Total: 3999 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-8504 | 1 Arox | 1 School Management Software Php/mysql | 2020-02-05 | 4.3 MEDIUM | 6.5 MEDIUM |
| School Management Software PHP/mySQL through 2019-03-14 allows office_admin/?action=addadmin CSRF to add an administrative user. | |||||
| CVE-2019-3864 | 1 Redhat | 1 Quay | 2020-02-05 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability was discovered in all quay-2 versions before quay-3.0.0, in the Quay web GUI where POST requests include a specific parameter which is used as a CSRF token. The token is not refreshed for every request or when a user logged out and in again. An attacker could use a leaked token to gain access to the system using the user's account. | |||||
| CVE-2013-7053 | 1 D-link | 2 Dir-100, Dir-100 Firmware | 2020-02-04 | 6.8 MEDIUM | 8.8 HIGH |
| D-Link DIR-100 4.03B07: cli.cgi CSRF | |||||
| CVE-2013-4865 | 1 Micasaverde | 2 Veralite, Veralite Firmware | 2020-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in upgrade_step2.sh in MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to hijack the authentication of users for requests that install arbitrary firmware via the squashfs parameter. | |||||
| CVE-2013-4240 | 1 Hitmyserver | 1 Hms Testimonials | 2020-02-03 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the HMS Testimonials plugin before 2.0.11 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add new testimonials via the hms-testimonials-addnew page, (2) add new groups via the hms-testimonials-addnewgroup page, (3) change default settings via the hms-testimonials-settings page, (4) change advanced settings via the hms-testimonials-settings-advanced page, (5) change custom fields settings via the hms-testimonials-settings-fields page, or (6) change template settings via the hms-testimonials-templates-new page to wp-admin/admin.php. | |||||
| CVE-2020-7965 | 1 Webargs Project | 1 Webargs | 2020-02-03 | 6.8 MEDIUM | 8.8 HIGH |
| flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF. | |||||
| CVE-2015-5483 | 1 Private Only Project | 1 Private Only | 2020-01-31 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Private Only plugin 3.5.1 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add users, (2) delete posts, or (3) modify PHP files via unspecified vectors, or (4) conduct cross-site scripting (XSS) attacks via the po_logo parameter in the privateonly.php page to wp-admin/options-general.php. | |||||
| CVE-2013-3093 | 1 Asus | 14 Dsl-n55u, Dsl-n55u Firmware, Rt-ac66u and 11 more | 2020-01-31 | 9.3 HIGH | 8.8 HIGH |
| ASUS RT-N56U devices allow CSRF. | |||||
| CVE-2014-5280 | 1 Boot2docker | 1 Boot2docker | 2020-01-30 | 9.3 HIGH | 8.8 HIGH |
| boot2docker 1.2 and earlier allows attackers to conduct cross-site request forgery (CSRF) attacks by leveraging Docker daemons enabling TCP connections without TLS authentication. | |||||
| CVE-2014-2050 | 1 Owncloud | 1 Owncloud | 2020-01-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header. | |||||
| CVE-2018-12415 | 1 Tibco | 1 Enterprise Message Service | 2020-01-29 | 6.8 MEDIUM | 8.8 HIGH |
| The Central Administration server (emsca) component of TIBCO Software Inc.'s TIBCO Enterprise Message Service, TIBCO Enterprise Message Service - Community Edition, and TIBCO Enterprise Message Service - Developer Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Enterprise Message Service: versions 8.4.0 and below, TIBCO Enterprise Message Service - Community Edition: versions 8.4.0 and below, and TIBCO Enterprise Message Service - Developer Edition: versions 8.4.0 and below. | |||||
| CVE-2020-7991 | 1 Adive | 1 Framework | 2020-01-28 | 6.8 MEDIUM | 8.8 HIGH |
| Adive Framework 2.0.8 has admin/config CSRF to change the Administrator password. | |||||
| CVE-2012-2713 | 2 Browserid Project, Drupal | 2 Browserid, Drupal | 2020-01-27 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the BrowserID (Mozilla Persona) module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that login a user to another web site. | |||||
| CVE-2011-3582 | 1 Anelectron | 1 Advanced Electron Forums | 2020-01-27 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-site Request Forgery (CSRF) vulnerability exists in Advanced Electron Forums (AEF) through 1.0.9 due to inadequate confirmation for sensitive transactions in the administrator functions. | |||||
| CVE-2011-3612 | 1 Usebb | 1 Usebb | 2020-01-24 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability exists in panel.php in UseBB before 1.0.12. | |||||
| CVE-2019-16513 | 1 Connectwise | 1 Control | 2020-01-24 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. CSRF can be used to send API requests. | |||||
| CVE-2019-18271 | 1 Osisoft | 1 Pi Vision | 2020-01-23 | 6.8 MEDIUM | 8.8 HIGH |
| OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to a cross-site request forgery that may be introduced on the PI Vision administration site. | |||||
| CVE-2016-4879 | 1 Basercms | 2 Basercms, Mail | 2020-01-23 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2020-5502 | 1 Phpbb | 1 Phpbb | 2020-01-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| phpBB 3.2.8 allows a CSRF attack that can approve pending group memberships. | |||||
| CVE-2020-5501 | 1 Phpbb | 1 Phpbb | 2020-01-23 | 4.3 MEDIUM | 4.3 MEDIUM |
| phpBB 3.2.8 allows a CSRF attack that can modify a group avatar. | |||||
| CVE-2014-9382 | 1 Free | 1 Freebox Os | 2020-01-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| Freebox OS Web interface 3.0.2 has CSRF which can allow VPN user account creation. | |||||
| CVE-2020-2098 | 1 Jenkins | 1 Sounds | 2020-01-22 | 9.3 HIGH | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins Sounds Plugin 0.5 and earlier allows attacker to execute arbitrary OS commands as the OS user account running Jenkins. | |||||
| CVE-2020-2093 | 1 Jenkins | 1 Health Advisor By Cloudbees | 2020-01-22 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers to send an email with fixed content to an attacker-specified recipient. | |||||
| CVE-2019-6320 | 1 Hp | 16 Deskjet 3630 F5s43a, Deskjet 3630 F5s43a Firmware, Deskjet 3630 F5s57a and 13 more | 2020-01-22 | 5.8 MEDIUM | 8.1 HIGH |
| Certain HP DeskJet 3630 All-in-One Printers models F5S43A - F5S57A, K4T93A - K4T99C, K4U00B - K4U03B, and V3F21A - V3F22A (firmware version SWP1FN1912BR or higher) have a Cross-Site Request Forgery (CSRF) vulnerability that could lead to a denial of service (DOS) or device misconfiguration. | |||||
| CVE-2019-6319 | 1 Hp | 16 Deskjet 3630 F5s43a, Deskjet 3630 F5s43a Firmware, Deskjet 3630 F5s57a and 13 more | 2020-01-22 | 5.8 MEDIUM | 8.1 HIGH |
| HP DeskJet 3630 All-in-One Printers models F5S43A - F5S57A, K4T93A - K4T99C, K4U00B - K4U03B, and V3F21A - V3F22A (firmware version SWP1FN1912BR or higher) have a Cross-Site Request Forgery (CSRF) vulnerability that could lead to a denial of service (DOS) or device misconfiguration. | |||||
| CVE-2019-19854 | 1 Serpico Project | 1 Serpico | 2020-01-17 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. It does not use CSRF Tokens to mitigate against CSRF; it uses the Origin header (which must match the request origin). This is problematic in conjunction with XSS: one can escalate privileges from User level to Administrator. | |||||
| CVE-2020-2090 | 1 Jenkins | 1 Amazon Ec2 | 2020-01-17 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method. | |||||
| CVE-2011-2934 | 1 Websitebaker | 1 Websitebaker | 2020-01-17 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross Site Request Forgery (CSRF) vulnerability exists in the administrator functions in WebsiteBaker 2.8.1 and earlier due to inadequate confirmation for sensitive transactions. | |||||
| CVE-2018-6504 | 1 Microfocus | 1 Arcsight Management Center | 2020-01-17 | 6.8 MEDIUM | 8.8 HIGH |
| A potential Cross-Site Request Forgery (CSRF) vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be exploited to allow for Cross-Site Request Forgery (CSRF). | |||||
| CVE-2018-18246 | 1 Icinga | 1 Icinga Web 2 | 2020-01-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module, or via /icingaweb2/config/moduleenable?name=setup to enable the setup module. | |||||
| CVE-2019-19833 | 1 Tautulli | 1 Tautulli | 2020-01-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| In Tautulli 2.1.9, CSRF in the /shutdown URI allows an attacker to shut down the remote media server. (Also, anonymous access can be achieved in applications that do not have a user login area). | |||||
| CVE-2019-16752 | 3 Dash, Officialdapscoin, Pivx | 3 Dash Core, Decentralized Anonymous Payment System, Private Instant Verified Transactions | 2020-01-15 | 4.3 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Decentralized Anonymous Payment System (DAPS) through 2019-08-26. It is possible to force wallets to send HTTP requests to arbitrary locations, both on the local network and on the internet. This is a serious threat to user privacy, since it can possibly leak their IP address and the fact that they are using the product. This also affects Dash Core through 0.14.0.3 and Private Instant Verified Transactions (PIVX) through 3.4.0. | |||||
| CVE-2014-5516 | 1 Konakart | 1 Konakart | 2020-01-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in the Storefront Application in DS Data Systems KonaKart before 7.3.0.0 allows remote attackers to hijack the authentication of administrators for requests that change a user email address via an unspecified GET request. | |||||
| CVE-2011-5250 | 1 Prophecyinternational | 1 Snare | 2020-01-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| Snare for Linux before 1.7.0 has CSRF in the web interface. | |||||
| CVE-2019-19995 | 1 Intelbras | 2 Iwr 3000n, Iwr 3000n Firmware | 2020-01-15 | 9.3 HIGH | 8.8 HIGH |
| A CSRF issue was discovered on Intelbras IWR 3000N 1.8.7 devices, leading to complete control of the router, as demonstrated by v1/system/user. | |||||
| CVE-2014-3590 | 1 Redhat | 1 Satellite | 2020-01-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| Versions of Foreman as shipped with Red Hat Satellite 6 do not check for a correct CSRF token in the logout action. Therefore, an attacker can log out a user by having them view specially crafted content. | |||||
| CVE-2019-20178 | 1 Peel | 1 Peel Shopping | 2020-01-14 | 5.8 MEDIUM | 6.5 MEDIUM |
| Advisto PEEL Shopping 9.2.1 has CSRF via administrer/utilisateurs.php to delete a user. | |||||
| CVE-2020-6167 | 1 Webfactoryltd | 1 Minimal Coming Soon & Maintenance Mode | 2020-01-10 | 6.8 MEDIUM | 8.8 HIGH |
| A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.10, allows a CSRF attack to enable maintenance mode, inject XSS, modify several important settings, or include remote files as a logo. | |||||
| CVE-2019-20077 | 1 Typesettercms | 1 Typesetter | 2020-01-09 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Typesetter CMS 5.1 logout functionality is affected by a CSRF vulnerability. The logout function of the admin panel is not protected by any CSRF tokens. An attacker can logout the user using this vulnerability. | |||||
| CVE-2013-0196 | 1 Redhat | 2 Enterprise Linux, Openshift | 2020-01-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| A CSRF issue was found in OpenShift Enterprise 1.2. The web console is using 'Basic authentication' and the REST API has no CSRF attack protection mechanism. This can allow an attacker to obtain the credential and the Authorization: header when requesting the REST API via web browser. | |||||
| CVE-2019-16326 | 1 Dlink | 2 Dir-601, Dir-601 Firmware | 2020-01-08 | 6.8 MEDIUM | 8.8 HIGH |
| D-Link DIR-601 B1 2.00NA devices have CSRF because no anti-CSRF token is implemented. A remote attacker could exploit this in conjunction with CVE-2019-16327 to enable remote router management and device compromise. NOTE: this is an end-of-life product. | |||||
| CVE-2019-19737 | 1 Mfscripts | 1 Yetishare | 2020-01-07 | 6.8 MEDIUM | 8.8 HIGH |
| MFScripts YetiShare 3.5.2 through 4.5.3 does not set the SameSite flag on session cookies, allowing the cookie to be sent in cross-site requests and potentially be used in cross-site request forgery attacks. | |||||
| CVE-2016-10766 | 1 Edx | 1 Edx-platform | 2020-01-07 | 6.8 MEDIUM | 8.8 HIGH |
| edx-platform before 2016-06-06 allows CSRF. | |||||
| CVE-2015-5595 | 1 Zenphoto | 1 Zenphoto | 2020-01-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in admin.php in Zenphoto before 1.4.9 allows remote attackers to hijack the authentication of admin users for requests that may cause a denial of service (resource consumption). | |||||
| CVE-2014-3136 | 1 Dlink | 2 Dwr-113, Dwr-113 Firmware | 2020-01-07 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in D-Link DWR-113 (Rev. Ax) with firmware before 2.03b02 allows remote attackers to hijack the authentication of administrators for requests that change the admin password via unspecified vectors. | |||||
| CVE-2013-3935 | 1 Opsview | 2 Opsview, Opsview Core | 2020-01-07 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Opsview before 4.4.1 and Opsview Core before 20130522 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via unspecified vectors. | |||||
| CVE-2019-6027 | 1 Wpspellcheck | 1 Wpspellcheck | 2020-01-06 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in WP Spell Check 7.1.9 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2013-4665 | 1 Spbas | 1 Business Automation Software | 2020-01-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| SPBAS Business Automation Software 2012 has CSRF. | |||||
| CVE-2019-16553 | 1 Jenkins | 1 Build Failure Analyzer | 2020-01-03 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier allows attackers to have Jenkins evaluate a computationally expensive regular expression. | |||||
| CVE-2019-16551 | 1 Jenkins | 1 Gerrit Trigger | 2020-01-03 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials. | |||||
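The CVE-2019-3864 entry (Quay) describes a CSRF token that was not refreshed per request or across a logout and a new login, so a token captured once stayed valid. The Python below is an added example, not Quay code: a store that issues a fresh token per session and retires it on logout, next to a store that derives the token from the account so it survives re-login. The class and method names are the example's own.

```python
import hmac
import secrets


class RotatingTokenStore:
    """Per-session CSRF tokens: a new token on every login, gone on logout.
    In-memory store constructed for this example (hypothetical API)."""

    def __init__(self):
        self._sessions = {}  # session id -> (user, csrf token)

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, secrets.token_urlsafe(32))
        return sid

    def logout(self, sid):
        # Destroying the session also retires its token.
        self._sessions.pop(sid, None)

    def csrf_token(self, sid):
        entry = self._sessions.get(sid)
        return entry[1] if entry else None

    def verify(self, sid, presented):
        expected = self.csrf_token(sid)
        if expected is None or presented is None:
            return False
        # Constant-time comparison; never compare secrets with ==.
        return hmac.compare_digest(expected, presented)


class StaticTokenStore(RotatingTokenStore):
    """The flawed pattern: the token is a stable function of the account, so it
    is identical in every session and a leaked copy keeps working."""

    def __init__(self, server_secret):
        super().__init__()
        self._key = server_secret

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        token = hmac.new(self._key, user.encode(), "sha256").hexdigest()
        self._sessions[sid] = (user, token)
        return sid


def leaked_token_replay(store, user="alice"):
    """Scenario: a token leaks from one session. Is it still accepted after the
    user logs out and logs in again? True means the replay succeeds."""
    first = store.login(user)
    leaked = store.csrf_token(first)
    store.logout(first)
    second = store.login(user)
    return store.verify(second, leaked)


if __name__ == "__main__":
    print("static token replayed:", leaked_token_replay(StaticTokenStore(b"server-secret")))
    print("rotating token replayed:", leaked_token_replay(RotatingTokenStore()))
```

Binding the token to the session (or to a per-session secret) is what makes logout and re-login invalidate it; a token derived only from long-lived data, such as the account name and a server key, has the lifetime of that data.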
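The CVE-2020-7965 entry (webargs) comes down to one missing check: JSON was accepted whenever the body parsed, regardless of the Content-Type header. A browser sends cross-origin POSTs with the media types application/x-www-form-urlencoded, multipart/form-data and text/plain without a CORS preflight, so a page on another site can deliver a JSON body under one of those types, while application/json would trigger a preflight the target never answers. The Python below is an added example, not webargs code: a lenient parser that mirrors the described behaviour beside a strict one, a forged body built the way a `<form enctype="text/plain">` submission produces it, and a rough model of the preflight rule. All names are the example's own.

```python
import json

# Media types a browser may POST cross-origin without a CORS preflight.
CORS_SAFELISTED = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def media_type(headers):
    """Media type without parameters, e.g. 'application/json; charset=utf-8' -> 'application/json'."""
    return headers.get("Content-Type", "").split(";", 1)[0].strip().lower()


def parse_json_lenient(headers, body):
    """Mirrors the flawed behaviour: any body that parses as JSON is accepted."""
    try:
        return json.loads(body)
    except ValueError:
        return None


def parse_json_strict(headers, body):
    """Hardened: refuse unless the declared media type is application/json."""
    if media_type(headers) != "application/json":
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def needs_preflight(method, headers):
    """Simplified CORS 'simple request' rule: only the Content-Type part is modelled."""
    if method.upper() not in ("GET", "HEAD", "POST"):
        return True
    return media_type(headers) not in CORS_SAFELISTED


def text_plain_form_body(fields):
    """Body a browser sends for <form enctype="text/plain">: 'name=value' + CRLF per field."""
    return "".join(f"{name}={value}\r\n" for name, value in fields.items())


def build_forged_request():
    """Constructed sample: a field name and value chosen so that 'name=value' is valid JSON.
    The '=' the browser inserts lands inside the 'pad' string."""
    field_name = '{"recipient":"attacker","amount":1000,"pad":"'
    body = text_plain_form_body({field_name: '"}'})
    return {"Content-Type": "text/plain"}, body


if __name__ == "__main__":
    headers, body = build_forged_request()
    print("preflight needed:", needs_preflight("POST", headers))
    print("lenient parser:", parse_json_lenient(headers, body))
    print("strict parser:", parse_json_strict(headers, body))
```

The same body can be sent with `fetch(..., {credentials: "include", headers: {"Content-Type": "application/x-www-form-urlencoded"}})`, which is the urlencoded vector the entry names. Requiring application/json closes that route, but it is a defence in depth: a cookie-authenticated endpoint still wants a per-session token or a SameSite cookie behind it.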
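The CVE-2019-19854 entry (Serpico) describes relying on the Origin header instead of CSRF tokens. An Origin check does stop a forged request from another site, but it cannot distinguish the application's own script from script injected through XSS, because both run in the same origin. The Python below is an added example, not Serpico code: an exact-match Origin check with a Referer fallback that fails closed, next to the prefix-matching mistake that lets a look-alike host through. The allowed origin is a hypothetical value chosen for the example.

```python
from urllib.parse import urlsplit

# Hypothetical deployment origin for the example; not a value from any advisory.
ALLOWED_ORIGINS = {"https://reports.example.test"}


def request_origin(headers):
    """Origin the browser reports for the request: the Origin header first, the
    Referer's scheme://host[:port] as a fallback, None if neither is present."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin.strip()  # may be the literal "null" (opaque origin)
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def origin_check_passes(headers):
    """Exact comparison against the allow-list; fail closed when the browser
    sent nothing usable (no header at all, or the opaque origin 'null')."""
    origin = request_origin(headers)
    if origin is None or origin == "null":
        return False
    return origin.lower() in ALLOWED_ORIGINS


def sloppy_origin_check(headers):
    """A common mistake: prefix matching. 'https://reports.example.test.attacker.invalid'
    starts with the allowed origin and is accepted."""
    origin = request_origin(headers) or ""
    return any(origin.startswith(allowed) for allowed in ALLOWED_ORIGINS)


if __name__ == "__main__":
    forged = {"Origin": "https://evil.invalid"}
    lookalike = {"Origin": "https://reports.example.test.attacker.invalid"}
    same_origin = {"Origin": "https://reports.example.test"}  # the app's own page, or XSS in it
    print("cross-site forgery:", origin_check_passes(forged))
    print("look-alike host, sloppy check:", sloppy_origin_check(lookalike))
    print("same-origin request:", origin_check_passes(same_origin))
```

The last line is the point the entry makes: a request issued by injected script carries the application's own origin and passes. A per-session token is readable by that same script, so the fix for the escalation is removing the XSS; for privileged actions, a fresh re-authentication step is the control that survives script injection.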
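The CVE-2019-19737 entry (YetiShare) is about a session cookie set without a SameSite attribute, so the browser attaches it to cross-site requests. The Python below is an added example, not YetiShare code: a builder for a hardened Set-Cookie value, an audit helper that reports which SameSite value a header carries, and a small model of when a browser attaches a cookie to a cross-site request under each setting. Function names are the example's own; the model simplifies browser behaviour and ignores Chromium's short "Lax+POST" grace period.

```python
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def session_cookie(name, value, samesite="Lax", secure=True, http_only=True):
    """Build a Set-Cookie header value for a session cookie."""
    if samesite not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    if samesite == "None" and not secure:
        raise ValueError("SameSite=None is only honoured together with Secure")
    attrs = [f"{name}={value}", "Path=/", f"SameSite={samesite}"]
    if secure:
        attrs.append("Secure")
    if http_only:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


def samesite_of(set_cookie):
    """Audit helper: the SameSite value a Set-Cookie header carries, or None if absent."""
    for attr in set_cookie.split(";")[1:]:
        key, _, val = attr.strip().partition("=")
        if key.lower() == "samesite":
            return val.strip().capitalize() or None
    return None


def cookie_attached(samesite, cross_site, method, top_level_navigation,
                    missing_defaults_to_lax=False):
    """Model of whether a browser sends the cookie with a request.

    samesite: "Strict", "Lax", "None", or None when the attribute is absent.
    missing_defaults_to_lax: True for browsers that treat an absent attribute as Lax
    (Chromium-based browsers since 2020); False models the legacy behaviour, where a
    cookie without the attribute rides along with every cross-site request."""
    if not cross_site:
        return True
    if samesite is None:
        if not missing_defaults_to_lax:
            return True
        samesite = "Lax"
    if samesite == "None":
        return True
    if samesite == "Strict":
        return False
    # Lax: only top-level navigations (link, address bar, form GET) with a safe method.
    return top_level_navigation and method.upper() in SAFE_METHODS


if __name__ == "__main__":
    legacy = "sid=abc; Path=/; HttpOnly"            # constructed: no SameSite, as in the entry
    hardened = session_cookie("sid", "abc")
    print("legacy SameSite:", samesite_of(legacy), "| hardened:", samesite_of(hardened))
    print("cross-site POST, no attribute, legacy browser:", cookie_attached(None, True, "POST", True))
    print("cross-site POST, SameSite=Lax:", cookie_attached("Lax", True, "POST", True))
```

SameSite=Lax blocks the classic auto-submitted POST form while keeping links into the site working; Strict also drops the cookie on cross-site top-level GETs, so a GET that changes state (several entries above describe such endpoints) is only covered by Strict or by a token. Because the attribute is ignored by older clients, treat it as a second layer next to per-session tokens rather than a replacement.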
