Total: 8760 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2019-1003076 | 1 Jenkins | 1 Audit To Database | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | A cross-site request forgery vulnerability in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers to initiate a connection to an attacker-specified server. |
| CVE-2019-1003058 | 1 Jenkins | 1 Ftp Publisher | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | A cross-site request forgery vulnerability in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers to initiate a connection to an attacker-specified server. |
| CVE-2019-1003046 | 1 Jenkins | 1 Fortify On Demand Uploader | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | A cross-site request forgery vulnerability in Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier allows attackers to initiate a connection to an attacker-specified server. |
| CVE-2019-1003044 | 1 Jenkins | 1 Slack Notification | 2024-11-21 | 2.1 LOW | 7.1 HIGH | A cross-site request forgery vulnerability in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2019-1003022 | 1 Jenkins | 1 Monitoring | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | A denial of service vulnerability exists in Jenkins Monitoring Plugin 1.74.0 and earlier in PluginImpl.java that allows attackers to kill threads running on the Jenkins master. |
| CVE-2019-1003017 | 1 Jenkins | 1 Job Import | 2024-11-21 | 2.6 LOW | 5.3 MEDIUM | A data modification vulnerability exists in Jenkins Job Import Plugin 3.0 and earlier in JobImportAction.java that allows attackers to copy jobs from another, preconfigured Jenkins instance, potentially installing additional plugins necessary to load the imported job's configuration. |
| CVE-2019-1003016 | 1 Jenkins | 1 Job Import | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH | An exposure of sensitive information vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/JobImportAction.java, src/main/java/org/jenkins/ci/plugins/jobimport/JobImportGlobalConfig.java, src/main/java/org/jenkins/ci/plugins/jobimport/model/JenkinsSite.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, ca ... |
| CVE-2019-1003012 | 2 Jenkins, Redhat | 2 Blue Ocean, Openshift Container Platform | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to by ... |
| CVE-2019-1003010 | 2 Jenkins, Redhat | 2 Git, Openshift Container Platform | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record. |
| CVE-2019-1003008 | 1 Jenkins | 1 Warnings Next Generation | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability exists in Jenkins Warnings Next Generation Plugin 2.1.1 and earlier in src/main/java/io/jenkins/plugins/analysis/warnings/groovy/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint. |
| CVE-2019-1003007 | 1 Jenkins | 1 Warnings | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability exists in Jenkins Warnings Plugin 5.0.0 and earlier in src/main/java/hudson/plugins/warnings/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint. |
| CVE-2019-1000022 | 1 Taoensso | 1 Sente | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Taoensso Sente prior to version 1.14.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebSocket handshake endpoint that can result in a CSRF attack and a possible leak of the anti-CSRF token. This attack appears to be exploitable via a malicious request against the WebSocket handshake endpoint. This vulnerability appears to have been fixed in 1.14.0 and later. |
| CVE-2019-1000003 | 1 Mapsvg | 1 Mapsvg Lite | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | MapSVG MapSVG Lite version 3.2.3 contains a Cross-Site Request Forgery (CSRF) vulnerability in the REST endpoint /wp-admin/admin-ajax.php?action=mapsvg_save that can allow an attacker to modify post data, including embedding JavaScript. This attack appears to be exploitable when the victim is logged in to WordPress as an admin and clicks a link. This vulnerability appears to have been fixed in 3.3.0 and later. |
| CVE-2019-0398 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Due to insufficient CSRF protection, SAP BusinessObjects Business Intelligence Platform (Monitoring Application), before versions 4.1, 4.2 and 4.3, may allow an authenticated user to be made to send an unintended request to the web server, leading to Cross-Site Request Forgery. |
| CVE-2019-0267 | 1 Sap | 1 Manufacturing Integration And Intelligence | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | SAP Manufacturing Integration and Intelligence, versions 15.0, 15.1 and 15.2, (Illuminator Servlet) currently does not provide Anti-XSRF tokens. This might lead to XSRF attacks in case the data is being posted to the Servlet from an external application. |
| CVE-2019-0235 | 1 Apache | 1 Ofbiz | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks. |
| CVE-2019-0229 | 1 Apache | 1 Airflow | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks. |
| CVE-2018-9927 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add. |
| CVE-2018-9926 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add. |
| CVE-2018-9923 | 1 Icmsdev | 1 Icms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists in admincp.php, as demonstrated by adding an article via an app=article&do=save&frame=iPHP request. |
| CVE-2018-9856 | 1 Kotti Project | 1 Kotti | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Kotti before 1.3.2 and 2.x before 2.0.0b2 has CSRF in the local roles implementation, as demonstrated by triggering a permission change via a /admin-document/@@share request. |
| CVE-2018-9281 | 1 Eaton | 2 9px Ups, 9px Ups Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered on Eaton UPS 9PX 8000 SP devices. The administration panel is vulnerable to a CSRF attack on the change-password functionality. This vulnerability could be used to force a logged-in administrator to perform a silent password update. The affected forms are also vulnerable to Reflected Cross-Site Scripting vulnerabilities. This flaw could be triggered by driving an administrator logged into the Eaton application to a specially crafted web page. This attack could be done sil ... |
| CVE-2018-9134 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename action, as demonstrated by renaming an arbitrary file under uploads/userup to a .php file under the web root to achieve PHP code execution. This uses the oldfilename and newfilename parameters. |
| CVE-2018-9108 | 1 Quickappscms | 1 Quickapps Cms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | CSRF in /admin/user/manage/add in QuickAppsCMS 2.0.0-beta2 allows an unauthorized remote attacker to create an account with admin privileges. |
| CVE-2018-9092 | 1 1234n | 1 Minicms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | There is a CSRF vulnerability in mc-admin/conf.php in MiniCMS 1.10 that can change the administrator account password. |
| CVE-2018-8979 | 1 Open-audit | 1 Open-audit | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Open-AudIT Professional 2.1 has CSRF, as demonstrated by modifying a user account or inserting XSS sequences via the credentials URI. |
| CVE-2018-8972 | 1 Creditwestbank | 1 Cwcms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Creditwest Bank CMS Project (aka CWCMS) through 2017-07-28 has CSRF in the functionality for updating the site configuration, which allows remote attackers to inject arbitrary PHP code, as demonstrated by a PHP shell that calls eval on request parameters. |
| CVE-2018-8925 | 1 Synology | 1 Photo Station | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Cross-site request forgery (CSRF) vulnerability in admin/user.php in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote attackers to hijack the authentication of administrators via the (1) username, (2) password, (3) admin, (4) action, (5) uid, or (6) modify_admin parameter. |
| CVE-2018-8908 | 1 Frog Cms Project | 1 Frog Cms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in /admin/?/user/add in Frog CMS 0.9.5. The application's add user functionality suffers from CSRF. A malicious user can craft an HTML page and use it to trick a victim into clicking on it; once executed, a malicious user will be created with admin privileges. This happens due to lack of an anti-CSRF token in state modification requests. |
| CVE-2018-8893 | 1 Zblogcn | 1 Z-blogphp | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Z-BlogPHP 1.5.1 Zero has CSRF in plugin_edit.php, resulting in the ability to execute arbitrary PHP code. |
| CVE-2018-8892 | 1 Blackberry | 1 Unified Endpoint Manager | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | A cross-site request forgery (CSRF) vulnerability in the Management Console of BlackBerry UEM versions earlier than 12.9.1 could allow an attacker to make modifications to the UEM settings in the context of a Management Console administrator. |
| CVE-2018-8844 | 1 Philips | 1 E-alert Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. |
| CVE-2018-8817 | 1 Wampserver | 1 Wampserver | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Wampserver before 3.1.3 has CSRF in add_vhost.php. |
| CVE-2018-8814 | 1 Wolfcms | 1 Wolf Cms | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM | Cross-site request forgery (CSRF) vulnerability in WolfCMS 0.8.3.1 allows remote attackers to hijack the authentication of users for requests that modify plugin/[pluginname]/settings by crafting a malicious request. |
| CVE-2018-8811 | 1 Alkacon | 1 Opencms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Cross-site request forgery (CSRF) vulnerability in system/workplace/admin/accounts/user_role.jsp in OpenCMS 10.5.3 allows remote attackers to hijack the authentication of administrative users for requests that perform privilege escalation. Note: It is argued that OpenCMS allows only registered users to upload different kinds of content artifacts (SVG, .doc, .docx). The uploaded content is stored in the CMS content repository "as is". In case of scripts inside an SVG, this may or may not be "malic ... |
| CVE-2018-8764 | 2 Debian, Ldap-account-manager | 2 Debian Linux, Ldap Account Manager | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 places a CSRF token in the sec_token parameter of a URI, which makes it easier for remote attackers to defeat a CSRF protection mechanism by leveraging logging. |
| CVE-2018-8718 | 1 Jenkins | 1 Mailer | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH | Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request. |
| CVE-2018-8717 | 1 Joyplus-cms Project | 1 Joyplus-cms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | joyplus-cms 1.6.0 has CSRF, as demonstrated by adding an administrator account via a manager/admin_ajax.php?action=save&tab={pre}manager request. |
| CVE-2018-7831 | 1 Schneider-electric | 8 Modicom Bmxnor0200h, Modicom Bmxnor0200h Firmware, Modicom M340 and 5 more | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH | An Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200, allowing an attacker to send a specially crafted URL to a currently authenticated web server user to execute a password change on the web server. |
| CVE-2018-7828 | 1 Schneider-electric | 118 D6220, D6220 Firmware, D6220l and 115 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A Cross-Site Request Forgery (CSRF) vulnerability exists in the 1st Gen. Pelco Sarix Enhanced Camera and Spectra Enhanced PTZ Camera when an authenticated user clicks a specially crafted malicious link while logged into the camera. |