Search
Total
3999 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-19376 | 1 Greencms | 1 Greencms | 2018-12-18 | 5.8 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that allows attackers to delete a log file via the index.php?m=admin&c=data&a=clear URI. | |||||
| CVE-2018-19561 | 1 Sikcms | 1 Sikcms | 2018-12-18 | 6.8 MEDIUM | 8.8 HIGH |
| sikcms 1.1 has CSRF via admin.php?m=Admin&c=Users&a=userAdd to add an administrator account. | |||||
| CVE-2018-18760 | 1 Saltos | 1 Rhinos | 2018-12-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| RhinOS 3.0 build 1190 allows CSRF. | |||||
| CVE-2018-19318 | 1 Srcms Project | 1 Srcms | 2018-12-17 | 6.8 MEDIUM | 8.8 HIGH |
| SRCMS 3.0.0 allows CSRF via admin.php?m=Admin&c=manager&a=update to change the username and password of the super administrator account. | |||||
| CVE-2018-19319 | 1 Srcms Project | 1 Srcms | 2018-12-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| SRCMS 3.0.0 allows CSRF via admin.php?m=Admin&c=gifts&a=update to change goods prices with the super administrator's privileges. | |||||
| CVE-2017-17550 | 1 Zyxel | 2 Zywall Usg 100, Zywall Usg 100 Firmware | 2018-12-13 | 6.8 MEDIUM | 8.8 HIGH |
| ZyXEL ZyWALL USG 2.12 AQQ.2 and 3.30 AQQ.7 devices are affected by a CSRF vulnerability via a cgi-bin/zysh-cgi cmd action to add a user account. This account's access could, for example, subsequently be used for stored XSS. | |||||
| CVE-2018-13398 | 1 Atlassian | 2 Crucible, Fisheye | 2018-12-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery (CSRF) vulnerability. | |||||
| CVE-2014-2327 | 3 Cacti, Debian, Opensuse | 3 Cacti, Debian Linux, Opensuse | 2018-12-13 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configurations, or (3) add arbitrary users. | |||||
| CVE-2018-19192 | 1 Xiaocms | 1 Xiaocms | 2018-12-13 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in XiaoCms 20141229. admin/index.php?c=content&a=add&catid=3 has CSRF, as demonstrated by entering news via the data[content] parameter. | |||||
| CVE-2014-2390 | 1 Mcafee | 1 Network Security Manager | 2018-12-12 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the User Management module in McAfee Network Security Manager (NSM) before 6.1.15.39 7.1.5.x before 7.1.5.15, 7.1.15.x before 7.1.15.7, 7.5.x before 7.5.5.9, and 8.x before 8.1.7.3 allows remote attackers to hijack the authentication of users for requests that modify user accounts via unspecified vectors. | |||||
| CVE-2018-19104 | 1 Bagesoft | 1 Bagecms | 2018-12-11 | 6.8 MEDIUM | 8.8 HIGH |
| In BageCMS 3.1.3, upload/index.php has a CSRF vulnerability that can be used to upload arbitrary files and get server privileges. | |||||
| CVE-2018-19225 | 1 Laobancms | 1 Laobancms | 2018-12-11 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in LAOBANCMS 2.0. admin/mima.php has CSRF. | |||||
| CVE-2018-18934 | 1 Popojicms | 1 Popojicms | 2018-12-11 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in PopojiCMS v2.0.1. admin_component.php is exploitable via the po-admin/route.php?mod=component&act=addnew URI by using the fupload parameter to upload a ZIP file containing arbitrary PHP code (that is extracted and can be executed). This can also be exploited via CSRF. | |||||
| CVE-2018-18935 | 1 Popojicms | 1 Popojicms | 2018-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in PopojiCMS v2.0.1. It has CSRF via the po-admin/route.php?mod=component&act=addnew URI, as demonstrated by adding a level=1 account. | |||||
| CVE-2017-15296 | 1 Sap | 1 Customer Relationship Management | 2018-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| The Java component in SAP CRM has CSRF. This is SAP Security Note 2478964. | |||||
| CVE-2018-16952 | 1 Oracle | 1 Webcenter Interaction | 2018-12-07 | 6.8 MEDIUM | 8.8 HIGH |
| The Oracle WebCenter Interaction Portal 10.3.3 does not implement protection against Cross-site Request Forgery in its design. The impact is sensitive actions in the portal (such as changing a portal user's password). NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support. | |||||
| CVE-2018-12370 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2018-12-06 | 6.8 MEDIUM | 8.8 HIGH |
| In Reader View SameSite cookie protections are not checked on exiting. This allows for a payload to be triggered when Reader View is exited if loaded by a malicious site while Reader mode is active, bypassing CSRF protections. This vulnerability affects Firefox < 61. | |||||
| CVE-2015-4630 | 1 Koha | 1 Koha | 2018-12-04 | 6.0 MEDIUM | 8.0 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to (1) hijack the authentication of administrators for requests that create a user via a request to members/memberentry.pl or (2) give a user superlibrarian permission via a request to members/member-flags.pl or (3) hijack the authentication of arbitrary users for requests that conduct cross-site scripting (XSS) attacks via the addshelf parameter to opac-shelves.pl. | |||||
| CVE-2018-18420 | 1 Tribalsystems | 1 Zenario | 2018-12-04 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability was discovered in the 8.3 version of Zenario Content Management System via the admin/organizer.ajax.php?path=zenario__content%2Fpanels%2Fcontent URI. | |||||
| CVE-2018-12364 | 4 Canonical, Debian, Mozilla and 1 more | 11 Ubuntu Linux, Debian Linux, Firefox and 8 more | 2018-12-03 | 6.8 MEDIUM | 8.8 HIGH |
| NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows for a malicious site to engage in cross-site request forgery (CSRF) attacks. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. | |||||
| CVE-2018-15539 | 1 Agentejo | 1 Cockpit | 2018-11-30 | 6.8 MEDIUM | 8.8 HIGH |
| Agentejo Cockpit lacks an anti-CSRF protection mechanism. Thus, an attacker is able to change API tokens, passwords, etc. | |||||
| CVE-2018-18422 | 1 Usualtool | 1 Usualtoolcms | 2018-11-30 | 6.8 MEDIUM | 8.8 HIGH |
| UsualToolCMS 8.0 allows CSRF for adding a user account via the cmsadmin/a_adminx.php?x=a URI. | |||||
| CVE-2018-18432 | 1 Destoon | 1 Destoon B2b | 2018-11-29 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in DESTOON B2B 7.0. CSRF exists via the admin.php URI in an action=add request. | |||||
| CVE-2018-18773 | 1 Centos-webpanel | 1 Centos Web Panel | 2018-11-29 | 6.8 MEDIUM | 8.8 HIGH |
| CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=rootpwd, as demonstrated by changing the root password. | |||||
| CVE-2018-18772 | 1 Centos-webpanel | 1 Centos Web Panel | 2018-11-29 | 6.8 MEDIUM | 8.8 HIGH |
| CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=send_ssh, as demonstrated by executing an arbitrary OS command. | |||||
| CVE-2018-17103 | 1 Get-simple | 1 Getsimple Cms | 2018-11-28 | 6.8 MEDIUM | 8.8 HIGH |
| ** DISPUTED ** An issue was discovered in GetSimple CMS v3.3.13. There is a CSRF vulnerability that can change the administrator's password via admin/settings.php. NOTE: The vendor reported that the PoC was sending a value for the nonce parameter. | |||||
| CVE-2018-12456 | 1 Intelbras | 2 Nplug, Nplug Firmware | 2018-11-28 | 6.8 MEDIUM | 8.8 HIGH |
| Intelbras NPLUG 1.0.0.14 wireless repeater devices have no CSRF token protection in the web interface, allowing attackers to perform actions such as changing the wireless SSID, rebooting the device, editing access control lists, or activating remote access. | |||||
| CVE-2018-17045 | 1 Cms Maelostore Project | 1 Cms Maelostore | 2018-11-28 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in CMS MaeloStore V.1.5.0. There is a CSRF vulnerability that can change the administrator password via admin/modul/users/aksi_users.php?act=update. | |||||
| CVE-2018-17869 | 1 Dasan | 2 H660gw, H660gw Firmware | 2018-11-27 | 6.8 MEDIUM | 8.8 HIGH |
| DASAN H660GW devices do not implement any CSRF protection mechanism. | |||||
| CVE-2018-17986 | 1 Razorcms | 1 Razorcms | 2018-11-27 | 6.8 MEDIUM | 8.8 HIGH |
| rars/user/data in razorCMS 3.4.8 allows CSRF for changing the password of an admin user. | |||||
| CVE-2018-15702 | 1 Tp-link | 2 Tl-wrn841n, Tl-wrn841n Firmware | 2018-11-27 | 6.8 MEDIUM | 8.8 HIGH |
| The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is vulnerable to CSRF due to insufficient validation of the referer field. | |||||
| CVE-2018-18201 | 1 Qibosoft | 1 Qibosoft | 2018-11-27 | 6.8 MEDIUM | 8.8 HIGH |
| qibosoft V7.0 allows CSRF via admin/index.php?lfj=member&action=addmember to add a user account. | |||||
| CVE-2018-18316 | 1 Emlog | 1 Emlog | 2018-11-27 | 6.8 MEDIUM | 8.8 HIGH |
| emlog v6.0.0 has CSRF via the admin/user.php?action=new URI. | |||||
| CVE-2018-18317 | 1 Dscms Project | 1 Dscms | 2018-11-27 | 6.8 MEDIUM | 8.8 HIGH |
| DESHANG DSCMS 1.1 has CSRF via the public/index.php/admin/admin/add.html URI. | |||||
| CVE-2018-5921 | 1 Hp | 387 A2w75a, A2w75a Firmware, A2w76a and 384 more | 2018-11-27 | 6.8 MEDIUM | 8.8 HIGH |
| A potential security vulnerability has been identified with certain HP printers and MFPs in 2405129_000052 and other firmware versions. This vulnerability is known as Cross Site Request Forgery, and could potentially be exploited remotely to allow elevation of privilege. | |||||
| CVE-2010-3884 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-11-27 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in CMS Made Simple 1.8.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that reset the administrative password. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2018-17858 | 1 Joomla | 1 Joomla\! | 2018-11-26 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Joomla! before 3.8.13. com_installer actions do not have sufficient CSRF hardening in the backend. | |||||
| CVE-2018-17081 | 1 E107 | 1 E107 | 2018-11-26 | 4.3 MEDIUM | 4.3 MEDIUM |
| e107 2.1.9 allows CSRF via e107_admin/wmessage.php?mode=&action=inline&ajax_used=1&id= for changing the title of an arbitrary page. | |||||
| CVE-2017-15608 | 1 Inedo | 1 Proget | 2018-11-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inedo ProGet before 5.0 Beta5 has CSRF, allowing an attacker to change advanced settings. | |||||
| CVE-2018-18191 | 1 Finecms | 1 Finecms | 2018-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in /admin.php?c=member&m=edit&uid=1 in dayrui FineCms 5.4 allows remote attackers to change the administrator's password. | |||||
| CVE-2018-18215 | 1 Youke365 | 1 Youke 365 | 2018-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| In youke365 v1.1.5, admin/user.html has a CSRF vulnerability that can add an user account. | |||||
| CVE-2018-17102 | 1 Quickappscms | 1 Quickapps Cms | 2018-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in QuickAppsCMS (aka QACMS) through 2.0.0-beta2. A CSRF vulnerability can change the administrator password via the user/me URI. | |||||
| CVE-2018-17104 | 1 Microweber | 1 Microweber | 2018-11-20 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Microweber 1.0.7. There is a CSRF attack (against the admin user) that can add an administrative account via api/save_user. | |||||
| CVE-2018-18711 | 1 Wuzhicms | 1 Wuzhi Cms | 2018-11-16 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can change the super administrator's password via index.php?m=core&f=panel&v=edit_info. | |||||
| CVE-2018-18712 | 1 Wuzhicms | 1 Wuzhi Cms | 2018-11-16 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can change the super administrator's username via index.php?m=member&f=index&v=edit&uid=1. | |||||
| CVE-2018-17826 | 1 Hisiphp | 1 Hisiphp | 2018-11-16 | 6.8 MEDIUM | 8.8 HIGH |
| HisiPHP 1.0.8 allows CSRF via admin.php/admin/user/adduser.html to add an administrator account. The attacker can then use that account to execute arbitrary PHP code by leveraging app/common/model/AdminAnnex.php to add .php to the default list of allowable file-upload types (.jpg, .png, .gif, .jpeg, and .ico). | |||||
| CVE-2018-17069 | 1 Unlcms | 1 Unlcms | 2018-11-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in UNL-CMS 7.59. A CSRF attack can create new content via ?q=node%2Fadd%2Farticle&render=overlay&render=overlay. | |||||
| CVE-2018-17070 | 1 Unlcms | 1 Unlcms | 2018-11-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in UNL-CMS 7.59. A CSRF attack can update the website settings via ?q=admin%2Fconfig%2Fsystem%2Fsite-information&render=overlay&render=overlay. | |||||
| CVE-2018-18735 | 1 Catfish-cms | 1 Catfish Blog | 2018-11-14 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF issue was discovered in admin/Index/tiquan in catfish blog 2.0.33. | |||||
| CVE-2018-18742 | 1 Sem-cms | 1 Semcms | 2018-11-14 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF issue was discovered in SEMCMS 3.4 via the admin/SEMCMS_User.php?Class=add&CF=user URI. | |||||