Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-13974 | 1 Layerbb | 1 Layerbb | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
LayerBB 1.1.3 allows conversations.php/cmd/new CSRF.
|
|||||
| CVE-2019-13961 | 1 Flatcore | 1 Flatcore | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A CSRF vulnerability was found in flatCore before 1.5, leading to the upload of arbitrary .php files via acp/core/files.upload-script.php.
|
|||||
| CVE-2019-13949 | 1 Syguestbook A5 Project | 1 Syguestbook A5 | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
SyGuestBook A5 Version 1.2 has no CSRF protection mechanism, as demonstrated by CSRF for an index.php?c=Administrator&a=update admin password change.
|
|||||
| CVE-2019-13930 | 1 Siemens | 1 Xhq | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
|
A vulnerability has been identified in XHQ (All versions < V6.0.0.2). The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires user interaction by a legitimate user, who must be authenticated to the web interface. A successful attack could allow an attacker to trigger actions via the web interface that the legitimate user is allowed to perform. This could allow the attacker to rea ...
Show More |
|||||
| CVE-2019-13920 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). Some parts of the web application are not protected against Cross Site Request Forgery (CSRF) attacks. The security vulnerability could be exploited by an attacker that is able to trigger requests of a logged-in user to the application. The vulnerability could allow switching the connectivity state of a user or a device. At the time of advisory publication no public exploitation of this security vulner ...
Show More |
|||||
| CVE-2019-13611 | 1 Python-engineio Project | 1 Python-engineio | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted.
|
|||||
| CVE-2019-13594 | 1 Mirumee | 1 Saleor | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server.
|
|||||
| CVE-2019-13563 | 1 Dlink | 2 Dir-655, Dir-655 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
D-Link DIR-655 C devices before 3.02B05 BETA03 allow CSRF for the entire management console.
|
|||||
| CVE-2019-13529 | 1 Sma | 2 Sunny Webbox, Sunny Webbox Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An attacker could send a malicious link to an authenticated operator, which may allow remote attackers to perform actions with the permissions of the user on the Sunny WebBox Firmware Version 1.6 and prior. This device uses IP addresses to maintain communication after a successful login, which would increase the ease of exploitation.
|
|||||
| CVE-2019-13516 | 1 Osisoft | 1 Pi Web Api | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
In OSIsoft PI Web API and prior, the affected product is vulnerable to a direct attack due to a cross-site request forgery protection setting that has not taken effect.
|
|||||
| CVE-2019-13497 | 1 Oneidentity | 1 Cloud Access Manager | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows CSRF for logout requests.
|
|||||
| CVE-2019-13477 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH |
|
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account.
|
|||||
| CVE-2019-13401 | 1 Fortinet | 2 Fcm-mb40, Fcm-mb40 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Dynacolor FCM-MB40 v1.2.0.0 devices have CSRF in all scripts under cgi-bin/.
|
|||||
| CVE-2019-13395 | 1 Netgear | 2 Cg3700b, Cg3700b Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The Voo branded NETGEAR CG3700b custom firmware V2.02.03 allows CSRF against all /goform/ URIs. An attacker can modify all settings including WEP/WPA/WPA2 keys, restore the router to factory settings, or even upload an entire malicious configuration file.
|
|||||
| CVE-2019-13376 | 1 Phpbb | 1 Phpbb | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS
|
|||||
| CVE-2019-13370 | 1 Ignitedcms | 1 Ignitedcms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
index.php/admin/permissions in Ignited CMS through 2017-02-19 allows CSRF to add an administrator.
|
|||||
| CVE-2019-13364 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL |
|
admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF.
|
|||||
| CVE-2019-13363 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL |
|
admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit parameter. This is exploitable via CSRF.
|
|||||
| CVE-2019-13199 | 1 Kyocera | 2 Ecosys M5526cdw, Ecosys M5526cdw Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) did not implement any mechanism to avoid CSRF. Successful exploitation of this vulnerability can lead to the takeover of a local account on the device.
|
|||||
| CVE-2019-13183 | 1 Flarum | 1 Flarum | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings.
|
|||||
| CVE-2019-13170 | 1 Xerox | 2 Phaser 3320, Phaser 3320 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Some Xerox printers (such as the Phaser 3320 V53.006.16.000) did not implement any mechanism to avoid CSRF attacks. Successful exploitation of this vulnerability can lead to the takeover of a local account on the device.
|
|||||
| CVE-2019-13071 | 1 Cyberpowersystems | 1 Powerpanel | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
CSRF in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows an attacker to submit POST requests to any forms in the web application. This can be exploited by tricking an authenticated user into visiting an attacker controlled web page.
|
|||||
| CVE-2019-13056 | 1 Cyberpanel | 1 Cyberpanel | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in CyberPanel through 1.8.4. On the user edit page, an attacker can edit the administrator's e-mail and password because of the lack of CSRF protection.
|
|||||
| CVE-2019-12934 | 1 Wp-code-highlightjs Project | 1 Wp-code-highlightjs | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
|
|||||
| CVE-2019-12923 | 1 Mailenable | 1 Mailenable | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
In MailEnable Enterprise Premium 10.23, the potential cross-site request forgery (CSRF) protection mechanism was not implemented correctly and it was possible to bypass it by removing the anti-CSRF token parameter from the request. This could allow an attacker to manipulate a user into unwittingly performing actions within the application (such as sending email, adding contacts, or changing settings) on behalf of the attacker.
|
|||||
| CVE-2019-12922 | 2 Fedoraproject, Phpmyadmin | 2 Fedora, Phpmyadmin | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
|
A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server in the Setup page.
|
|||||
| CVE-2019-12851 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49852.
|
|||||
| CVE-2019-12836 | 1 Bobronix | 1 Jeditor | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The Bobronix JEditor editor before 3.0.6 for Jira allows an attacker to add a URL/Link (to an existing issue) that can cause forgery of a request to an out-of-origin domain. This in turn may allow for a forged request that can be invoked in the context of an authenticated user, leading to stealing of session tokens and account takeover.
|
|||||
| CVE-2019-12826 | 1 Wpchef | 1 Widget Logic | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A Cross-Site-Request-Forgery (CSRF) vulnerability in widget_logic.php in the 2by2host Widget Logic plugin before 5.10.2 for WordPress allows remote attackers to execute PHP code via snippets (that are attached to widgets and then eval'd to dynamically determine their visibility) by crafting a malicious POST request that tricks administrators into adding the code.
|
|||||
| CVE-2019-12784 | 1 Verint | 1 Impact 360 | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in Verint Impact 360 15.1. At wfo/control/signin, the login form can accept submissions from external websites. In conjunction with CVE-2019-12783, this can be used by attackers to "crowdsource" bruteforce login attempts on the target site, allowing them to guess and potentially compromise valid credentials without ever sending any traffic from their own machine to the target site.
|
|||||
| CVE-2019-12769 | 1 Solarwinds | 1 Serv-u Managed File Transfer | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
SolarWinds Serv-U Managed File Transfer (MFT) Web client before 15.1.6 Hotfix 2 is vulnerable to Cross-Site Request Forgery in the file upload functionality via ?Command=Upload with the Dir and File parameters.
|
|||||
| CVE-2019-12636 | 1 Cisco | 216 Sf200-24, Sf200-24 Firmware, Sf200-24fp and 213 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the at ...
Show More |
|||||
| CVE-2019-12624 | 1 Cisco | 19 5760 Wireless Lan Controller, Catalyst 3650-12x48uq, Catalyst 3650-12x48ur and 16 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A vulnerability in the web-based management interface of Cisco IOS XE New Generation Wireless Controller (NGWC) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A ...
Show More |
|||||
| CVE-2019-12616 | 1 Phpmyadmin | 1 Phpmyadmin | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.
|
|||||
| CVE-2019-12502 | 1 Mobotix | 2 S14, S14 Firmware | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
|
There is a lack of CSRF countermeasures on MOBOTIX S14 MX-V4.2.1.61 cameras, as demonstrated by adding an admin account via the /admin/access URI.
|
|||||
| CVE-2019-12466 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Wikimedia MediaWiki through 1.32.1 allows CSRF.
|
|||||
| CVE-2019-12437 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations,
|
|||||
| CVE-2019-12363 | 1 Mybb-2fa Project | 1 Mybb-2fa | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An CSRF issue was discovered in the JN-Jones MyBB-2FA plugin through 2014-11-05 for MyBB. An attacker can forge a request to an installed mybb2fa plugin to control its state via usercp.php?action=mybb2fa&do=deactivate (or usercp.php?action=mybb2fa&do=activate). A deactivate operation lowers the security of the targeted account by disabling two factor authentication.
|
|||||
| CVE-2019-12361 | 1 Phome | 1 Empirecms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
EmpireCMS 7.5.0 has XSS via the from parameter to e/member/doaction.php, as demonstrated by a CSRF payload that changes the dynamic page template. The attacker can choose to resend the e/template/member/regsend.php registered activation mail page.
|
|||||
| CVE-2019-12273 | 1 Outsystems | 1 Outsystems | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
OutSystems Platform 10 through 11 allows ImageResourceDetail.aspx CSRF for content modifications and file uploads. NOTE: The product is self-hosted by the customer, even though it has a *.outsystemsenterprise.com domain name.) NOTE: The vendor claims that the independent researcher created the report without any type of validation and that no such vulnerability exists
|
|||||