Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-15779 | 1 Quadlayers | 1 Wp Social Feed Gallery | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The insta-gallery plugin before 2.4.8 for WordPress has no nonce validation for qligg_dismiss_notice or qligg_form_item_delete.
|
|||||
| CVE-2019-15770 | 1 Hallme | 1 Woocommerce Address Book | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The woo-address-book plugin before 1.6.0 for WordPress has save calls without nonce verification checks.
|
|||||
| CVE-2019-15769 | 1 Haktansuren | 1 Handl Utm Grabber | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The handl-utm-grabber plugin before 2.6.5 for WordPress has CSRF via add_option and update_option.
|
|||||
| CVE-2019-15660 | 1 Butlerblog | 1 Wp-members | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The wp-members plugin before 3.2.8 for WordPress has CSRF.
|
|||||
| CVE-2019-15648 | 1 Elearningfreak | 1 Insert Or Embed Articulate Content | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
|
The insert-or-embed-articulate-content-into-wordpress plugin before 4.29991 for WordPress has insufficient restrictions on deleting or renaming by a Subscriber.
|
|||||
| CVE-2019-15645 | 1 Zoho | 1 Salesiq | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The zoho-salesiq plugin before 1.0.9 for WordPress has CSRF.
|
|||||
| CVE-2019-15515 | 1 Discourse | 1 Discourse | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Discourse 2.3.2 sends the CSRF token in the query string.
|
|||||
| CVE-2019-15496 | 1 Manageyourteam | 1 Myt Project Management | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
MyT Project Management 1.5.1 lacks CSRF protection and, for example, allows a user/create CSRF attack. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page.
|
|||||
| CVE-2019-15491 | 1 It-novum | 1 Openitcockpit | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
openITCOCKPIT before 3.7.1 has CSRF, aka RVID 2-445b21.
|
|||||
| CVE-2019-15329 | 1 Codection | 1 Import Users From Csv With Meta | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The import-users-from-csv-with-meta plugin before 1.14.0.3 for WordPress has CSRF.
|
|||||
| CVE-2019-15238 | 1 Cformsii Project | 1 Cformsii | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The cforms2 plugin before 15.0.2 for WordPress has CSRF related to the IP address field.
|
|||||
| CVE-2019-15229 | 1 Thedaylightstudio | 1 Fuel Cms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks section of the Admin console. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page.
|
|||||
| CVE-2019-15150 | 1 Schine.games | 1 Mw-oauth2client | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
In the OAuth2 Client extension before 0.4 for MediaWiki, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function.
|
|||||
| CVE-2019-15128 | 1 If.svnadmin Project | 1 If.svnadmin | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
iF.SVNAdmin through 1.6.2 allows svnadmin/usercreate.php CSRF to create a user.
|
|||||
| CVE-2019-15115 | 1 Profilepress | 1 Loginwp | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The peters-login-redirect plugin before 2.9.2 for WordPress has CSRF.
|
|||||
| CVE-2019-15114 | 1 Ncrafts | 1 Formcraft | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The formcraft-form-builder plugin before 1.2.2 for WordPress has CSRF.
|
|||||
| CVE-2019-15113 | 1 Codeermeneer | 1 Companion Sitemap Generator | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The companion-sitemap-generator plugin before 3.7.0 for WordPress has CSRF.
|
|||||
| CVE-2019-15089 | 1 Prise | 1 Adas | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in PRiSE adAS 1.7.0. Forms have no CSRF protection, letting an attacker execute actions as the administrator.
|
|||||
| CVE-2019-15062 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH |
|
An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)
|
|||||
| CVE-2019-15040 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
JetBrains YouTrack versions before 2019.1 had a CSRF vulnerability on the settings page.
|
|||||
| CVE-2019-14999 | 1 Atlassian | 1 Universal Plugin Manager | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The Uninstall REST endpoint in Atlassian Universal Plugin Manager before version 2.22.19, from version 3.0.0 before version 3.0.3 and from version 4.0.0 before version 4.0.3 allows remote attackers to uninstall plugins using a Cross-Site Request Forgery (CSRF) vulnerability on an authenticated administrator.
|
|||||
| CVE-2019-14998 | 1 Atlassian | 1 Jira Server | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via "cookie tossing" a CSRF cookie from a subdomain of a Jira instance.
|
|||||
| CVE-2019-14933 | 1 Webkul | 1 Bagisto | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Bagisto 0.1.5 allows CSRF under /admin URIs.
|
|||||
| CVE-2019-14836 | 1 Redhat | 1 3scale | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A vulnerability was found that the 3scale dev portal does not employ mechanisms for protection against login CSRF. An attacker could use this flaw to access unauthorized information or conduct further attacks.
|
|||||
| CVE-2019-14703 | 1 Microdigital | 6 Mdc-n2190v, Mdc-n2190v Firmware, Mdc-n4090 and 3 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A CSRF issue was discovered in webparam?user&action=set¶m=add in HTTPD on MicroDigital N-series cameras with firmware through 6400.0.8.5 to create an admin account.
|
|||||
| CVE-2019-14683 | 1 Codection | 1 Import Users From Csv With Meta | 2024-11-21 | 4.9 MEDIUM | 5.7 MEDIUM |
|
The codection "Import users from CSV with meta" plugin before 1.14.2.2 for WordPress allows wp-admin/admin-ajax.php?action=acui_delete_attachment CSRF.
|
|||||
| CVE-2019-14682 | 1 Acf\ | 1 Better Search Project | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The acf-better-search (aka ACF: Better Search) plugin before 3.3.1 for WordPress allows wp-admin/options-general.php?page=acfbs_admin_page CSRF.
|
|||||
| CVE-2019-14681 | 1 Deny All Firewall Project | 1 Deny All Firewall | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The Deny All Firewall plugin before 1.1.7 for WordPress allows wp-admin/options-general.php?page=daf_settings&daf_remove=true CSRF.
|
|||||
| CVE-2019-14680 | 1 Mijnpress | 1 Admin-renamer-extended | 2024-11-21 | 3.5 LOW | 5.7 MEDIUM |
|
The admin-renamer-extended (aka Admin renamer extended) plugin 3.2.1 for WordPress allows wp-admin/plugins.php?page=admin-renamer-extended/admin.php CSRF.
|
|||||
| CVE-2019-14679 | 1 Reputeinfosystems | 1 Arprice Lite | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
core/views/arprice_import_export.php in the ARPrice Lite plugin 2.2 for WordPress allows wp-admin/admin.php?page=arplite_import_export CSRF.
|
|||||
| CVE-2019-14551 | 1 Daskeyboard | 4 Das Keyboard 4q, Das Keyboard 5q, Das Keyboard X50q and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Das Q before 2019-08-02 allows web sites to execute arbitrary code on client machines, as demonstrated by a cross-origin /install request with an attacker-controlled releaseUrl, which triggers download and execution of code within a ZIP archive.
|
|||||
| CVE-2019-14526 | 1 Netgear | 2 Mr1100, Mr1100 Firmware | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
|
An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03. The web-interface Cross-Site Request Forgery token is stored in a dynamically generated JavaScript file, and therefore can be embedded in third party pages, and re-used against the Nighthawk web interface. This entirely bypasses the intended security benefits of the use of a CSRF-protection token.
|
|||||
| CVE-2019-14481 | 1 Adremsoft | 1 Netcrunch | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
|
AdRem NetCrunch 10.6.0.4587 has a Cross-Site Request Forgery (CSRF) vulnerability in the NetCrunch web client. Successful exploitation requires a logged-in user to open a malicious page and leads to account takeover.
|
|||||
| CVE-2019-14346 | 1 Schben | 1 Adive | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH |
|
Internal/Views/config.php in Schben Adive 2.0.7 allows admin/config CSRF to change a user password.
|
|||||
| CVE-2019-14328 | 1 Simple-membership-plugin | 1 Simple Membership | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The Simple Membership plugin before 3.8.5 for WordPress has CSRF affecting the Bulk Operation section.
|
|||||
| CVE-2019-14327 | 1 Custom Simple Rss Project | 1 Custom Simple Rss | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
A CSRF vulnerability in Settings form in the Custom Simple Rss plugin 2.0.6 for WordPress allows attackers to change the plugin settings.
|
|||||
| CVE-2019-14304 | 1 Ricoh | 104 M 2700, M 2700 Firmware, M 2701 and 101 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Ricoh SP C250DN 1.06 devices allow CSRF.
|
|||||
| CVE-2019-14240 | 1 Wcms | 1 Wcms | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
|
WCMS v0.3.2 has a CSRF vulnerability, with resultant directory traversal, to modify index.html via the /wex/html.php?finish=../index.html URI.
|
|||||
| CVE-2019-14228 | 1 Angry-frog | 1 Xavier | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Xavier PHP Management Panel 3.0 is vulnerable to Reflected POST-based XSS via the username parameter when registering a new user at admin/includes/adminprocess.php. If there is an error when registering the user, the unsanitized username will reflect via the error page. Due to the lack of CSRF protection on the admin/includes/adminprocess.php endpoint, an attacker is able to chain the XSS with CSRF in order to cause remote exploitation.
|
|||||
| CVE-2019-14216 | 1 Wp Svg Icons Project | 1 Wp Svg Icons | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in the svg-vector-icon-plugin (aka WP SVG Icons) plugin through 3.2.1 for WordPress. wp-admin/admin.php?page=wp-svg-icons-custom-set mishandles Custom Icon uploads. CSRF leads to upload of a ZIP archive containing a .php file.
|
|||||