 1 Open Web Analytics | 2018-04-17 | 6.8 MEDIUM | 8.8 HIGH |
| Open Web Analytics (OWA) before 1.5.6 improperly generates random nonce values, which makes it easier for remote attackers to bypass a CSRF protection mechanism by leveraging knowledge of an OWA user name. | |||||
| CVE-2014-2550 | 1 Disable Comments | 1 Disable Comments Project | 2018-04-17 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the Disable Comments plugin before 1.0.4 for WordPress allows remote attackers to hijack the authentication of administrators for requests that enable comments via a request to the disable_comments_settings page to wp-admin/options-general.php. | |||||
| CVE-2018-10031 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-04-13 | 6.8 MEDIUM | 8.8 HIGH |
| CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/moduleinterface.php. | |||||
| CVE-2018-10030 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-04-13 | 6.8 MEDIUM | 8.8 HIGH |
| CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/siteprefs.php. | |||||
| CVE-2017-17960 | 1 Php Multivendor Ecommerce Project | 1 Php Multivendor Ecommerce | 2018-04-12 | 6.8 MEDIUM | 8.8 HIGH |
| PHP Scripts Mall PHP Multivendor Ecommerce has CSRF via admin/sellerupd.php. | |||||
| CVE-2018-1000137 | 1 I-librarian | 1 I Librarian | 2018-04-12 | 6.8 MEDIUM | 8.8 HIGH |
| I, Librarian version 4.8 and earlier contains a Cross site Request Forgery (CSRF) vulnerability in users.php that can result in the password of the admin being forced to be changed without the administrator's knowledge. | |||||
| CVE-2018-1000092 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-04-10 | 6.8 MEDIUM | 8.8 HIGH |
| CMS Made Simple version versions 2.2.5 contains a Cross ite Request Forgery (CSRF) vulnerability in Admin profile page that can result in Details can be found here http://dev.cmsmadesimple.org/bug/view/11715. This attack appear to be exploitable via A specially crafted web page. This vulnerability appears to have been fixed in 2.2.6. | |||||
| CVE-2018-8717 | 1 Joyplus-cms Project | 1 Joyplus-cms | 2018-04-09 | 6.8 MEDIUM | 8.8 HIGH |
| joyplus-cms 1.6.0 has CSRF, as demonstrated by adding an administrator account via a manager/admin_ajax.php?action=save&tab={pre}manager request. | |||||
| CVE-2018-1000082 | 1 Ajenti | 1 Ajenti | 2018-04-06 | 6.8 MEDIUM | 8.8 HIGH |
| Ajenti version version 2 contains a Cross ite Request Forgery (CSRF) vulnerability in the command execution panel of the tool used to manage the server. that can result in Code execution on the server . This attack appear to be exploitable via Being a CSRF, victim interaction is needed, when the victim access the infected trigger of the CSRF any code that match the victim privledges on the server can be executed.. | |||||
| CVE-2018-1000093 | 1 Cryptonote | 1 Cryptonote | 2018-04-05 | 6.8 MEDIUM | 8.8 HIGH |
| CryptoNote version version 0.8.9 and possibly later contain a local RPC server which does not require authentication, as a result the walletd and the simplewallet RPC daemons will process any commands sent to them, resulting in remote command execution and a takeover of the cryptocurrency wallet if an attacker can trick an application such as a web browser into connecting and sending a command for example. This attack appears to be exploitable via a victim visiting a webpage hosting malicious content that trigger such behavior. | |||||
| CVE-2018-6224 | 1 Trendmicro | 1 Email Encryption Gateway | 2018-04-04 | 6.8 MEDIUM | 8.8 HIGH |
| A lack of cross-site request forgery (CSRF) protection vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to submit authenticated requests to a user browsing an attacker-controlled domain. | |||||
| CVE-2018-7307 | 1 Auth0 | 1 Auth0.js | 2018-03-28 | 6.8 MEDIUM | 8.8 HIGH |
| The Auth0 Auth0.js library before 9.3 has CSRF because it mishandles the case where the authorization response lacks the state parameter. | |||||
| CVE-2017-7641 | 1 Qnap | 2 Media Streaming Add-on, Qts | 2018-03-27 | 6.8 MEDIUM | 8.8 HIGH |
| QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2.0, and earlier does not utilize CSRF protections. | |||||
| CVE-2018-7733 | 1 Yxtcmf | 1 Yxtcmf | 2018-03-26 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in YxtCMF 3.1. RbacController.class.php has CSRF, as demonstrated by modifying an administrator account via index.php/admin/user/add_post.html. | |||||
| CVE-2018-7565 | 1 Polycom | 2 Qdx 6000, Qdx 6000 Firmware | 2018-03-26 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF exists on Polycom QDX 6000 devices. | |||||
| CVE-2016-0272 | 1 Ibm | 1 Financial Transaction Manager | 2018-03-26 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-site request forgery (CSRF) vulnerability in IBM Financial Transaction Manager (FTM) for ACH Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, Financial Transaction Manager (FTM) for Check Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, and Financial Transaction Manager (FTM) for Corporate Payment Services (CPS) for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013 allows remote attackers to hijack the authentication of arbitrary users via unspecified vectors. IBM X-Force ID: 111052. | |||||
| CVE-2018-7634 | 1 Enalean | 1 Tuleap | 2018-03-22 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Enalean Tuleap 9.17. Lack of CSRF attack mitigation while changing an e-mail address makes it possible to abuse the functionality by attackers. By making a CSRF attack, an attacker could make a victim change his registered e-mail address on the application, leading to account takeover. | |||||
| CVE-2017-12415 | 1 Oxid-esales | 1 Eshop | 2018-03-16 | 5.1 MEDIUM | 7.5 HIGH |
| OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.10 (legacy), and 5.3.x before 5.3.5 (maintenance), and Professional Edition before 6.0.0 RC2 (development), 4.9.x before 4.9.10 (legacy) and 4.10.x before 4.10.5 (maintenance) allow remote attackers to hijack the cart session of a client via Cross-Site Request Forgery (CSRF) if the following pre-conditions are met: (1) the attacker knows which shop is presently used by the client, (2) the attacker knows the exact time when the customer will add product items to the cart, (3) the attacker knows which product items are already in the cart (has to know their article IDs), and (4) the attacker would be able to trick user into clicking a button (submit form) of an e-mail or remote site within the period of visiting the shop and placing an order. | |||||
| CVE-2016-0295 | 1 Ibm | 1 Bigfix Platform | 2018-03-16 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the IBM BigFix Platform 9.0, 9.1, 9.2, and 9.5 before 9.5.2 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. IBM X-Force ID: 111363. | |||||
| CVE-2018-7590 | 1 Hoosk | 1 Hoosk | 2018-03-16 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF exists in Hoosk 1.7.0 via /admin/users/new/add, resulting in account creation. | |||||
| CVE-2018-0520 | 1 Fsi | 2 Fs010w, Fs010w Firmware | 2018-03-16 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in FS010W firmware FS010W_00_V1.3.0 and earlier allows an attacker to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2018-7308 | 1 Hosting Project | 1 Hosting | 2018-03-16 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF issue was found in var/www/html/files.php in DanWin hosting through 2018-02-11 that allows arbitrary remote users to add/delete/modify any files in any hosting account. | |||||
| CVE-2018-7216 | 1 Tejari | 1 Bravo Solution | 2018-03-16 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-site request forgery (CSRF) vulnerability in esop/toolkit/profile/regData.do in Bravo Tejari Procurement Portal allows remote authenticated users to hijack the authentication of application users for requests that modify their personal data by leveraging lack of anti-CSRF tokens. | |||||
| CVE-2018-7219 | 1 5none | 1 Nonecms | 2018-03-14 | 6.8 MEDIUM | 8.8 HIGH |
| application/admin/controller/Admin.php in NoneCms 1.3.0 has CSRF, as demonstrated by changing an admin password or adding an account via a public/index.php/admin/admin/edit.html request. | |||||
| CVE-2018-7176 | 1 Frontaccounting | 1 Frontaccounting | 2018-03-14 | 6.8 MEDIUM | 8.8 HIGH |
| FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page). | |||||
| CVE-2018-6941 | 1 Nat32 | 1 Nat32 | 2018-03-13 | 6.8 MEDIUM | 8.8 HIGH |
| A /shell?cmd= CSRF issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with XSS. | |||||
| CVE-2017-17552 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2018-03-13 | 6.8 MEDIUM | 8.8 HIGH |
| /LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted. | |||||
| CVE-2017-5796 | 1 Hp | 10 J9623a, J9623a Firmware, J9624a and 7 more | 2018-03-12 | 9.3 HIGH | 8.8 HIGH |
| A Remote Cross Site Request Forgery (CSRF) vulnerability in HPE 2620 Series Network Switches version RA.15.05.0006 was found. | |||||
| CVE-2017-16756 | 1 Userscape | 1 Helpspot | 2018-03-09 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Userscape HelpSpot before 4.7.2. A cross-site request forgery vulnerability exists on POST requests to the "index.php?pg=password.change" endpoint. This allows an attacker to change the password of another user's HelpSpot account. | |||||
| CVE-2016-0348 | 1 Ibm | 1 Tririga Application Platform | 2018-03-09 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-site request forgery (CSRF) vulnerability in IBM TRIRIGA Application Platform 3.3, 3.3.1, 3.3.2, and 3.4 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. IBM X-Force ID: 111813. | |||||
| CVE-2018-1000053 | 1 Limesurvey | 1 Limesurvey | 2018-03-08 | 6.8 MEDIUM | 8.8 HIGH |
| LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Theme Uninstallation that can result in CSRF causing LimeSurvey admins to delete all their themes, rendering the website unusable. This attack appear to be exploitable via Simple HTML markup can be used to send a GET request to the affected endpoint. | |||||
| CVE-2016-8513 | 1 Hp | 1 Version Control Repository Manager | 2018-03-07 | 6.0 MEDIUM | 8.0 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability in HPE Version Control Repository Manager (VCRM) was found. The problem impacts all versions prior to 7.6. | |||||
| CVE-2018-6888 | 1 Typesettercms | 1 Typesetter | 2018-03-06 | 6.0 MEDIUM | 8.0 HIGH |
| An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from critical flaw of Cross Site Request forgery: using a forged HTTP request, a malicious user can lead a user to unknowingly create / delete or modify a user account due to the lack of an anti-CSRF token. | |||||
| CVE-2017-5781 | 1 Hp | 1 Matrix Operating Environment | 2018-03-05 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF vulnerability in HPE Matrix Operating Environment version v7.6 was found. | |||||
| CVE-2018-6288 | 1 Kaspersky | 1 Secure Mail Gateway | 2018-03-01 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site Request Forgery leading to Administrative account takeover in Kaspersky Secure Mail Gateway version 1.1. | |||||
| CVE-2018-6467 | 1 Flickrrss Project | 1 Flickrrss | 2018-02-28 | 6.8 MEDIUM | 8.8 HIGH |
| The flickrRSS plugin 5.3.1 for WordPress has CSRF via wp-admin/options-general.php. | |||||
| CVE-2014-9502 | 1 Open Atrium Project | 1 Open Atrium | 2018-02-27 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in unspecified sub modules in the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal allow remote attackers to hijack the authentication of unknown victims via vectors related to menu callbacks. | |||||
| CVE-2017-4951 | 1 Vmware | 1 Airwatch | 2018-02-27 | 6.8 MEDIUM | 8.8 HIGH |
| VMware AirWatch Console (9.2.x before 9.2.2 and 9.1.x before 9.1.5) contains a Cross Site Request Forgery vulnerability when accessing the App Catalog. An attacker may exploit this issue by tricking users into installing a malicious application on their devices. | |||||
| CVE-2018-6408 | 1 Conceptronic | 3 Cipcamptiwl, Cipcamptiwl Firmware, Cipcamptiwl Web Firmware | 2018-02-27 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 devices. CSRF exists in hy-cgi/user.cgi, as demonstrated by changing an administrator password or adding a new administrator account. | |||||
| CVE-2015-4179 | 1 Codestyling Localization Project | 1 Codestyling Localization | 2018-02-26 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Codestyling Localization plugin 1.99.30 and earlier for Wordpress. | |||||
| CVE-2017-9414 | 1 Subsonic | 1 Subsonic | 2018-02-23 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the Subscribe to Podcast feature in Subsonic 6.1.1 allows remote attackers to hijack the authentication of unspecified victims for requests that conduct cross-site scripting (XSS) attacks or possibly have unspecified other impact via the name parameter to playerSettings.view. | |||||
| CVE-2018-5720 | 1 Dodocool | 2 Dc38, Dc38 Firmware | 2018-02-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on DODOCOOL DC38 3-in-1 N300 Mini Wireless Range Extend RTN2-AW.GD.R3465.1.20161103 devices. A Cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that modify all the settings. This vulnerability can lead to changing an existing user's username and password, changing the Wi-Fi password, etc. | |||||
| CVE-2016-4319 | 1 Atlassian | 1 Jira | 2018-02-16 | 6.8 MEDIUM | 8.8 HIGH |
| Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings. | |||||
| CVE-2018-6007 | 1 Joomsky | 1 Js Support Ticket | 2018-02-15 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF exists in the JS Support Ticket 1.1.0 component for Joomla! and allows attackers to inject HTML or edit a ticket. | |||||
| CVE-2017-1000356 | 1 Jenkins | 1 Jenkins | 2018-02-15 | 6.8 MEDIUM | 8.8 HIGH |
| Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts. | |||||
| CVE-2016-7034 | 1 Redhat | 1 Jboss Bpm Suite | 2018-02-15 | 6.8 MEDIUM | 8.8 HIGH |
| The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token. | |||||
| CVE-2018-6391 | 1 Netis-systems | 2 Wf2419, Wf2419 Firmware | 2018-02-14 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery web vulnerability has been discovered on Netis WF2419 V2.2.36123 devices. A remote attacker is able to delete Address Reservation List settings. | |||||