Total: 3999 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-16560 | 1 Jenkins | 1 Websphere Deployer | 2020-01-03 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system. | |||||
| CVE-2019-6030 | 1 Custom Body Class Project | 1 Custom Body Class | 2020-01-03 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Custom Body Class 0.6.0 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2019-16550 | 1 Jenkins | 1 Maven | 2020-01-03 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in a connection test form method in Jenkins Maven Release Plugin 0.16.1 and earlier allows attackers to have Jenkins connect to an attacker specified web server and parse XML documents. | |||||
| CVE-2019-4231 | 1 Ibm | 1 Cognos Analytics | 2020-01-03 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 159356. | |||||
| CVE-2019-20071 | 1 Netis-systems | 2 Dl4343, Dl4343 Firmware | 2020-01-02 | 5.8 MEDIUM | 6.5 MEDIUM |
| On Netis DL4323 devices, CSRF exists via form2logaction.cgi to delete all logs. | |||||
| CVE-2019-16569 | 1 Jenkins | 1 Mantis | 2019-12-31 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Mantis Plugin 0.26 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials. | |||||
| CVE-2017-18107 | 1 Atlassian | 1 Crowd | 2019-12-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| Various resources in the Crowd Demo application of Atlassian Crowd before version 3.1.1 allow remote attackers to add, modify and delete users and groups via a cross-site request forgery (CSRF) vulnerability. Note that the Demo application is not enabled by default. | |||||
| CVE-2018-1934 | 1 Ibm | 1 Cognos Business Intelligence | 2019-12-27 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Cognos Business Intelligence 10.2.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 153179. | |||||
| CVE-2019-17633 | 1 Eclipse | 1 Che | 2019-12-27 | 6.8 MEDIUM | 8.8 HIGH |
| For Eclipse Che versions 6.16 to 7.3.0, with both authentication and TLS disabled, visiting a malicious web site could trigger the start of an arbitrary Che workspace. Che with no authentication and no TLS is not usually deployed on a public network but is often used for local installations (e.g. on personal laptops). In that case, even if the Che API is not exposed externally, some javascript running in the local browser is able to send requests to it. | |||||
| CVE-2019-19832 | 1 Xerox | 2 Altalink C8035, Altalink C8035 Firmware | 2019-12-23 | 6.8 MEDIUM | 8.8 HIGH |
| Xerox AltaLink C8035 printers allow CSRF. A request to add users is made in the Device User Database form field to the xerox.set URI. (The frmUserName value must have a unique name.) | |||||
| CVE-2019-4736 | 1 Ibm | 1 Financial Transaction Manager For Multiplatform | 2019-12-23 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM Financial Transaction Manager 3.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 172706. | |||||
| CVE-2019-13930 | 1 Siemens | 1 Xhq | 2019-12-19 | 5.8 MEDIUM | 8.1 HIGH |
| A vulnerability has been identified in XHQ (All versions < V6.0.0.2). The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires user interaction by a legitimate user, who must be authenticated to the web interface. A successful attack could allow an attacker to trigger actions via the web interface that the legitimate user is allowed to perform. This could allow the attacker to read or modify contents of the web application. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2019-16575 | 1 Jenkins | 1 Alauda Kubernetes Support | 2019-12-18 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins Alauda Kubernetes Support Plugin 2.3.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing the Kubernetes service account token or credentials stored in Jenkins. | |||||
| CVE-2019-11657 | 1 Microfocus | 1 Arcsight Logger | 2019-12-18 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Micro Focus ArcSight Logger, affecting all product versions below 7.0. | |||||
| CVE-2019-16573 | 1 Jenkins | 1 Alauda Devops Pipeline | 2019-12-18 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins Alauda DevOps Pipeline Plugin 2.3.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2014-0197 | 1 Redhat | 2 Cloudforms, Cloudforms Management Engine | 2019-12-18 | 6.8 MEDIUM | 8.8 HIGH |
| CFME: CSRF protection vulnerability via permissive check of the referrer header | |||||
| CVE-2019-16565 | 1 Jenkins | 1 Team Concert | 2019-12-18 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins Team Concert Plugin 1.3.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2019-16570 | 1 Jenkins | 1 Rapiddeploy | 2019-12-18 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers to connect to an attacker-specified web server. | |||||
| CVE-2019-0398 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2019-12-17 | 6.8 MEDIUM | 8.8 HIGH |
| Due to insufficient CSRF protection, SAP BusinessObjects Business Intelligence Platform (Monitoring Application), before versions 4.1, 4.2 and 4.3, allows an attacker to make an authenticated user send unintended requests to the web server (cross-site request forgery). | |||||
| CVE-2015-7537 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2019-12-17 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method. | |||||
| CVE-2015-5318 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2019-12-17 | 6.8 MEDIUM | N/A |
| Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack. | |||||
| CVE-2019-19685 | 1 Nopcommerce | 1 Nopcommerce | 2019-12-17 | 6.8 MEDIUM | 8.8 HIGH |
| RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF because GET requests can be used for renames and deletions. | |||||
| CVE-2019-18346 | 1 Davical | 1 Davical | 2019-12-14 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user. | |||||
| CVE-2019-4095 | 1 Ibm | 1 Cloud Pak System | 2019-12-13 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158015. | |||||
| CVE-2014-0026 | 1 Redhat | 1 Subscription Asset Manager | 2019-12-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| katello-headpin is vulnerable to CSRF in REST API | |||||
| CVE-2019-15934 | 1 Intesync | 1 Solismed | 2019-12-13 | 6.8 MEDIUM | 8.8 HIGH |
| Intesync Solismed 3.3sp has CSRF. | |||||
| CVE-2019-19516 | 1 Intelbras | 2 Wrn 150, Wrn 150 Firmware | 2019-12-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| Intelbras WRN 150 1.0.18 devices allow CSRF via GO=system_password.asp to the goform/SysToolChangePwd URI to change a password. | |||||
| CVE-2016-8673 | 1 Siemens | 8 Simatic Cp 343-1, Simatic Cp 343-1 Firmware, Simatic Cp 443-1 and 5 more | 2019-12-12 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in SIMATIC CP 343-1 Advanced (incl. SIPLUS NET variant) (All versions < V3.0.53), SIMATIC CP 443-1 Advanced (incl. SIPLUS NET variant) (All versions < V3.2.17), SIMATIC S7-300 PN/DP CPU family (incl. SIPLUS variants) (All versions), SIMATIC S7-400 PN/DP CPU family (incl. SIPLUS variants) (All versions). The integrated web server at port 80/TCP or port 443/TCP of the affected devices could allow remote attackers to perform actions with the permissions of an authenticated user, provided the targeted user has an active session and is induced to trigger the malicious request. | |||||
| CVE-2012-2079 | 1 Drupal | 1 Activity | 2019-12-11 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal. | |||||
| CVE-2011-3609 | 1 Redhat | 1 Jboss Application Server | 2019-12-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| A CSRF issue was found in JBoss Application Server 7 before 7.1.0. JBoss did not properly restrict access to the management console information (for example via the "Access-Control-Allow-Origin" HTTP access control flag). This can lead to unauthorized information leak if a user with admin privileges visits a specially-crafted web page provided by a remote attacker. | |||||
| CVE-2009-1802 | 2 Freepbx, Sangoma | 2 Freepbx, Freepbx | 2019-12-10 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, allow remote attackers to hijack the authentication of admins for requests that create a new admin account or have unspecified other impact. | |||||
| CVE-2019-16002 | 1 Cisco | 1 Sd-wan Firmware | 2019-12-06 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the vManage web-based UI (web UI) of the Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected instance of vManage. An attacker could exploit this vulnerability by persuading a user to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. | |||||
| CVE-2015-3140 | 1 Synametrics | 3 Synaman, Syncrify, Syntail | 2019-12-04 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Synametrics Technologies SynaMan before 3.5 Build 1451, Syncrify before 3.7 Build 856, and SynTail before 1.5 Build 567 | |||||
| CVE-2013-6811 | 1 D-link | 2 Dsl6740u, Dsl6740u Firmware | 2019-12-04 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DSL-6740U gateway (Rev. H1) allow remote attackers to hijack the authentication of administrators for requests that change administrator credentials or enable remote management services to (1) Custom Services in Port Forwarding, (2) Port Triggering Entries, (3) URL Filters in Parental Control, (4) Print Server settings, (5) QoS Queue Setup, or (6) QoS Classification Entries. | |||||
| CVE-2018-10503 | 1 Baijiacms Project | 1 Baijiacms | 2019-12-03 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in index.php in baijiacms V4 v4_1_4_20170105. CSRF allows adding an administrator account via op=edituser, changing the administrator password via op=changepwd, or deleting an account via op=deleteuser. | |||||
| CVE-2013-3312 | 1 Loftek | 2 Nexus 543, Nexus 543 Firmware | 2019-11-27 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Loftek Nexus 543 IP Camera allow remote attackers to hijack the authentication of unspecified victims for requests that change (1) passwords or (2) firewall configuration, as demonstrated by a request to set_users.cgi. | |||||
| CVE-2019-19013 | 1 Pagekit | 1 Pagekit | 2019-11-27 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF vulnerability in Pagekit 1.0.17 allows an attacker to upload an arbitrary file by removing the CSRF token from a request. | |||||
| CVE-2019-16548 | 1 Jenkins | 1 Google Compute Engine | 2019-11-22 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins Google Compute Engine Plugin 4.1.1 and earlier in ComputeEngineCloud#doProvision could be used to provision new agents. | |||||
| CVE-2011-4952 | 1 Cobblerd | 1 Cobbler | 2019-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| cobbler: Web interface lacks CSRF protection when using Django framework | |||||
| CVE-2019-16993 | 2 Debian, Phpbb | 2 Debian Linux, Phpbb | 2019-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an attacker also manages to retrieve the session id of a reauthenticated administrator prior to targeting them. | |||||
| CVE-2019-18651 | 1 3xlogic | 2 Infinias Access Control, Infinias Access Control Firmware | 2019-11-20 | 5.8 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in 3xLogic Infinias Access Control through 6.6.9586.0 allows remote attackers to execute malicious and unauthorized actions (e.g., delete application users) by sending a crafted HTML document or encoded URL to a user that the website trusts. The user needs to have an active privileged session. | |||||
| CVE-2019-18884 | 1 Fairsketch | 1 Rise - Ultimate Project Manager | 2019-11-19 | 6.8 MEDIUM | 8.8 HIGH |
| index.php/team_members/add_team_member in RISE Ultimate Project Manager 2.3 has CSRF for adding authorized users. | |||||
| CVE-2013-3516 | 1 Netgear | 4 Wnr3500l, Wnr3500l Firmware, Wnr3500u and 1 more | 2019-11-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| NETGEAR WNR3500U and WNR3500L routers use form tokens based solely on the router's current date and time, which allows attackers to guess the CSRF tokens. | |||||
| CVE-2019-17600 | 1 Intelbras | 2 Iwr 1000n, Iwr 1000n Firmware | 2019-11-16 | 10.0 HIGH | 9.8 CRITICAL |
| Intelbras IWR 1000N 1.6.4 devices allow disclosure of the administrator login name and password because v1/system/user is mishandled. | |||||
| CVE-2012-4385 | 2 Debian, Trilexnet | 2 Debian Linux, Letodms | 2019-11-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| LetoDMS 3.3.6 has CSRF via the change-password function. | |||||
| CVE-2014-3655 | 1 Redhat | 2 Jboss Enterprise Web Server, Keycloak | 2019-11-14 | 4.3 MEDIUM | 4.3 MEDIUM |
| JBoss KeyCloak is vulnerable to soft token deletion via CSRF | |||||
| CVE-2010-3305 | 1 Pixelpost | 1 Pixelpost | 2019-11-14 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in pixelpost 1.7.3 could allow remote attackers to change the admin password. | |||||
| CVE-2013-6364 | 2 Debian, Horde | 2 Debian Linux, Groupware | 2019-11-13 | 6.8 MEDIUM | 8.8 HIGH |
| Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book | |||||
| CVE-2019-7273 | 1 Optergy | 2 Enterprise, Proton | 2019-11-12 | 6.8 MEDIUM | 8.8 HIGH |
| Optergy Proton/Enterprise devices allow Cross-Site Request Forgery (CSRF). | |||||
| CVE-2019-7262 | 1 Nortekcontrol | 4 Linear Emerge Elite, Linear Emerge Elite Firmware, Linear Emerge Essential and 1 more | 2019-11-12 | 6.8 MEDIUM | 8.8 HIGH |
| Linear eMerge E3-Series devices allow Cross-Site Request Forgery (CSRF). | |||||
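The CFME entry (CVE-2014-0197) describes a CSRF defence that trusted the Referer header after a permissive check. The Python below is an added example, not code from CloudForms or any product in the table: it contrasts a substring-style Referer check with one that compares the parsed scheme, host and port against the application's own origin, and runs both against Referer values an attacker can produce from a page they control. The origin `https://cfme.example.com` and the sample headers are constructed for the example.

```python
from urllib.parse import urlsplit

# Hypothetical application origin (constructed; not a real deployment).
APP_ORIGIN = "https://cfme.example.com"


def permissive_referer_check(referer):
    """The weak pattern: accept any Referer that merely contains the
    expected origin string. Prefix, path and query-string tricks all pass."""
    return referer is not None and APP_ORIGIN in referer


def strict_referer_check(referer, origin_header=None):
    """Compare scheme, host and effective port of the Origin header (preferred)
    or the Referer with the application's origin. A missing or unparseable
    header is rejected for state-changing requests, not silently allowed."""
    header = origin_header if origin_header is not None else referer
    if not header:
        return False
    expected = urlsplit(APP_ORIGIN)
    try:
        got = urlsplit(header)
        got_port = got.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    if got.scheme != expected.scheme:
        return False
    default = 443 if expected.scheme == "https" else 80
    if (got.hostname or "") != expected.hostname:
        return False
    return (got_port or default) == (expected.port or default)


# Constructed Referer values an attacker can cause the victim's browser to send.
ATTACKER_REFERERS = [
    "https://cfme.example.com.attacker.net/lure",            # attacker-owned subdomain
    "https://attacker.net/?next=https://cfme.example.com",   # origin inside the query string
    "https://attacker.net/https://cfme.example.com/",        # origin inside the path
    "http://cfme.example.com/",                               # wrong scheme
]
LEGIT_REFERER = "https://cfme.example.com/dashboard"


def evaluate():
    """Return (attacker Referers the permissive check accepts,
               attacker Referers the strict check accepts,
               whether the strict check accepts a legitimate Referer)."""
    permissive_bad = [r for r in ATTACKER_REFERERS if permissive_referer_check(r)]
    strict_bad = [r for r in ATTACKER_REFERERS if strict_referer_check(r)]
    return permissive_bad, strict_bad, strict_referer_check(LEGIT_REFERER)
```

Browsers send `Origin: null` from sandboxed or opaque contexts; the strict check rejects it because it has no scheme or host, which is the safe default for a request that changes state. Referer/Origin checking is a secondary defence and should sit alongside a per-session token rather than replace it.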
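Two entries above describe the most common ways a token check is bypassed without touching the token itself: nopCommerce's RoxyFileman (CVE-2019-19685) performed renames and deletions on GET requests, which carry no form token at all, and Pagekit (CVE-2019-19013) let a request through once the token was simply removed. The Python below is an added example, not code from either project: it shows a check that only compares a token when one is present and never looks at GET, beside a check that requires an unsafe method and a present, matching token for every state-changing handler. The request dictionaries and the `_csrf` field name are constructed for the example.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def vulnerable_csrf_check(request, session_token):
    """Weak pattern: GET is never checked even when the handler changes state,
    and the comparison runs only if a token was supplied, so omitting the
    field makes the request pass."""
    if request["method"] in SAFE_METHODS:
        return True
    token = request["form"].get("_csrf")
    if token is not None and token != session_token:
        return False
    return True


def hardened_csrf_check(request, session_token):
    """Run on every handler that changes state: the request must arrive via an
    unsafe method and carry a token equal to the session's token. An absent or
    empty token is a failure, and the comparison is constant-time."""
    if request["method"] in SAFE_METHODS:
        return False
    token = request["form"].get("_csrf")
    if not token or not session_token:
        return False
    return hmac.compare_digest(token, session_token)


def new_session_token():
    """Per-session random token; store it server-side and in the form."""
    return secrets.token_urlsafe(32)


def forged_requests():
    """Constructed requests a lure page can make the victim's browser send.
    (For GET the parameters would be in the query string; the shape is
    simplified here to a single 'form' mapping.)"""
    return [
        {"method": "POST", "form": {"action": "delete", "path": "/files/x"}},                  # token omitted
        {"method": "POST", "form": {"action": "delete", "path": "/files/x", "_csrf": ""}},     # empty token
        {"method": "GET",  "form": {"action": "delete", "path": "/files/x"}},                  # state change over GET
    ]


def legitimate_request(session_token):
    return {"method": "POST", "form": {"action": "delete", "path": "/files/x", "_csrf": session_token}}


def compare(session_token):
    """Return how many forged requests each check lets through."""
    reqs = forged_requests()
    vuln = sum(vulnerable_csrf_check(r, session_token) for r in reqs)
    hard = sum(hardened_csrf_check(r, session_token) for r in reqs)
    return vuln, hard
```

The hardened check is deliberately unconditional about the method: an endpoint that mutates state must not be reachable by GET at all, since a plain `<img src>` on any page is enough to trigger it. Putting the method rule inside the token check, rather than relying on each handler to remember it, is what closes the RoxyFileman-style hole.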
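The Jenkins (CVE-2015-5318) and NETGEAR (CVE-2013-3516) entries above are both tokens that an attacker can recompute rather than steal: one hashed inputs together with a salt the server made public, the other derived the token from the router's clock. The Python below is an added example, not code from Jenkins or NETGEAR: it builds a clock-derived token the way a weak issuer would, shows the attacker recovering it by enumerating a window of seconds around the estimated issue time, and contrasts a token that is an HMAC over the session id under a server secret, which cannot be reproduced from public inputs. The token formats, timestamps and `SERVER_SECRET` are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time


def weak_time_token(ts):
    """Weak issuer: the token is a hash of the wall-clock time to the second.
    No secret enters the hash, so anyone who can estimate the issue time can
    regenerate it. (Constructed format; not the real router's algorithm.)"""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts))
    return hashlib.md5(stamp.encode()).hexdigest()


def brute_force_time_token(target_token, approx_ts, window=600):
    """Attacker side: try every second within +/- window of the guessed issue
    time. Returns the recovered timestamp, or None if the guess was too far off."""
    for delta in range(-window, window + 1):
        cand_ts = approx_ts + delta
        if weak_time_token(cand_ts) == target_token:
            return cand_ts
    return None


# Keyed issuer: the only secret input is a per-server key that is never served
# to clients. Constructed here; in a real deployment it is loaded from config.
SERVER_SECRET = secrets.token_bytes(32)


def keyed_token(session_id, key=SERVER_SECRET):
    """HMAC-SHA256 over the session id. The algorithm and session id may be
    public; without the key the value is not computable."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def verify_keyed_token(session_id, presented, key=SERVER_SECRET):
    return hmac.compare_digest(keyed_token(session_id, key), presented)


def demo():
    """Victim's token was issued at a fixed instant; the attacker's estimate is
    37 seconds off and still recovers it. Returns True on success."""
    issued_at = 1_700_000_000
    victim_token = weak_time_token(issued_at)
    recovered = brute_force_time_token(victim_token, issued_at + 37)
    return recovered == issued_at
```

The search space matters more than the hash function: 1201 candidates cover a twenty-minute window, and swapping MD5 for SHA-256 changes nothing because the input is still guessable. The same applies to a public salt combined with otherwise known values such as a username or session id. Either the token must be random per session, or every input the issuer hashes must include a secret the attacker cannot obtain.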
