Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-5963 | 1 Zoho | 1 Salesiq | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in Zoho SalesIQ 1.0.8 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
|
|||||
| CVE-2019-5960 | 1 Custom4web | 1 Wp Open Graph | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in WP Open Graph 1.6.1 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
|
|||||
| CVE-2019-5924 | 1 Rednao | 1 Smart Forms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in Smart Forms 2.6.15 and earlier allows remote attackers to hijack the authentication of administrators via a specially crafted page.
|
|||||
| CVE-2019-5920 | 1 Ncrafts | 1 Formcraft | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in FormCraft 1.2.1 and earlier allows remote attackers to hijack the authentication of administrators via a specially crafted page.
|
|||||
| CVE-2019-5814 | 4 Debian, Fedoraproject, Google and 1 more | 5 Debian Linux, Fedora, Chrome and 2 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Insufficient policy enforcement in Blink in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
|
|||||
| CVE-2019-5630 | 1 Rapid7 | 1 Nexpose | 2024-11-21 | 6.8 MEDIUM | 5.9 MEDIUM |
|
A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using Flash to circumvent a cross-domain pre-flight OPTIONS request.
|
|||||
| CVE-2019-5431 | 1 Twitter | 1 Twitter Kit | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
|
This vulnerability was caused by an incomplete fix to CVE-2017-0911. Twitter Kit for iOS versions 3.0 to 3.4.0 is vulnerable to a callback verification flaw in the "Login with Twitter" component allowing an attacker to provide alternate credentials. In the final step of "Login with Twitter" authentication information is passed back to the application using the registered custom URL scheme (typically twitterkit-<consumer-key>) on iOS. Because the callback handler did not verify the authenticity o ...
Show More |
|||||
| CVE-2019-5430 | 1 Ui | 1 Unifi Video | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
In UniFi Video 3.10.0 and prior, due to the lack of CSRF protection, it is possible to abuse the Web API to make changes on the server configuration without the user consent, requiring the attacker to lure an authenticated user to access on attacker controlled page.
|
|||||
| CVE-2019-5318 | 2 Arubanetworks, Siemens | 3 Arubaos, Scalance W1750d, Scalance W1750d Firmware | 2024-11-21 | 7.1 HIGH | 6.5 MEDIUM |
|
A remote cross-site request forgery (csrf) vulnerability was discovered in Aruba Operating System Software version(s): 6.x.x.x: all versions, 8.x.x.x: all versions prior to 8.8.0.0. Aruba has released patches for ArubaOS that address this security vulnerability.
|
|||||
| CVE-2019-4750 | 1 Ibm | 1 Cloud App Management | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
IBM Cloud App Management 2019.3.0 and 2019.4.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 173310.
|
|||||
| CVE-2019-4736 | 1 Ibm | 1 Financial Transaction Manager For Multiplatform | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
IBM Financial Transaction Manager 3.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 172706.
|
|||||
| CVE-2019-4726 | 1 Ibm | 1 Sterling B2b Integrator | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 172363.
|
|||||
| CVE-2019-4613 | 1 Ibm | 1 Planning Analytics | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
IBM Planning Analytics 2.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 168524.
|
|||||
| CVE-2019-4515 | 1 Ibm | 1 Security Key Lifecycle Manager | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
IBM Security Key Lifecycle Manager 3.0 and 3.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 165137.
|
|||||
| CVE-2019-4231 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 159356.
|
|||||
| CVE-2019-4212 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
IBM QRadar SIEM 7.2 and 7.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 159132.
|
|||||
| CVE-2019-4167 | 1 Ibm | 1 Storediq | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
IBM StoredIQ 7.6.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158700.
|
|||||
| CVE-2019-4142 | 1 Ibm | 1 Cloud Private | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
IBM Cloud Private 2.1.0, 3.1.0, 3.1.1, and 3.1.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158338.
|
|||||
| CVE-2019-4117 | 1 Ibm | 1 Cloud Private | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
IBM Cloud Private 3.1.1 and 3.1.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158116.
|
|||||
| CVE-2019-4095 | 1 Ibm | 1 Cloud Pak System | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158015.
|
|||||
| CVE-2019-3959 | 1 Wallaceit | 1 Wallacepos | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery in WallacePOS 1.4.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
|
|||||
| CVE-2019-3876 | 1 Redhat | 1 Openshift Container Platform | 2024-11-21 | 4.3 MEDIUM | 6.3 MEDIUM |
|
A flaw was found in the /oauth/token/request custom endpoint of the OpenShift OAuth server allowing for XSS generation of CLI tokens due to missing X-Frame-Options and CSRF protections. If not otherwise prevented, a separate XSS vulnerability via JavaScript could further allow for the extraction of these tokens.
|
|||||
| CVE-2019-3864 | 1 Redhat | 1 Quay | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A vulnerability was discovered in all quay-2 versions before quay-3.0.0, in the Quay web GUI where POST requests include a specific parameter which is used as a CSRF token. The token is not refreshed for every request or when a user logged out and in again. An attacker could use a leaked token to gain access to the system using the user's account.
|
|||||
| CVE-2019-3809 | 1 Moodle | 1 Moodle | 2024-11-21 | 7.5 HIGH | 6.5 MEDIUM |
|
A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page.
|
|||||
| CVE-2019-3718 | 1 Dell | 1 Supportassist | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Dell SupportAssist Client versions prior to 3.2.0.90 contain an improper origin validation vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability to attempt CSRF attacks on users of the impacted systems.
|
|||||
| CVE-2019-3604 | 1 Mcafee | 1 Epolicy Orchestrator | 2024-11-21 | 6.8 MEDIUM | 4.8 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in McAfee ePO (legacy) Cloud allows unauthenticated users to perform unintended ePO actions using an authenticated user's session via unspecified vectors.
|
|||||
| CVE-2019-3410 | 1 Zte | 2 Wf820\+ Lte Outdoor Cpe, Wf820\+ Lte Outdoor Cpe Firmware | 2024-11-21 | 6.8 MEDIUM | 4.6 MEDIUM |
|
All versions up to UKBB_WF820+_1.0.0B06 of ZTE WF820+ LTE Outdoor CPE product are impacted by Cross-Site Request Forgery vulnerability,which stems from the fact that WEB applications do not adequately verify whether requests come from trusted users. An attacker can exploit this vulnerability to send unexpected requests to the server through the affected client.
|
|||||
| CVE-2019-25064 | 1 Theaccessgroup | 1 Corehr Core Portal | 2024-11-21 | 6.8 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in CoreHR Core Portal up to 27.0.7. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross site request forgery. It is possible to launch the attack remotely. Upgrading to version 27.0.8 is able to address this issue. It is recommended to upgrade the affected component.
|
|||||
| CVE-2019-20891 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php.
|
|||||
| CVE-2019-20865 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF.
|
|||||
| CVE-2019-20841 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. CSRF can sometimes occur via a crafted web site for account takeover attacks.
|
|||||
| CVE-2019-20804 | 1 Gilacms | 1 Gila Cms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Gila CMS before 1.11.6 allows CSRF with resultant XSS via the admin/themes URI, leading to compromise of the admin account.
|
|||||
| CVE-2019-20691 | 1 Netgear | 24 D3600, D3600 Firmware, D6000 and 21 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Certain NETGEAR devices are affected by CSRF. This affects D3600 before 1.0.0.72, D6000 before 1.0.0.72, EX3700 before 1.0.0.70, EX3800 before 1.0.0.70, EX6000 before 1.0.0.30, EX6100 before 1.0.2.24, EX6120 before 1.0.0.40, EX6130 before 1.0.0.22, EX6150v1 before 1.0.0.42, EX6200 before 1.0.3.88, EX7000 before 1.0.0.66, and WN2500RPv2 before 1.0.1.54.
|
|||||
| CVE-2019-20487 | 1 Netgear | 2 Wnr1000, Wnr1000 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multiple actions within the WNR1000V4 web management console are vulnerable to an unauthenticated GET request (exploitable directly or through CSRF), as demonstrated by the setup.cgi?todo=save_htp_account URI.
|
|||||
| CVE-2019-20480 | 1 Miele | 2 Xgw 3000 Zigbee Gateway, Xgw 3000 Zigbee Gateway Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
In MIELE XGW 3000 ZigBee Gateway before 2.4.0, a malicious website visited by an authenticated admin user or a malicious mail is allowed to make arbitrary changes in the "admin panel" because there is no CSRF protection.
|
|||||
| CVE-2019-20415 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before 8.1.0.
|
|||||
| CVE-2019-20411 | 1 Atlassian | 3 Jira, Jira Data Center, Jira Server | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
|
|||||
| CVE-2019-20405 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The JMX monitoring flag in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to turn the JMX monitoring flag off or on via a Cross-site request forgery (CSRF) vulnerability.
|
|||||
| CVE-2019-20401 | 1 Atlassian | 1 Jira Server | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery (CSRF) vulnerabilities.
|
|||||
| CVE-2019-20390 | 1 Intelliants | 1 Subrion | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
|
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion CMS 4.2.1 that allows a remote attacker to remove files on the server without a victim's knowledge, by enticing an authenticated user to visit an attacker's web page. The application fails to validate the CSRF token for a GET request. An attacker can craft a panel/uploads/read.json?cmd=rm URL (removing this token) and send it to the victim.
|
|||||