Search
Total
1927 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-5489 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload. | |||||
| CVE-2017-5492 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php. | |||||
| CVE-2016-5789 | 1 Jantek | 2 Jtc-200, Jtc-200 Firmware | 2017-11-03 | 6.0 MEDIUM | 8.0 HIGH |
| A Cross-site Request Forgery issue was discovered in JanTek JTC-200, all versions. An attacker could perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. | |||||
| CVE-2017-1000090 | 1 Jenkins | 1 Role-based Authorization Strategy | 2017-11-02 | 6.8 MEDIUM | 8.8 HIGH |
| Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins. | |||||
| CVE-2016-4430 | 1 Apache | 1 Struts | 2017-10-31 | 6.8 MEDIUM | 8.8 HIGH |
| Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. | |||||
| CVE-2017-1218 | 1 Ibm | 1 Bigfix Platform | 2017-10-27 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Tivoli Endpoint Manager is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 123858. | |||||
| CVE-2017-15808 | 1 Phpmyfaq | 1 Phpmyfaq | 2017-10-25 | 6.8 MEDIUM | 8.8 HIGH |
| In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. | |||||
| CVE-2017-15729 | 1 Phpmyfaq | 1 Phpmyfaq | 2017-10-24 | 6.8 MEDIUM | 8.8 HIGH |
| In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for adding a glossary. | |||||
| CVE-2017-15731 | 1 Phpmyfaq | 1 Phpmyfaq | 2017-10-24 | 6.8 MEDIUM | 8.8 HIGH |
| In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.adminlog.php. | |||||
| CVE-2017-15732 | 1 Phpmyfaq | 1 Phpmyfaq | 2017-10-24 | 6.8 MEDIUM | 8.8 HIGH |
| In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/news.php. | |||||
| CVE-2017-15733 | 1 Phpmyfaq | 1 Phpmyfaq | 2017-10-24 | 6.8 MEDIUM | 8.8 HIGH |
| In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/ajax.attachment.php and admin/att.main.php. | |||||
| CVE-2017-15734 | 1 Phpmyfaq | 1 Phpmyfaq | 2017-10-24 | 6.8 MEDIUM | 8.8 HIGH |
| In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. | |||||
| CVE-2017-15735 | 1 Phpmyfaq | 1 Phpmyfaq | 2017-10-24 | 6.8 MEDIUM | 8.8 HIGH |
| In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. | |||||
| CVE-2016-6806 | 1 Apache | 1 Wicket | 2017-10-23 | 6.8 MEDIUM | 8.8 HIGH |
| Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed. | |||||
| CVE-2017-1000092 | 1 Jenkins | 1 Git | 2017-10-17 | 2.6 LOW | 7.5 HIGH |
| Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server. | |||||
| CVE-2017-1000093 | 1 Jenkins | 1 Poll Scm | 2017-10-17 | 6.8 MEDIUM | 8.8 HIGH |
| Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action as it's similar to cache invalidation, the plugin specifically adds a permission to be able to use this functionality, and this issue undermines that permission. | |||||
| CVE-2015-2142 | 1 Phpbugtracker Project | 1 Phpbugtracker | 2017-10-12 | 6.0 MEDIUM | 8.0 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote authenticated users to (1) hijack the authentication of users for requests that cause an unspecified impact via the id parameter to project.php, (2) hijack the authentication of users for requests that cause an unspecified impact via the group_id parameter to group.php, (3) hijack the authentication of users for requests that delete statuses via the status_id parameter to status.php, (4) hijack the authentication of users for requests that delete severities via the severity_id parameter to severity.php, (5) hijack the authentication of users for requests that cause an unspecified impact via the priority_id parameter to priority.php, (6) hijack the authentication of users for requests that delete the operating system via the os_id parameter to os.php, (7) hijack the authentication of users for requests that delete databases via the database_id parameter to database.php, or (8) hijack the authentication of users for requests that delete sites via the site_id parameter to sites.php. | |||||
| CVE-2015-2143 | 1 Phpbugtracker Project | 1 Phpbugtracker | 2017-10-11 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to hijack the authentication of users for requests that cause an unspecified impact via unknown parameters. | |||||
| CVE-2017-14924 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2017-10-06 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with an IMG element, related to tiki-assignuser.php. | |||||
| CVE-2017-14925 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2017-10-06 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to edit global permissions if an administrator opens a wiki page with an IMG element, related to tiki-objectpermissions.php. For example, an attacker could assign administrator privileges to every unauthenticated user of the site. | |||||
| CVE-2015-7293 | 2 Plone, Zope | 2 Plone, Zope Management Interface | 2017-10-06 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x. | |||||
| CVE-2015-5607 | 2 Fedoraproject, Ipython | 2 Fedora, Ipython | 2017-10-05 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery in the REST API in IPython 2 and 3. | |||||
| CVE-2017-13129 | 1 Zkteco | 1 Zktime Web | 2017-10-03 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-site request forgery (CSRF) vulnerability in ZKTeco ZKTime Web 2.0.1.12280 allows remote authenticated users to hijack the authentication of administrators for requests that add administrators by leveraging lack of anti-CSRF tokens. | |||||
| CVE-2017-7969 | 1 Schneider-electric | 3 Citect Anywhere, Powerscada Anywhere, Powerscada Expert | 2017-09-29 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type of attack requires some level of social engineering in order to get a legitimate user to click on or access a malicious link/site containing the CSRF attack. | |||||
| CVE-2014-6106 | 1 Ibm | 1 Security Identity Manager | 2017-09-22 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in IBM Security Identity Manager 5.1, 6.0, and 7.0 allows remote attackers to hijack the authentication of users for requests that can cause cross-site scripting attacks, web cache poisoning, or other unspecified impacts via unknown vectors. | |||||
| CVE-2017-11350 | 1 Axesstel | 2 Mu553s, Mu553s Firmware | 2017-09-21 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) exists in cgi-bin/ConfigSet on Axesstel MU553S MU55XS-V1.14 devices. | |||||
| CVE-2016-8737 | 1 Apache | 1 Brooklyn | 2017-09-21 | 6.8 MEDIUM | 8.8 HIGH |
| In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker's commands as the user. There is known to be a proof-of-concept exploit using this vulnerability. | |||||
| CVE-2017-11567 | 1 Cesanta | 1 Mongoose Embedded Web Server Library | 2017-09-18 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Mongoose Web Server before 6.9 allows remote attackers to hijack the authentication of users for requests that modify Mongoose.conf via a request to __mg_admin?save. NOTE: this issue can be leveraged to execute arbitrary code remotely. | |||||
| CVE-2017-14267 | 1 Ee | 2 4gee Wifi Mbb, 4gee Wifi Mbb Firmware | 2017-09-15 | 6.8 MEDIUM | 8.8 HIGH |
| EE 4GEE WiFi MBB (before EE60_00_05.00_31) devices have CSRF, related to goform/AddNewProfile, goform/setWanDisconnect, goform/setSMSAutoRedirectSetting, goform/setReset, and goform/uploadBackupSettings. | |||||
| CVE-2015-4619 | 1 Denkgroot | 1 Spina | 2017-09-13 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Spina before commit bfe44f289e336f80b6593032679300c493735e75. | |||||
| CVE-2017-12838 | 1 Nexusphp Project | 1 Nexusphp | 2017-09-13 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in NexusPHP 1.5 allows remote attackers to hijack the authentication of users for requests that (1) send manas via a request to mybonus.php or (2) add administrators via unspecified vectors. | |||||
| CVE-2014-9565 | 1 Ibm | 4 En6131, En6131 Firmware, Ib6131 and 1 more | 2017-09-12 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in IBM Flex System EN6131 40Gb Ethernet and IB6131 40Gb Infiniband Switch firmware 3.4.0000 and earlier. | |||||
| CVE-2015-4697 | 1 Sumo | 1 Google Analyticator | 2017-09-11 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Google Analyticator Wordpress Plugin before 6.4.9.3 rev @1183563. | |||||
| CVE-2016-2539 | 1 Atutor | 1 Atutor | 2017-09-08 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to hijack the authentication of users for requests that upload arbitrary files and execute arbitrary PHP code via vectors involving a crafted zip file. | |||||
| CVE-2017-1097 | 1 Ibm | 1 Emptoris Strategic Supply Management | 2017-09-07 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Emptoris Strategic Supply Management Platform 10.0.0.x through 10.1.1.x is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 120657. | |||||
| CVE-2014-8900 | 1 Ibm | 1 Urbancode Deploy | 2017-09-03 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in IBM UrbanCode Release 6.0.1.6 and earlier, 6.1.0.7 and earlier, and 6.1.1.1 and earlier. | |||||
| CVE-2016-1607 | 1 Novell | 1 Filr | 2017-09-03 | 6.5 MEDIUM | 7.2 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the administrative interface in Novell Filr before 2.0 Security Update 2 allow remote attackers to hijack the authentication of administrators, as demonstrated by reconfiguring time settings via a vaconfig/time request. | |||||
| CVE-2016-3653 | 1 Symantec | 1 Endpoint Protection Manager | 2017-09-03 | 6.0 MEDIUM | 8.0 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in management scripts in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allow remote authenticated users to hijack the authentication of arbitrary users. | |||||
| CVE-2017-1442 | 1 Ibm | 1 Emptoris Services Procurement | 2017-09-02 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Emptoris Services Procurement 10.0.0.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 128107. | |||||
| CVE-2017-5473 | 1 Ntop | 1 Ntopng | 2017-09-02 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in ntopng through 2.4 allows remote attackers to hijack the authentication of arbitrary users, as demonstrated by admin/add_user.lua, admin/change_user_prefs.lua, admin/delete_user.lua, and admin/password_reset.lua. | |||||
| CVE-2017-14048 | 1 Blackcat-cms | 1 Blackcat Cms | 2017-09-01 | 6.5 MEDIUM | 8.8 HIGH |
| BlackCat CMS 1.2 allows remote authenticated users to inject arbitrary PHP code into info.php via a crafted new_modulename parameter to backend/addons/ajax_create.php. NOTE: this can be exploited via CSRF. | |||||
| CVE-2016-2082 | 1 Vmware | 1 Vrealize Log Insight | 2017-09-01 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in VMware vRealize Log Insight 2.x and 3.x before 3.3.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||||
| CVE-2016-1448 | 1 Cisco | 1 Webex Meetings Server | 2017-09-01 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Cisco WebEx Meetings Server 2.7 allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuy92706. | |||||
| CVE-2017-12703 | 1 Westermo | 8 Mrd-305-din, Mrd-305-din Firmware, Mrd-315-din and 5 more | 2017-08-29 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server. | |||||
| CVE-2017-12589 | 1 Tomaxcom | 4 R60g, R60g Firmware, R60gv2 and 1 more | 2017-08-26 | 6.8 MEDIUM | 8.8 HIGH |
| ToMAX R60G R60GV2-V2.0-v.2.6.3-170330 devices do not have any protection against a CSRF attack. | |||||
| CVE-2017-12853 | 1 Rtsindia | 2 Rwr-3g-100, Rwr-3g-100 Firmware | 2017-08-25 | 6.8 MEDIUM | 8.8 HIGH |
| The RealTime RWR-3G-100 Router Firmware Version : Ver1.0.56 is affected by CSRF an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. | |||||
| CVE-2017-6328 | 1 Symantec | 1 Message Gateway | 2017-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| The Symantec Messaging Gateway before 10.6.3-267 can encounter an issue of cross site request forgery (also known as one-click attack and is abbreviated as CSRF or XSRF), which is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. A CSRF attack attempts to exploit the trust that a specific website has in a user's browser. | |||||
| CVE-2017-12593 | 1 Asus | 2 Dsl-n10s Firmware, Dsl-n10s Router | 2017-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| ASUS DSL-N10S V2.1.16_APAC devices allow CSRF. | |||||
| CVE-2017-12881 | 1 Spring Batch Admin Project | 1 Spring Batch Admin | 2017-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the Spring Batch Admin before 1.3.0 allows remote attackers to hijack the authentication of unspecified victims and submit arbitrary requests, such as exploiting the file upload vulnerability. | |||||
| CVE-2015-5081 | 1 Django-cms | 1 Django Cms | 2017-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in django CMS before 3.0.14, 3.1.x before 3.1.1 allows remote attackers to manipulate privileged users into performing unknown actions via unspecified vectors. | |||||