Total: 5486 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2018-16314 | 1 Icmsdev | 1 Icms | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in admincp.php in idreamsoft iCMS 7.0.11. When verifying CSRF_TOKEN, if CSRF_TOKEN does not exist, only the Referer header is validated, which can be bypassed via an admincp.php substring in this header. |
CVE-2019-0267 | 1 Sap | 1 Manufacturing Integration And Intelligence | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | SAP Manufacturing Integration and Intelligence, versions 15.0, 15.1 and 15.2, (Illuminator Servlet) currently does not provide Anti-XSRF tokens. This might lead to XSRF attacks in case the data is being posted to the Servlet from an external application. |
CVE-2019-6510 | 1 Creditease-sec | 1 Insight | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in creditease-sec insight through 2018-09-11. user_delete in srcpm/app/admin/views.py allows CSRF. |
CVE-2018-19291 | 1 Dilicms | 1 Dilicms | 2023-12-10 | 5.8 MEDIUM | 6.5 MEDIUM | An issue was discovered in DiliCMS 2.4.0. There is a CSRF vulnerability that can delete a user or group via an admin/index.php/user/del/1 or admin/index.php/role/del/2 URI. |
CVE-2018-20576 | 1 Orange | 2 Arv7519rw22 Livebox 2.1, Arv7519rw22 Livebox 2.1 Firmware | 2023-12-10 | 5.8 MEDIUM | 5.4 MEDIUM | Orange Livebox 00.96.320S devices allow cgi-bin/autodialing.exe and cgi-bin/phone_test.exe CSRF, leading to arbitrary outbound telephone calls to an attacker-specified telephone number. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2. |
CVE-2018-18735 | 1 Catfish-cms | 1 Catfish Blog | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | A CSRF issue was discovered in admin/Index/tiquan in catfish blog 2.0.33. |
CVE-2018-18934 | 1 Popojicms | 1 Popojicms | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in PopojiCMS v2.0.1. admin_component.php is exploitable via the po-admin/route.php?mod=component&act=addnew URI by using the fupload parameter to upload a ZIP file containing arbitrary PHP code (that is extracted and can be executed). This can also be exploited via CSRF. |
CVE-2018-15193 | 1 Gogs | 1 Gogs | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows remote attackers to execute admin operations via a crafted issue / link. |
CVE-2019-1003012 | 2 Jenkins, Redhat | 2 Blue Ocean, Openshift Container Platform | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM | A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API. |
CVE-2018-9281 | 1 Eaton | 2 9px Ups, 9px Ups Firmware | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered on Eaton UPS 9PX 8000 SP devices. The administration panel is vulnerable to a CSRF attack on the change-password functionality. This vulnerability could be used to force a logged-in administrator to perform a silent password update. The affected forms are also vulnerable to Reflected Cross-Site Scripting vulnerabilities. This flaw could be triggered by driving an administrator logged into the Eaton application to a specially crafted web page. This attack could be done silently. |
CVE-2018-20595 | 1 Hsweb | 1 Hsweb | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | A CSRF issue was discovered in web/authorization/oauth2/controller/OAuth2ClientController.java in hsweb 3.0.4 because the state parameter in the request is not compared with the state parameter in the session after user authentication is successful. |
CVE-2018-14926 | 1 Matera | 1 Banco | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | Matera Banco 1.0.0 allows CSRF, as demonstrated by a /contingency/web/messageSend/messageSendHandler.jsp request. |
CVE-2018-19334 | 1 Google | 1 Monorail | 2023-12-10 | 4.3 MEDIUM | 5.3 MEDIUM | Google Monorail before 2018-05-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with an unsupported axis) can be used to obtain sensitive information about the content of bug reports. |
CVE-2018-13989 | 1 Arcelikas | 2 Grundig Smart Inter@ctive, Grundig Smart Inter@ctive Firmware | 2023-12-10 | 8.3 HIGH | 8.8 HIGH | Grundig Smart Inter@ctive TV 3.0 devices allow CSRF attacks via a POST request to TCP port 8085 containing a predictable ID value, as demonstrated by a /sendrcpackage?keyid=-2544&keysymbol=-4081 request to shut off the device. |
CVE-2018-17869 | 1 Dasan | 2 H660gw, H660gw Firmware | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | DASAN H660GW devices do not implement any CSRF protection mechanism. |
CVE-2018-15845 | 1 Gleezcms | 1 Gleez Cms | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | There is a CSRF vulnerability that can add an administrator account in Gleez CMS 1.2.0 via admin/users/add. |
CVE-2018-15565 | 1 Simple-cms Project | 1 Simple Cms | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in daveismyname simple-cms through 2014-03-11. admin/addpage.php does not require authentication for adding a page. This can also be exploited via CSRF. |
CVE-2018-14966 | 1 Emlsoft Project | 1 Emlsoft | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in EMLsoft 5.4.5. The eml/upload/eml/?action=user&do=add page allows CSRF. |
CVE-2018-17023 | 1 Asus | 2 Gt-ac5300, Gt-ac5300 Firmware | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | Cross-site request forgery (CSRF) vulnerability on ASUS GT-AC5300 routers with firmware through 3.0.0.4.384_32738 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a request to start_apply.htm. |
CVE-2018-16732 | 1 Chshcms | 1 Cscms | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | \upload\plugins\sys\admin\Setting.php in CScms 4.1 allows CSRF via admin.php/setting/ftp_save. |