Total
5454 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-15177 | 1 Gxlcms | 1 Gxlcms | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
In Gxlcms 2.0, a news/index.php?s=Admin-Admin-Insert CSRF attack can add an administrator account. | |||||
CVE-2018-17104 | 1 Microweber | 1 Microweber | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
An issue was discovered in Microweber 1.0.7. There is a CSRF attack (against the admin user) that can add an administrative account via api/save_user. | |||||
CVE-2018-16387 | 1 Elefantcms | 1 Elefantcms | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
An issue was discovered in Elefant CMS before 2.0.5. There is a CSRF vulnerability that can add an account via user/add. | |||||
CVE-2018-14908 | 1 Samsung | 1 Syncthru Web Service | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
Samsung Syncthru Web Service V4.05.61 is vulnerable to CSRF on every request, as demonstrated by sws.application/printinformation/printReportSetupView.sws for a "Print emails sent" action. | |||||
CVE-2018-18246 | 1 Icinga | 1 Icinga Web 2 | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module, or via /icingaweb2/config/moduleenable?name=setup to enable the setup module. | |||||
CVE-2018-19332 | 1 S-cms | 1 S-cms | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
An issue was discovered in S-CMS v1.5. There is a CSRF vulnerability that can add a new user via the admin/ajax.php?type=member&action=add URI. | |||||
CVE-2018-19225 | 1 Laobancms | 1 Laobancms | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
An issue was discovered in LAOBANCMS 2.0. admin/mima.php has CSRF. | |||||
CVE-2018-16314 | 1 Icmsdev | 1 Icms | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
An issue was discovered in admincp.php in idreamsoft iCMS 7.0.11. When verifying CSRF_TOKEN, if CSRF_TOKEN does not exist, only the Referer header is validated, which can be bypassed via an admincp.php substring in this header. | |||||
CVE-2019-0267 | 1 Sap | 1 Manufacturing Integration And Intelligence | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
SAP Manufacturing Integration and Intelligence, versions 15.0, 15.1 and 15.2, (Illuminator Servlet) currently does not provide Anti-XSRF tokens. This might lead to XSRF attacks in case the data is being posted to the Servlet from an external application. | |||||
CVE-2019-6510 | 1 Creditease-sec | 1 Insight | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
An issue was discovered in creditease-sec insight through 2018-09-11. user_delete in srcpm/app/admin/views.py allows CSRF. | |||||
CVE-2018-19291 | 1 Dilicms | 1 Dilicms | 2023-12-10 | 5.8 MEDIUM | 6.5 MEDIUM |
An issue was discovered in DiliCMS 2.4.0. There is a CSRF vulnerability that can delete a user or group via an admin/index.php/user/del/1 or admin/index.php/role/del/2 URI. | |||||
CVE-2018-20576 | 1 Orange | 2 Arv7519rw22 Livebox 2.1, Arv7519rw22 Livebox 2.1 Firmware | 2023-12-10 | 5.8 MEDIUM | 5.4 MEDIUM |
Orange Livebox 00.96.320S devices allow cgi-bin/autodialing.exe and cgi-bin/phone_test.exe CSRF, leading to arbitrary outbound telephone calls to an attacker-specified telephone number. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2. | |||||
CVE-2018-18735 | 1 Catfish-cms | 1 Catfish Blog | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
A CSRF issue was discovered in admin/Index/tiquan in catfish blog 2.0.33. | |||||
CVE-2018-18934 | 1 Popojicms | 1 Popojicms | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in PopojiCMS v2.0.1. admin_component.php is exploitable via the po-admin/route.php?mod=component&act=addnew URI by using the fupload parameter to upload a ZIP file containing arbitrary PHP code (that is extracted and can be executed). This can also be exploited via CSRF. | |||||
CVE-2018-15193 | 1 Gogs | 1 Gogs | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows remote attackers to execute admin operations via a crafted issue / link. | |||||
CVE-2019-1003012 | 2 Jenkins, Redhat | 2 Blue Ocean, Openshift Container Platform | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API. | |||||
CVE-2018-9281 | 1 Eaton | 2 9px Ups, 9px Ups Firmware | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
An issue was discovered on Eaton UPS 9PX 8000 SP devices. The administration panel is vulnerable to a CSRF attack on the change-password functionality. This vulnerability could be used to force a logged-in administrator to perform a silent password update. The affected forms are also vulnerable to Reflected Cross-Site Scripting vulnerabilities. This flaw could be triggered by driving an administrator logged into the Eaton application to a specially crafted web page. This attack could be done silently. | |||||
CVE-2018-20595 | 1 Hsweb | 1 Hsweb | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
A CSRF issue was discovered in web/authorization/oauth2/controller/OAuth2ClientController.java in hsweb 3.0.4 because the state parameter in the request is not compared with the state parameter in the session after user authentication is successful. | |||||
CVE-2018-14926 | 1 Matera | 1 Banco | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
Matera Banco 1.0.0 allows CSRF, as demonstrated by a /contingency/web/messageSend/messageSendHandler.jsp request. | |||||
CVE-2018-19334 | 1 Google | 1 Monorail | 2023-12-10 | 4.3 MEDIUM | 5.3 MEDIUM |
Google Monorail before 2018-05-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with an unsupported axis) can be used to obtain sensitive information about the content of bug reports. |