Vulnerabilities (CVE)

Filtered by CWE-352
Total 5281 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-20015 1 Yzmcms 1 Yzmcms 2023-12-10 6.8 MEDIUM 8.8 HIGH
YzmCMS v5.2 has admin/role/add.html CSRF.
CVE-2018-20780 1 Traq 1 Traq 2023-12-10 6.8 MEDIUM 8.8 HIGH
Traq 3.7.1 allows admin/users/new CSRF to create an admin account (aka group_id=1).
CVE-2018-15402 1 Cisco 1 Enterprise Network Virtualization Software 2023-12-10 6.8 MEDIUM 8.8 HIGH
A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks. The vulnerability is due to improper validation of Origin headers on HTTP requests within the management interface. An attacker could exploit this vulnerability by convincing a targeted user to follow a URL to a malicious website. An exploit could allow the attacker to take actions within the software with the privileges of the targeted user or gain access to sensitive information.
CVE-2018-17826 1 Hisiphp 1 Hisiphp 2023-12-10 6.8 MEDIUM 8.8 HIGH
HisiPHP 1.0.8 allows CSRF via admin.php/admin/user/adduser.html to add an administrator account. The attacker can then use that account to execute arbitrary PHP code by leveraging app/common/model/AdminAnnex.php to add .php to the default list of allowable file-upload types (.jpg, .png, .gif, .jpeg, and .ico).
CVE-2018-18935 1 Popojicms 1 Popojicms 2023-12-10 6.8 MEDIUM 8.8 HIGH
An issue was discovered in PopojiCMS v2.0.1. It has CSRF via the po-admin/route.php?mod=component&act=addnew URI, as demonstrated by adding a level=1 account.
CVE-2017-12126 1 Moxa 2 Edr-810, Edr-810 Firmware 2023-12-10 6.8 MEDIUM 8.8 HIGH
An exploitable cross-site request forgery vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP packet can cause cross-site request forgery. An attacker can create malicious HTML to trigger this vulnerability.
CVE-2018-6497 1 Microfocus 2 Cms Server, Universal Cmbd Server 2023-12-10 6.8 MEDIUM 8.8 HIGH
Remote Cross-site Request forgery (CSRF) potential has been identified in UCMBD Server version DDM Content Pack V 10.20, 10.21, 10.22, 10.22 CUP7, 10.30, 10.31, 10.32, 10.33, 10.33 CUP2, 11.0 and CMS Server version 2018.05 BACKGROUND which could allow for remote unsafe deserialization and cross-site request forgery (CSRF).
CVE-2018-11003 1 Yxcms 1 Yxcms 2023-12-10 4.3 MEDIUM 6.5 MEDIUM
An issue was discovered in YXcms 1.4.7. Cross-site request forgery (CSRF) vulnerability in protected/apps/admin/controller/adminController.php allows remote attackers to delete administrator accounts via index.php?r=admin/admin/admindel.
CVE-2018-7216 1 Tejari 1 Bravo Solution 2023-12-10 6.0 MEDIUM 8.0 HIGH
Cross-site request forgery (CSRF) vulnerability in esop/toolkit/profile/regData.do in Bravo Tejari Procurement Portal allows remote authenticated users to hijack the authentication of application users for requests that modify their personal data by leveraging lack of anti-CSRF tokens.
CVE-2018-6357 1 Acurax 1 Social Media Widget 2023-12-10 6.8 MEDIUM 8.8 HIGH
The acx_asmw_saveorder_callback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant social_widget_icon_array_order XSS.
CVE-2018-9927 1 Wuzhicms 1 Wuzhicms 2023-12-10 6.8 MEDIUM 8.8 HIGH
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add.
CVE-2018-10166 1 Tp-link 1 Eap Controller 2023-12-10 6.8 MEDIUM 8.8 HIGH
The web management interface in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows does not have Anti-CSRF tokens in any forms. This would allow an attacker to submit authenticated requests when an authenticated user browses an attack-controlled domain. This is fixed in version 2.6.1_Windows.
CVE-2017-9963 1 Schneider-electric 1 Powerscada Anywhere 2023-12-10 5.8 MEDIUM 8.1 HIGH
A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type of attack requires some level of social engineering in order to get a legitimate user to click on or access a malicious link/site containing the CSRF attack.
CVE-2018-12583 1 Akcms Project 1 Akcms 2023-12-10 5.8 MEDIUM 6.5 MEDIUM
An issue was discovered in AKCMS 6.1. CSRF can delete an article via an admincp deleteitem action to index.php.
CVE-2018-0509 1 Kkcald Project 1 Kkcald 2023-12-10 6.8 MEDIUM 8.8 HIGH
Cross-site request forgery (CSRF) vulnerability in epg search result viewer (kkcald) 0.7.21 and earlier allows an attacker to hijack the authentication of administrators via unspecified vectors.
CVE-2018-13445 1 Seacms 1 Seacms 2023-12-10 6.8 MEDIUM 8.8 HIGH
An issue was discovered in SeaCMS 6.61. There is a CSRF vulnerability that can add a user account via adm1n/admin_manager.php?action=add.
CVE-2015-7610 2 Synacor, Zimbra 2 Zimbra Collaboration Suite, Zimbra Collaboration Suite 2023-12-10 6.8 MEDIUM 8.8 HIGH
Cross-site request forgery (CSRF) vulnerability in the login form in Zimbra Collaboration Suite (aka ZCS) before 8.6.0 Patch 10, 8.7.x before 8.7.11 Patch 2, and 8.8.x before 8.8.8 Patch 1 allows remote attackers to hijack the authentication of unspecified victims by leveraging failure to use a CSRF token.
CVE-2016-0272 1 Ibm 1 Financial Transaction Manager 2023-12-10 6.0 MEDIUM 8.0 HIGH
Cross-site request forgery (CSRF) vulnerability in IBM Financial Transaction Manager (FTM) for ACH Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, Financial Transaction Manager (FTM) for Check Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, and Financial Transaction Manager (FTM) for Corporate Payment Services (CPS) for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013 allows remote attackers to hijack the authentication of arbitrary users via unspecified vectors. IBM X-Force ID: 111052.
CVE-2018-1000013 1 Jenkins 1 Release 2023-12-10 6.8 MEDIUM 8.8 HIGH
Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds.
CVE-2018-6934 1 Ordermanagementscript 1 Online Tutoring Script 2023-12-10 6.8 MEDIUM 8.8 HIGH
CSRF exists in student/personal-info in PHP Scripts Mall Online Tutoring Script 2.0.3.