Total: 3999 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-7634 | 1 Enalean | 1 Tuleap | 2018-03-22 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Enalean Tuleap 9.17. Lack of CSRF attack mitigation while changing an e-mail address makes it possible to abuse the functionality by attackers. By making a CSRF attack, an attacker could make a victim change his registered e-mail address on the application, leading to account takeover. | |||||
| CVE-2014-2838 | 1 Dev4press | 1 Gd Star Rating | 2018-03-20 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the GD Star Rating plugin 19.22 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct (1) SQL injection attacks via the s parameter in the gd-star-rating-stats page to wp-admin/admin.php or (2) cross-site scripting (XSS) attacks via unspecified vectors. | |||||
| CVE-2017-12415 | 1 Oxid-esales | 1 Eshop | 2018-03-16 | 5.1 MEDIUM | 7.5 HIGH |
| OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.10 (legacy), and 5.3.x before 5.3.5 (maintenance), and Professional Edition before 6.0.0 RC2 (development), 4.9.x before 4.9.10 (legacy) and 4.10.x before 4.10.5 (maintenance) allow remote attackers to hijack the cart session of a client via Cross-Site Request Forgery (CSRF) if the following pre-conditions are met: (1) the attacker knows which shop is presently used by the client, (2) the attacker knows the exact time when the customer will add product items to the cart, (3) the attacker knows which product items are already in the cart (has to know their article IDs), and (4) the attacker would be able to trick the user into clicking a button (submit form) of an e-mail or remote site within the period of visiting the shop and placing an order. | |||||
| CVE-2016-0295 | 1 Ibm | 1 Bigfix Platform | 2018-03-16 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the IBM BigFix Platform 9.0, 9.1, 9.2, and 9.5 before 9.5.2 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. IBM X-Force ID: 111363. | |||||
| CVE-2018-7590 | 1 Hoosk | 1 Hoosk | 2018-03-16 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF exists in Hoosk 1.7.0 via /admin/users/new/add, resulting in account creation. | |||||
| CVE-2018-0520 | 1 Fsi | 2 Fs010w, Fs010w Firmware | 2018-03-16 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in FS010W firmware FS010W_00_V1.3.0 and earlier allows an attacker to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2018-7308 | 1 Hosting Project | 1 Hosting | 2018-03-16 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF issue was found in var/www/html/files.php in DanWin hosting through 2018-02-11 that allows arbitrary remote users to add/delete/modify any files in any hosting account. | |||||
| CVE-2018-7216 | 1 Tejari | 1 Bravo Solution | 2018-03-16 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-site request forgery (CSRF) vulnerability in esop/toolkit/profile/regData.do in Bravo Tejari Procurement Portal allows remote authenticated users to hijack the authentication of application users for requests that modify their personal data by leveraging lack of anti-CSRF tokens. | |||||
| CVE-2018-7219 | 1 5none | 1 Nonecms | 2018-03-14 | 6.8 MEDIUM | 8.8 HIGH |
| application/admin/controller/Admin.php in NoneCms 1.3.0 has CSRF, as demonstrated by changing an admin password or adding an account via a public/index.php/admin/admin/edit.html request. | |||||
| CVE-2018-7176 | 1 Frontaccounting | 1 Frontaccounting | 2018-03-14 | 6.8 MEDIUM | 8.8 HIGH |
| FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page). | |||||
| CVE-2018-6941 | 1 Nat32 | 1 Nat32 | 2018-03-13 | 6.8 MEDIUM | 8.8 HIGH |
| A /shell?cmd= CSRF issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with XSS. | |||||
| CVE-2018-6656 | 1 Zblogcn | 1 Z-blogphp | 2018-03-13 | 5.8 MEDIUM | 6.5 MEDIUM |
| Z-BlogPHP 1.5.1 has CSRF via zb_users/plugin/AppCentre/app_del.php, as demonstrated by deleting files and directories. | |||||
| CVE-2017-17552 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2018-03-13 | 6.8 MEDIUM | 8.8 HIGH |
| /LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted. | |||||
| CVE-2017-5796 | 1 Hp | 10 J9623a, J9623a Firmware, J9624a and 7 more | 2018-03-12 | 9.3 HIGH | 8.8 HIGH |
| A Remote Cross Site Request Forgery (CSRF) vulnerability in HPE 2620 Series Network Switches version RA.15.05.0006 was found. | |||||
| CVE-2015-2248 | 1 Sonicwall | 1 Remote Access Firmware | 2018-03-12 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the user portal in Dell SonicWALL Secure Remote Access (SRA) products with firmware before 7.5.1.0-38sv and 8.x before 8.0.0.1-16sv allows remote attackers to hijack the authentication of users for requests that create bookmarks via a crafted request to cgi-bin/editBookmark. | |||||
| CVE-2017-16756 | 1 Userscape | 1 Helpspot | 2018-03-09 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Userscape HelpSpot before 4.7.2. A cross-site request forgery vulnerability exists on POST requests to the "index.php?pg=password.change" endpoint. This allows an attacker to change the password of another user's HelpSpot account. | |||||
| CVE-2016-0348 | 1 Ibm | 1 Tririga Application Platform | 2018-03-09 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-site request forgery (CSRF) vulnerability in IBM TRIRIGA Application Platform 3.3, 3.3.1, 3.3.2, and 3.4 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. IBM X-Force ID: 111813. | |||||
| CVE-2018-1000053 | 1 Limesurvey | 1 Limesurvey | 2018-03-08 | 6.8 MEDIUM | 8.8 HIGH |
| LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Request Forgery (CSRF) vulnerability in Theme Uninstallation that can result in CSRF causing LimeSurvey admins to delete all their themes, rendering the website unusable. This attack appears to be exploitable via simple HTML markup that sends a GET request to the affected endpoint. | |||||
| CVE-2016-8513 | 1 Hp | 1 Version Control Repository Manager | 2018-03-07 | 6.0 MEDIUM | 8.0 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability in HPE Version Control Repository Manager (VCRM) was found. The problem impacts all versions prior to 7.6. | |||||
| CVE-2018-6888 | 1 Typesettercms | 1 Typesetter | 2018-03-06 | 6.0 MEDIUM | 8.0 HIGH |
| An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from a critical Cross Site Request Forgery flaw: using a forged HTTP request, a malicious user can lead a user to unknowingly create, delete or modify a user account due to the lack of an anti-CSRF token. | |||||
| CVE-2017-5781 | 1 Hp | 1 Matrix Operating Environment | 2018-03-05 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF vulnerability in HPE Matrix Operating Environment version v7.6 was found. | |||||
| CVE-2018-6288 | 1 Kaspersky | 1 Secure Mail Gateway | 2018-03-01 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site Request Forgery leading to Administrative account takeover in Kaspersky Secure Mail Gateway version 1.1. | |||||
| CVE-2018-6467 | 1 Flickrrss Project | 1 Flickrrss | 2018-02-28 | 6.8 MEDIUM | 8.8 HIGH |
| The flickrRSS plugin 5.3.1 for WordPress has CSRF via wp-admin/options-general.php. | |||||
| CVE-2014-9502 | 1 Open Atrium Project | 1 Open Atrium | 2018-02-27 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in unspecified sub modules in the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal allow remote attackers to hijack the authentication of unknown victims via vectors related to menu callbacks. | |||||
| CVE-2017-4951 | 1 Vmware | 1 Airwatch | 2018-02-27 | 6.8 MEDIUM | 8.8 HIGH |
| VMware AirWatch Console (9.2.x before 9.2.2 and 9.1.x before 9.1.5) contains a Cross Site Request Forgery vulnerability when accessing the App Catalog. An attacker may exploit this issue by tricking users into installing a malicious application on their devices. | |||||
| CVE-2018-6408 | 1 Conceptronic | 3 Cipcamptiwl, Cipcamptiwl Firmware, Cipcamptiwl Web Firmware | 2018-02-27 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 devices. CSRF exists in hy-cgi/user.cgi, as demonstrated by changing an administrator password or adding a new administrator account. | |||||
| CVE-2015-4179 | 1 Codestyling Localization Project | 1 Codestyling Localization | 2018-02-26 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Codestyling Localization plugin 1.99.30 and earlier for WordPress. | |||||
| CVE-2017-9414 | 1 Subsonic | 1 Subsonic | 2018-02-23 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the Subscribe to Podcast feature in Subsonic 6.1.1 allows remote attackers to hijack the authentication of unspecified victims for requests that conduct cross-site scripting (XSS) attacks or possibly have unspecified other impact via the name parameter to playerSettings.view. | |||||
| CVE-2018-5720 | 1 Dodocool | 2 Dc38, Dc38 Firmware | 2018-02-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on DODOCOOL DC38 3-in-1 N300 Mini Wireless Range Extend RTN2-AW.GD.R3465.1.20161103 devices. A Cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that modify all the settings. This vulnerability can lead to changing an existing user's username and password, changing the Wi-Fi password, etc. | |||||
| CVE-2016-4319 | 1 Atlassian | 1 Jira | 2018-02-16 | 6.8 MEDIUM | 8.8 HIGH |
| Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings. | |||||
| CVE-2018-6007 | 1 Joomsky | 1 Js Support Ticket | 2018-02-15 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF exists in the JS Support Ticket 1.1.0 component for Joomla! and allows attackers to inject HTML or edit a ticket. | |||||
| CVE-2017-1000356 | 1 Jenkins | 1 Jenkins | 2018-02-15 | 6.8 MEDIUM | 8.8 HIGH |
| Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm that allows attackers to create an account if signup is enabled, or to create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts. | |||||
| CVE-2016-7034 | 1 Redhat | 1 Jboss Bpm Suite | 2018-02-15 | 6.8 MEDIUM | 8.8 HIGH |
| The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes it easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token. | |||||
| CVE-2018-6391 | 1 Netis-systems | 2 Wf2419, Wf2419 Firmware | 2018-02-14 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery web vulnerability has been discovered on Netis WF2419 V2.2.36123 devices. A remote attacker is able to delete Address Reservation List settings. | |||||
| CVE-2018-0509 | 1 Kkcald Project | 1 Kkcald | 2018-02-14 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in epg search result viewer (kkcald) 0.7.21 and earlier allows an attacker to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2017-18080 | 1 Atlassian | 1 Bamboo | 2018-02-13 | 6.8 MEDIUM | 8.8 HIGH |
| The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability. | |||||
| CVE-2018-5976 | 1 Rsvp Invitation Online Project | 1 Rsvp Invitation Online | 2018-02-12 | 6.8 MEDIUM | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) exists in RSVP Invitation Online 1.0 via function/account.php, as demonstrated by modifying the admin password. | |||||
| CVE-2018-5969 | 1 Photography Cms Project | 1 Photography Cms | 2018-02-12 | 6.8 MEDIUM | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) exists in Photography CMS 1.0 via clients/resources/ajax/ajax_new_admin.php, as demonstrated by adding an admin account. | |||||
| CVE-2018-6009 | 1 Yiiframework | 1 Yiiframework | 2018-02-09 | 6.8 MEDIUM | 8.8 HIGH |
| In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity. | |||||
| CVE-2017-1769 | 1 Ibm | 1 Business Process Manager | 2018-02-08 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Business Process Manager 8.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 136783. | |||||
| CVE-2018-1000014 | 1 Jenkins | 1 Translation Assistance | 2018-02-07 | 6.8 MEDIUM | 8.8 HIGH |
| Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins administrator. | |||||
| CVE-2018-1000013 | 1 Jenkins | 1 Release | 2018-02-07 | 6.8 MEDIUM | 8.8 HIGH |
| Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds. | |||||
| CVE-2018-5329 | 1 Beims | 1 Contractorweb.net | 2018-02-05 | 6.8 MEDIUM | 8.8 HIGH |
| ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) on /CWEBNET/* authenticated pages. A successful CSRF attack can force the user to modify state: creating users, changing an email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. | |||||
| CVE-2017-18033 | 1 Atlassian | 1 Jira | 2018-02-05 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery (CSRF) vulnerabilities. | |||||
| CVE-2018-5301 | 1 Magento | 1 Magento | 2018-02-02 | 5.8 MEDIUM | 6.5 MEDIUM |
| Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have CSRF resulting in deletion of a customer address from an address book, aka APPSEC-1433. | |||||
| CVE-2017-16886 | 1 Fiberhome | 2 Lm53q1, Lm53q1 Firmware | 2018-02-02 | 6.8 MEDIUM | 8.8 HIGH |
| The portal on FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 uses SOAP based web services in order to interact with the portal. Unauthorized Access to Web Services via CSRF can result in an unauthorized change of username or password of the administrator of the portal. | |||||
| CVE-2018-0785 | 1 Microsoft | 1 Asp.net Core | 2018-02-01 | 4.3 MEDIUM | 6.5 MEDIUM |
| ASP.NET Core 1.0, 1.1, and 2.0 allow a cross site request forgery vulnerability due to the ASP.NET Core project templates, aka "ASP.NET Core Cross Site Request Forgery Vulnerability". | |||||
| CVE-2017-16862 | 1 Atlassian | 1 Jira | 2018-01-31 | 4.3 MEDIUM | 4.3 MEDIUM |
| The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery (CSRF) vulnerability. | |||||
| CVE-2012-0699 | 1 Haudenschilt | 1 Family Connections Cms | 2018-01-31 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Family Connections CMS (aka FCMS) 2.9 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that (1) add news via an add action to familynews.php or (2) add a prayer via an add action to prayers.php. | |||||
| CVE-2017-5264 | 1 Rapid7 | 1 Nexpose | 2018-01-31 | 6.8 MEDIUM | 8.8 HIGH |
| Versions of Nexpose prior to 6.4.66 fail to adequately validate the source of HTTP requests intended for the Automated Actions administrative web application, and are susceptible to a cross-site request forgery (CSRF) attack. | |||||
