Total: 5481 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2018-10127 | 1 Xyhcms Project | 1 Xyhcms | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in XYHCMS 3.5. It has CSRF via an index.php?g=Manage&m=Rbac&a=addUser request, resulting in addition of an account with the administrator role.
CVE-2018-12354 | 1 Knowage-suite | 1 Knowage | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | Knowage (formerly SpagoBI) 6.1.1 allows CSRF via every form, as demonstrated by a /knowage/restful-services/2.0/analyticalDrivers/ POST request.
CVE-2018-6009 | 1 Yiiframework | 1 Yiiframework | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
CVE-2018-8718 | 1 Jenkins | 1 Mailer | 2023-12-10 | 6.0 MEDIUM | 8.0 HIGH | Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request.
CVE-2018-10803 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in the add credentials functionality in Zoho ManageEngine NetFlow Analyzer v12.3 before 12.3.125 (build 123125) allows remote attackers to inject arbitrary web script or HTML via a crafted description value. This can be exploited through CSRF.
CVE-2017-0933 | 1 Ubnt | 1 Edgeos | 2023-12-10 | 8.5 HIGH | 8.0 HIGH | Ubiquiti Networks EdgeOS version 1.9.1 and prior suffer from a Cross-Site Request Forgery (CSRF) vulnerability. An attacker with access to an operator (read-only) account could lure an admin (root) user to access the attacker-controlled page, allowing the attacker to gain admin privileges in the system.
CVE-2017-7641 | 1 Qnap | 2 Media Streaming Add-on, Qts | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2.0, and earlier does not utilize CSRF protections.
CVE-2018-9923 | 1 Icmsdev | 1 Icms | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists in admincp.php, as demonstrated by adding an article via an app=article&do=save&frame=iPHP request.
CVE-2018-7305 | 1 Mybb | 1 Mybb | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM | MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts.
CVE-2017-3965 | 1 Mcafee | 1 Network Security Manager | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | Cross-Site Request Forgery (CSRF) (aka Session Riding) vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows remote attackers to perform unauthorized tasks such as retrieving internal system information or manipulating the database via specially crafted URLs.
CVE-2018-8979 | 1 Open-audit | 1 Open-audit | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | Open-AudIT Professional 2.1 has CSRF, as demonstrated by modifying a user account or inserting XSS sequences via the credentials URI.
CVE-2014-2675 | 1 Wp-html-sitemap Project | 1 Wp-html-sitemap | 2023-12-10 | 5.8 MEDIUM | 6.5 MEDIUM | Cross-site request forgery (CSRF) vulnerability in inc/AdminPage.php in the WP HTML Sitemap plugin 1.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete the sitemap via a request to the wp-html-sitemap page in wp-admin/options-general.php.
CVE-2018-12574 | 1 Tp-link | 2 Tl-wr841n, Tl-wr841n Firmware | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | CSRF exists for all actions in the web interface on TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n devices.
CVE-2018-13032 | 1 Ecessa | 2 Shieldlink Sl175ehq, Shieldlink Sl175ehq Firmware | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | ECESSA ShieldLink SL175EHQ 10.7.4 devices have CSRF to add superuser accounts via the cgi-bin/pl_web.cgi/util_configlogin_act URI.
CVE-2018-7565 | 1 Polycom | 2 Qdx 6000, Qdx 6000 Firmware | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | CSRF exists on Polycom QDX 6000 devices.
CVE-2018-6458 | 1 Ehcp | 1 Easy Hosting Control Panel | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | Easy Hosting Control Panel (EHCP) v0.37.12.b allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection.
CVE-2018-11538 | 1 Searchblox | 1 Searchblox | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | servlet/UserServlet in SearchBlox 8.6.6 has CSRF via the u_name, u_passwd1, u_passwd2, role, and X-XSRF-TOKEN POST parameters because of CSRF Token Bypass.
CVE-2018-11679 | 1 Cmseasy | 1 Cmseasy | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in CmsEasy 6.1_20180508. There is a CSRF vulnerability that can add an article via /index.php?case=table&act=add&table=archive&admin_dir=admin.
CVE-2018-12603 | 1 Lfdycms | 1 Lfcms | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | Cross-site request forgery (CSRF) vulnerability in admin.php in LFCMS 3.7.0 allows remote attackers to hijack the authentication of unspecified users for requests that add administrator users via the s parameter, a related issue to CVE-2018-12114.
CVE-2018-11447 | 1 Siemens | 2 Scalance M875, Scalance M875 Firmware | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | A vulnerability has been identified in SCALANCE M875 (All versions). The web interface on port 443/tcp could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires user interaction by a legitimate user, who must be authenticated to the web interface as an administrative user. A successful attack could allow an attacker to interact with the web interface as an administrative user. This could allow the attacker to read or modify the device configuration, or to exploit other vulnerabilities that require authentication as an administrative user. At the time of advisory publication no public exploitation of this security vulnerability was known.