Total: 904 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2016-10938 | 1 Copy-me Project | 1 Copy-me | 2019-09-13 | 4.3 MEDIUM | 6.5 MEDIUM | The copy-me plugin 1.0.0 for WordPress has CSRF for copying non-public posts to a public location. |
| CVE-2019-10253 | 1 Teammatesolutions | 1 Teammate+ | 2019-09-10 | 4.3 MEDIUM | 6.5 MEDIUM | A Cross-Site Request Forgery (CSRF) vulnerability exists in TeamMate+ 21.0.0.0 that allows a remote attacker to modify application data (upload malicious/forged files on a TeamMate server, or replace existing uploaded files with malicious/forged files). The specific flaw exists within the handling of Upload/DomainObjectDocumentUpload.ashx requests because of failure to validate a CSRF token before handling a POST request. |
| CVE-2019-15128 | 1 If.svnadmin Project | 1 If.svnadmin | 2019-09-09 | 4.3 MEDIUM | 6.5 MEDIUM | iF.SVNAdmin through 1.6.2 allows svnadmin/usercreate.php CSRF to create a user. |
| CVE-2019-14999 | 1 Atlassian | 1 Universal Plugin Manager | 2019-08-30 | 4.3 MEDIUM | 4.3 MEDIUM | The Uninstall REST endpoint in Atlassian Universal Plugin Manager before version 2.22.19, from version 3.0.0 before version 3.0.3 and from version 4.0.0 before version 4.0.3 allows remote attackers to uninstall plugins using a Cross-Site Request Forgery (CSRF) vulnerability on an authenticated administrator. |
| CVE-2019-15515 | 1 Discourse | 1 Discourse | 2019-08-29 | 4.3 MEDIUM | 6.5 MEDIUM | Discourse 2.3.2 sends the CSRF token in the query string. |
| CVE-2019-8447 | 1 Atlassian | 1 Jira | 2019-08-29 | 4.3 MEDIUM | 4.3 MEDIUM | The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery (CSRF) vulnerability. |
| CVE-2019-10057 | 1 Lexmark | 50 Cs31x, Cs31x Firmware, Cs41x and 47 more | 2019-08-29 | 4.3 MEDIUM | 6.5 MEDIUM | Various Lexmark products have CSRF. |
| CVE-2014-10382 | 1 Pippinsplugins | 1 Featured Comments | 2019-08-29 | 4.3 MEDIUM | 4.3 MEDIUM | The feature-comments plugin before 1.2.5 for WordPress has CSRF for featuring or burying a comment. |
| CVE-2019-11587 | 1 Atlassian | 1 Jira | 2019-08-27 | 4.3 MEDIUM | 6.5 MEDIUM | Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF). |
| CVE-2019-11586 | 1 Atlassian | 1 Jira | 2019-08-27 | 4.3 MEDIUM | 4.3 MEDIUM | The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability. |
| CVE-2019-11588 | 1 Atlassian | 1 Jira | 2019-08-27 | 4.3 MEDIUM | 4.3 MEDIUM | The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability. |
| CVE-2019-14682 | 1 Acf\ | 1 Better Search Project | 2019-08-22 | 4.3 MEDIUM | 4.3 MEDIUM | The acf-better-search (aka ACF: Better Search) plugin before 3.3.1 for WordPress allows wp-admin/options-general.php?page=acfbs_admin_page CSRF. |
| CVE-2015-9332 | 1 Wordpress Uninstall Project | 1 Wordpress Uninstall | 2019-08-22 | 5.8 MEDIUM | 6.5 MEDIUM | The uninstall plugin before 1.2 for WordPress has CSRF to delete all tables via the wp-admin/admin-ajax.php?action=uninstall URI. |
| CVE-2019-14683 | 1 Codection | 1 Import Users From Csv With Meta | 2019-08-22 | 4.9 MEDIUM | 5.7 MEDIUM | The codection "Import users from CSV with meta" plugin before 1.14.2.2 for WordPress allows wp-admin/admin-ajax.php?action=acui_delete_attachment CSRF. |
| CVE-2019-14680 | 1 Mijnpress | 1 Admin-renamer-extended | 2019-08-21 | 3.5 LOW | 5.7 MEDIUM | The admin-renamer-extended (aka Admin renamer extended) plugin 3.2.1 for WordPress allows wp-admin/plugins.php?page=admin-renamer-extended/admin.php CSRF. |
| CVE-2016-10883 | 1 Mijnpress | 1 Simple Add Pages Or Posts | 2019-08-20 | 5.8 MEDIUM | 6.5 MEDIUM | The simple-add-pages-or-posts plugin before 1.7 for WordPress has CSRF for deleting users. |
| CVE-2019-14679 | 1 Reputeinfosystems | 1 Arprice Lite | 2019-08-19 | 4.3 MEDIUM | 6.5 MEDIUM | core/views/arprice_import_export.php in the ARPrice Lite plugin 2.2 for WordPress allows wp-admin/admin.php?page=arplite_import_export CSRF. |
| CVE-2017-18485 | 1 Elementalpath | 2 Cognitoys Dino, Cognitoys Dino Firmware | 2019-08-15 | 5.8 MEDIUM | 5.4 MEDIUM | Cognitoys Dino devices allow profiles_add.html CSRF. |
| CVE-2016-10865 | 1 23systems | 1 Lightbox Plus Colorbox | 2019-08-15 | 4.3 MEDIUM | 6.1 MEDIUM | The Lightbox Plus Colorbox plugin through 2.7.2 for WordPress has cross-site request forgery (CSRF) via wp-admin/admin.php?page=lightboxplus, as demonstrated by resultant width XSS. |
| CVE-2019-7947 | 1 Magento | 1 Magento | 2019-08-09 | 4.3 MEDIUM | 6.5 MEDIUM | A cross-site request forgery vulnerability exists in the GiftCardAccount removal feature for Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. |
| CVE-2019-7874 | 1 Magento | 1 Magento | 2019-08-07 | 4.3 MEDIUM | 6.5 MEDIUM | A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of user roles. |
| CVE-2019-7873 | 1 Magento | 1 Magento | 2019-08-07 | 5.8 MEDIUM | 4.3 MEDIUM | A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of the store design schedule. |
| CVE-2019-7851 | 1 Magento | 1 Magento | 2019-08-06 | 5.8 MEDIUM | 6.5 MEDIUM | A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unintended data deletion from customer pages. |
| CVE-2019-7857 | 1 Magento | 1 Magento | 2019-08-06 | 4.3 MEDIUM | 4.3 MEDIUM | A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can cause unwanted items to be added to a shopper's cart due to an insufficiently robust anti-CSRF token implementation. |
| CVE-2019-14327 | 1 Custom Simple Rss Project | 1 Custom Simple Rss | 2019-07-31 | 4.3 MEDIUM | 6.5 MEDIUM | A CSRF vulnerability in Settings form in the Custom Simple Rss plugin 2.0.6 for WordPress allows attackers to change the plugin settings. |
| CVE-2019-7953 | 1 Adobe | 1 Experience Manager | 2019-07-19 | 4.3 MEDIUM | 6.5 MEDIUM | Adobe Experience Manager version 6.4 and earlier have a Cross-Site Request Forgery vulnerability. Successful exploitation could lead to Sensitive Information disclosure in the context of the current user. |
| CVE-2019-12923 | 1 Mailenable | 1 Mailenable | 2019-07-16 | 4.3 MEDIUM | 6.5 MEDIUM | In MailEnable Enterprise Premium 10.23, the potential cross-site request forgery (CSRF) protection mechanism was not implemented correctly and it was possible to bypass it by removing the anti-CSRF token parameter from the request. This could allow an attacker to manipulate a user into unwittingly performing actions within the application (such as sending email, adding contacts, or changing settings) on behalf of the attacker. |
| CVE-2019-0996 | 1 Microsoft | 1 Azure Devops Server | 2019-07-16 | 4.3 MEDIUM | 6.5 MEDIUM | A spoofing vulnerability exists in Azure DevOps Server when it improperly handles requests to authorize applications, resulting in a cross-site request forgery, aka 'Azure DevOps Server Spoofing Vulnerability'. |
| CVE-2018-13810 | 1 Siemens | 4 Cp 1604, Cp 1604 Firmware, Cp 1616 and 1 more | 2019-07-11 | 4.3 MEDIUM | 6.5 MEDIUM | A vulnerability has been identified in CP 1604 (All versions), CP 1616 (All versions). The integrated configuration web server of the affected CP devices could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires user interaction by a legitimate user. A successful attack could allow an attacker to trigger actions via the web interface that the legitimate user is allowed to perform. At the time of advisory publication no public exploitation of this vulnerability was known. |
| CVE-2019-12616 | 1 Phpmyadmin | 1 Phpmyadmin | 2019-06-14 | 4.3 MEDIUM | 6.5 MEDIUM | An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim. |
| CVE-2019-10331 | 1 Jenkins | 1 Electricflow | 2019-06-13 | 4.3 MEDIUM | 4.3 MEDIUM | A cross-site request forgery vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed attackers to connect to an attacker-specified URL using attacker-specified credentials. |
| CVE-2019-11517 | 1 Wampserver | 1 Wampserver | 2019-06-11 | 5.8 MEDIUM | 6.5 MEDIUM | WampServer before 3.1.9 has CSRF in add_vhost.php because the synchronizer pattern implemented as remediation of CVE-2018-8817 was incomplete. An attacker could add/delete any vhosts without the consent of the owner. |
| CVE-2019-10321 | 1 Jfrog | 1 Artifactory | 2019-06-05 | 4.3 MEDIUM | 4.3 MEDIUM | A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ArtifactoryBuilder.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2019-10324 | 1 Jfrog | 1 Artifactory | 2019-06-03 | 4.3 MEDIUM | 6.5 MEDIUM | A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ReleaseAction#doSubmit, GradleReleaseApiAction#doStaging, MavenReleaseApiAction#doStaging, and UnifiedPromoteBuildAction#doSubmit allowed attackers to schedule a release build, perform release staging for Gradle and Maven projects, and promote previously staged builds, respectively. |
| CVE-2019-10326 | 1 Jenkins | 1 Warnings Next Generation | 2019-06-03 | 4.3 MEDIUM | 4.3 MEDIUM | A cross-site request forgery vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attackers to reset warning counts for future builds. |
| CVE-2018-19613 | 1 Westermo | 6 Dr-250, Dr-250 Firmware, Dr-260 and 3 more | 2019-05-28 | 4.3 MEDIUM | 6.5 MEDIUM | Westermo DR-250 Pre-5162 and DR-260 Pre-5162 routers allow CSRF. |
| CVE-2019-12253 | 1 Mylittleforum | 1 My Little Forum | 2019-05-21 | 5.8 MEDIUM | 6.5 MEDIUM | my little forum before 2.4.20 allows CSRF to delete posts, as demonstrated by mode=posting&delete_posting. |
| CVE-2018-14711 | 1 Asus | 2 Rt-ac3200, Rt-ac3200 Firmware | 2019-05-14 | 4.3 MEDIUM | 6.5 MEDIUM | Missing cross-site request forgery protection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to cause state-changing actions with specially crafted URLs. |
| CVE-2017-14956 | 1 Alienvault | 1 Unified Security Management | 2019-05-13 | 3.5 LOW | 5.7 MEDIUM | AlienVault USM v5.4.2 and earlier offers authenticated users the functionality of exporting generated reports via the "/ossim/report/wizard_email.php" script. Besides offering an export via a local download, the script also offers the possibility to send out any report via email to a given address (either in PDF or XLS format). Since there is no anti-CSRF token protecting this functionality, it is vulnerable to Cross-Site Request Forgery attacks. |
| CVE-2017-12790 | 1 Metinfo | 1 Metinfo | 2019-05-09 | 4.3 MEDIUM | 6.5 MEDIUM | Metinfo 5.3.18 is affected by: Cross Site Request Forgery (CSRF). The impact is: Information Disclosure (remote). The component is: admin/index.php. The attack vector is: The administrator clicks on the malicious link in the login state. |
| CVE-2019-10307 | 1 Jenkins | 1 Static Analysis Utilities | 2019-05-06 | 4.3 MEDIUM | 6.5 MEDIUM | A cross-site request forgery vulnerability in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers to change the per-job default graph configuration for all users. |
| CVE-2019-11375 | 1 Meisivod | 1 Msvod | 2019-04-26 | 4.3 MEDIUM | 6.5 MEDIUM | Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI. |
| CVE-2019-1003010 | 2 Jenkins, Redhat | 2 Git, Openshift Container Platform | 2019-04-26 | 4.3 MEDIUM | 4.3 MEDIUM | A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record. |
| CVE-2018-17168 | 1 Printeron | 1 Printeron | 2019-04-19 | 4.3 MEDIUM | 6.5 MEDIUM | PrinterOn Enterprise 4.1.4 contains multiple Cross Site Request Forgery (CSRF) vulnerabilities in the Administration page. For example, an administrator, by following a link, can be tricked into making unwanted changes to a printer (Disable, Approve, etc). |
| CVE-2019-9176 | 1 Gitlab | 1 Gitlab | 2019-04-17 | 5.8 MEDIUM | 6.5 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows CSRF. |
| CVE-2018-19291 | 1 Dilicms | 1 Dilicms | 2019-04-16 | 5.8 MEDIUM | 6.5 MEDIUM | An issue was discovered in DiliCMS 2.4.0. There is a CSRF vulnerability that can delete a user or group via an admin/index.php/user/del/1 or admin/index.php/role/del/2 URI. |
| CVE-2019-6607 | 1 F5 | 1 Big-ip Application Security Manager | 2019-04-05 | 6.0 MEDIUM | 6.8 MEDIUM | On BIG-IP ASM 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3, 13.0.0-13.1.1.3, and 14.0.0-14.0.0.2, there is a stored cross-site scripting vulnerability in an ASM violation viewed in the Configuration utility. In the worst case, an attacker can store a CSRF which results in code execution as the admin user. |
| CVE-2019-7440 | 1 Jio | 2 Jiofi 4g M2s, Jiofi 4g M2s Firmware | 2019-04-02 | 4.3 MEDIUM | 6.5 MEDIUM | JioFi 4G M2S 1.0.2 devices have CSRF via the SSID name and Security Key field under Edit Wi-Fi Settings (aka a SetWiFi_Setting request to cgi-bin/qcmap_web_cgi). |
| CVE-2018-17996 | 1 Layerbb | 1 Layerbb | 2019-03-22 | 5.8 MEDIUM | 6.5 MEDIUM | LayerBB before 1.1.3 allows CSRF for adding a user via admin/new_user.php, deleting a user via admin/members.php/delete_user/, and deleting content via mod/delete.php/. |
| CVE-2017-6819 | 1 Wordpress | 1 Wordpress | 2019-03-19 | 4.3 MEDIUM | 6.5 MEDIUM | In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This. |
