Total: 904 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-19663 | 1 Maxum | 1 Rumpus | 2020-02-10 | 5.8 MEDIUM | 6.5 MEDIUM |
| A CSRF vulnerability exists in the Folder Sets Settings of Web File Manager in Rumpus FTP 8.2.9.1. This allows an attacker to Create/Delete Folders after exploiting it at RAPR/FolderSetsSet.html. | |||||
| CVE-2019-20401 | 1 Atlassian | 1 Jira | 2020-02-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery (CSRF) vulnerabilities. | |||||
| CVE-2020-8425 | 1 Cups Easy (Purchase & Inventory) Project | 1 Cups Easy (Purchase & Inventory) | 2020-02-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cups Easy (Purchase & Inventory) 1.0 is vulnerable to CSRF that leads to admin account deletion via userdelete.php. | |||||
| CVE-2020-7210 | 1 Umbraco | 1 Umbraco Cms | 2020-02-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user accounts. | |||||
| CVE-2020-8505 | 1 Arox | 1 School Management Software Php/mysql | 2020-02-05 | 4.3 MEDIUM | 6.5 MEDIUM |
| School Management Software PHP/mySQL through 2019-03-14 allows office_admin/?action=deleteadmin CSRF to delete a user. | |||||
| CVE-2020-8504 | 1 Arox | 1 School Management Software Php/mysql | 2020-02-05 | 4.3 MEDIUM | 6.5 MEDIUM |
| School Management Software PHP/mySQL through 2019-03-14 allows office_admin/?action=addadmin CSRF to add an administrative user. | |||||
| CVE-2013-4865 | 1 Micasaverde | 2 Veralite, Veralite Firmware | 2020-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in upgrade_step2.sh in MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to hijack the authentication of users for requests that install arbitrary firmware via the squashfs parameter. | |||||
| CVE-2014-2050 | 1 Owncloud | 1 Owncloud | 2020-01-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header. | |||||
| CVE-2020-5502 | 1 Phpbb | 1 Phpbb | 2020-01-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| phpBB 3.2.8 allows a CSRF attack that can approve pending group memberships. | |||||
| CVE-2020-5501 | 1 Phpbb | 1 Phpbb | 2020-01-23 | 4.3 MEDIUM | 4.3 MEDIUM |
| phpBB 3.2.8 allows a CSRF attack that can modify a group avatar. | |||||
| CVE-2014-9382 | 1 Free | 1 Freebox Os | 2020-01-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| Freebox OS Web interface 3.0.2 has CSRF, which can allow VPN user account creation. | |||||
| CVE-2018-18246 | 1 Icinga | 1 Icinga Web 2 | 2020-01-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module, or via /icingaweb2/config/moduleenable?name=setup to enable the setup module. | |||||
| CVE-2019-19833 | 1 Tautulli | 1 Tautulli | 2020-01-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| In Tautulli 2.1.9, CSRF in the /shutdown URI allows an attacker to shut down the remote media server. (Also, anonymous access can be achieved in applications that do not have a user login area). | |||||
| CVE-2019-16752 | 3 Dash, Officialdapscoin, Pivx | 3 Dash Core, Decentralized Anonymous Payment System, Private Instant Verified Transactions | 2020-01-15 | 4.3 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Decentralized Anonymous Payment System (DAPS) through 2019-08-26. It is possible to force wallets to send HTTP requests to arbitrary locations, both on the local network and on the internet. This is a serious threat to user privacy, since it can possibly leak their IP address and the fact that they are using the product. This also affects Dash Core through 0.14.0.3 and Private Instant Verified Transactions (PIVX) through 3.4.0. | |||||
| CVE-2014-5516 | 1 Konakart | 1 Konakart | 2020-01-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in the Storefront Application in DS Data Systems KonaKart before 7.3.0.0 allows remote attackers to hijack the authentication of administrators for requests that change a user email address via an unspecified GET request. | |||||
| CVE-2011-5250 | 1 Prophecyinternational | 1 Snare | 2020-01-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| Snare for Linux before 1.7.0 has CSRF in the web interface. | |||||
| CVE-2014-3590 | 1 Redhat | 1 Satellite | 2020-01-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| Versions of Foreman as shipped with Red Hat Satellite 6 do not check for a correct CSRF token in the logout action. Therefore, an attacker can log out a user by having them view specially crafted content. | |||||
| CVE-2019-20178 | 1 Peel | 1 Peel Shopping | 2020-01-14 | 5.8 MEDIUM | 6.5 MEDIUM |
| Advisto PEEL Shopping 9.2.1 has CSRF via administrer/utilisateurs.php to delete a user. | |||||
| CVE-2019-20077 | 1 Typesettercms | 1 Typesetter | 2020-01-09 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Typesetter CMS 5.1 logout functionality is affected by a CSRF vulnerability. The logout function of the admin panel is not protected by any CSRF tokens. An attacker can logout the user using this vulnerability. | |||||
| CVE-2013-0196 | 1 Redhat | 2 Enterprise Linux, Openshift | 2020-01-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| A CSRF issue was found in OpenShift Enterprise 1.2. The web console is using 'Basic authentication' and the REST API has no CSRF attack protection mechanism. This can allow an attacker to obtain the credential and the Authorization: header when requesting the REST API via web browser. | |||||
| CVE-2015-5595 | 1 Zenphoto | 1 Zenphoto | 2020-01-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in admin.php in Zenphoto before 1.4.9 allows remote attackers to hijack the authentication of admin users for requests that may cause a denial of service (resource consumption). | |||||
| CVE-2013-4665 | 1 Spbas | 1 Business Automation Software | 2020-01-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| SPBAS Business Automation Software 2012 has CSRF. | |||||
| CVE-2019-4231 | 1 Ibm | 1 Cognos Analytics | 2020-01-03 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 159356. | |||||
| CVE-2019-20071 | 1 Netis-systems | 2 Dl4343, Dl4343 Firmware | 2020-01-02 | 5.8 MEDIUM | 6.5 MEDIUM |
| On Netis DL4323 devices, CSRF exists via form2logaction.cgi to delete all logs. | |||||
| CVE-2019-16569 | 1 Jenkins | 1 Mantis | 2019-12-31 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Mantis Plugin 0.26 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials. | |||||
| CVE-2017-18107 | 1 Atlassian | 1 Crowd | 2019-12-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| Various resources in the Crowd Demo application of Atlassian Crowd before version 3.1.1 allow remote attackers to add, modify and delete users & groups via a Cross-site request forgery (CSRF) vulnerability. Please be aware that the Demo application is not enabled by default. | |||||
| CVE-2019-4736 | 1 Ibm | 1 Financial Transaction Manager For Multiplatform | 2019-12-23 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM Financial Transaction Manager 3.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 172706. | |||||
| CVE-2019-4095 | 1 Ibm | 1 Cloud Pak System | 2019-12-13 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158015. | |||||
| CVE-2014-0026 | 1 Redhat | 1 Subscription Asset Manager | 2019-12-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| katello-headpin is vulnerable to CSRF in the REST API. | |||||
| CVE-2019-19516 | 1 Intelbras | 2 Wrn 150, Wrn 150 Firmware | 2019-12-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| Intelbras WRN 150 1.0.18 devices allow CSRF via GO=system_password.asp to the goform/SysToolChangePwd URI to change a password. | |||||
| CVE-2011-3609 | 1 Redhat | 1 Jboss Application Server | 2019-12-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| A CSRF issue was found in JBoss Application Server 7 before 7.1.0. JBoss did not properly restrict access to the management console information (for example via the "Access-Control-Allow-Origin" HTTP access control flag). This can lead to unauthorized information leak if a user with admin privileges visits a specially-crafted web page provided by a remote attacker. | |||||
| CVE-2019-16002 | 1 Cisco | 1 Sd-wan Firmware | 2019-12-06 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the vManage web-based UI (web UI) of the Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected instance of vManage. An attacker could exploit this vulnerability by persuading a user to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. | |||||
| CVE-2019-18651 | 1 3xlogic | 2 Infinias Access Control, Infinias Access Control Firmware | 2019-11-20 | 5.8 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in 3xLogic Infinias Access Control through 6.6.9586.0 allows remote attackers to execute malicious and unauthorized actions (e.g., delete application users) by sending a crafted HTML document or encoded URL to a user that the website trusts. The user needs to have an active privileged session. | |||||
| CVE-2013-3516 | 1 Netgear | 4 Wnr3500l, Wnr3500l Firmware, Wnr3500u and 1 more | 2019-11-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| NETGEAR WNR3500U and WNR3500L routers use form tokens based solely on the router's current date and time, which allows attackers to guess the CSRF tokens. | |||||
| CVE-2012-4385 | 2 Debian, Trilexnet | 2 Debian Linux, Letodms | 2019-11-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| letodms 3.3.6 has CSRF via change password. | |||||
| CVE-2014-3655 | 1 Redhat | 2 Jboss Enterprise Web Server, Keycloak | 2019-11-14 | 4.3 MEDIUM | 4.3 MEDIUM |
| JBoss KeyCloak is vulnerable to soft token deletion via CSRF. | |||||
| CVE-2013-6275 | 2 Debian, Horde | 2 Debian Linux, Groupware | 2019-11-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| Multiple CSRF issues in Horde Groupware Webmail Edition 5.1.2 and earlier in basic.php. | |||||
| CVE-2019-13497 | 1 Oneidentity | 1 Cloud Access Manager | 2019-11-05 | 4.3 MEDIUM | 6.5 MEDIUM |
| One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows CSRF for logout requests. | |||||
| CVE-2019-9597 | 1 Darktrace | 1 Enterprise Immune System | 2019-10-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| Darktrace Enterprise Immune System before 3.1 allows CSRF via the /config endpoint. | |||||
| CVE-2019-9596 | 1 Darktrace | 1 Enterprise Immune System | 2019-10-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| Darktrace Enterprise Immune System before 3.1 allows CSRF via the /whitelisteddomains endpoint. | |||||
| CVE-2019-8234 | 1 Adobe | 1 Experience Manager | 2019-10-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| Adobe Experience Manager versions 6.4, 6.3 and 6.2 have a cross-site request forgery vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2019-10441 | 1 Jenkins | 1 Icescrum | 2019-10-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2019-10454 | 1 Jenkins | 1 Rundeck | 2019-10-18 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Rundeck Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2019-10456 | 1 Jenkins | 1 Oracle Cloud Infrastructure Compute Classic | 2019-10-18 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2019-17521 | 1 Landing-cms Project | 1 Landing-cms | 2019-10-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Landing-CMS 0.0.6. There is a CSRF vulnerability that can change the admin's password via the password/ URI. | |||||
| CVE-2019-17369 | 1 Otcms | 1 Otcms | 2019-10-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| OTCMS v3.85 has CSRF in the admin/member_deal.php Admin Panel page, leading to creation of a new management group account, as demonstrated by superadmin. | |||||
| CVE-2019-4167 | 1 Ibm | 1 Storediq | 2019-10-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| IBM StoredIQ 7.6.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158700. | |||||
| CVE-2019-4515 | 1 Ibm | 1 Security Key Lifecycle Manager | 2019-10-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| IBM Security Key Lifecycle Manager 3.0 and 3.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 165137. | |||||
| CVE-2019-1915 | 1 Cisco | 3 Unified Communications Manager, Unified Communications Manager Im And Presence Service, Unity Connection | 2019-10-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the web-based interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition (SME), Cisco Unified Communications Manager IM and Presence (Unified CM IM&P) Service, and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections by the affected software. An attacker could exploit this vulnerability by persuading a targeted user to click a malicious link. A successful exploit could allow the attacker to send arbitrary requests that could change the password of a targeted user. An attacker could then take unauthorized actions on behalf of the targeted user. | |||||
| CVE-2019-1722 | 1 Cisco | 2 Expressway Series, Telepresence Video Communication Server | 2019-10-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the FindMe feature of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. The arbitrary actions include adding an attacker-controlled device and redirecting calls intended for a specific user. For more information about CSRF attacks and potential mitigations, see Understanding Cross-Site Request Forgery Threat Vectors. This vulnerability is fixed in software version X12.5.1 and later. | |||||
