Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-7746 | 1 Cobub | 1 Razor | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in Western Bridge Cobub Razor 0.7.2. Authentication is not required for /index.php?/manage/channel/modifychannel. For example, with a crafted channel name, stored XSS is triggered during a later /index.php?/manage/channel request by an admin.
|
|||||
| CVE-2018-7733 | 1 Yxtcmf | 1 Yxtcmf | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in YxtCMF 3.1. RbacController.class.php has CSRF, as demonstrated by modifying an administrator account via index.php/admin/user/add_post.html.
|
|||||
| CVE-2018-7724 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible.
|
|||||
| CVE-2018-7720 | 1 Cobub | 1 Razor | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A cross-site request forgery (CSRF) vulnerability exists in Western Bridge Cobub Razor 0.7.2 via /index.php?/user/createNewUser/, resulting in account creation.
|
|||||
| CVE-2018-7701 | 1 Securenvoy | 1 Securmail | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in SecurEnvoy SecurMail before 9.2.501 allow remote attackers to hijack the authentication of arbitrary users for requests that (1) delete e-mail messages via a delete action in a request to secmail/getmessage.exe or (2) spoof arbitrary users and reply to their messages via a request to secserver/securectrl.exe.
|
|||||
| CVE-2018-7700 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code.
|
|||||
| CVE-2018-7677 | 1 Netiq | 1 Access Manager | 2024-11-21 | 6.8 MEDIUM | 3.5 LOW |
|
A CSRF exposure exists in NetIQ Access Manager (NAM) 4.4 Identity Server component.
|
|||||
| CVE-2018-7634 | 1 Enalean | 1 Tuleap | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in Enalean Tuleap 9.17. Lack of CSRF attack mitigation while changing an e-mail address makes it possible to abuse the functionality by attackers. By making a CSRF attack, an attacker could make a victim change his registered e-mail address on the application, leading to account takeover.
|
|||||
| CVE-2018-7590 | 1 Hoosk | 1 Hoosk | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
CSRF exists in Hoosk 1.7.0 via /admin/users/new/add, resulting in account creation.
|
|||||
| CVE-2018-7565 | 1 Polycom | 2 Qdx 6000, Qdx 6000 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
CSRF exists on Polycom QDX 6000 devices.
|
|||||
| CVE-2018-7524 | 1 Geutebrueck | 4 G-cam\/efd-2250, G-cam\/efd-2250 Firmware, Topfd-2125 and 1 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A cross-site request forgery vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which may allow an unauthorized user to be added to the system.
|
|||||
| CVE-2018-7308 | 1 Hosting Project | 1 Hosting | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A CSRF issue was found in var/www/html/files.php in DanWin hosting through 2018-02-11 that allows arbitrary remote users to add/delete/modify any files in any hosting account.
|
|||||
| CVE-2018-7307 | 1 Auth0 | 1 Auth0.js | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The Auth0 Auth0.js library before 9.3 has CSRF because it mishandles the case where the authorization response lacks the state parameter.
|
|||||
| CVE-2018-7305 | 1 Mybb | 1 Mybb | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts.
|
|||||
| CVE-2018-7219 | 1 5none | 1 Nonecms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
application/admin/controller/Admin.php in NoneCms 1.3.0 has CSRF, as demonstrated by changing an admin password or adding an account via a public/index.php/admin/admin/edit.html request.
|
|||||
| CVE-2018-7216 | 1 Tejari | 1 Bravo Solution | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in esop/toolkit/profile/regData.do in Bravo Tejari Procurement Portal allows remote authenticated users to hijack the authentication of application users for requests that modify their personal data by leveraging lack of anti-CSRF tokens.
|
|||||
| CVE-2018-7176 | 1 Frontaccounting | 1 Frontaccounting | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page).
|
|||||
| CVE-2018-7097 | 1 Hp | 1 3par Service Provider | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7). The vulnerability may be exploited remotely to allow cross-site request forgery.
|
|||||
| CVE-2018-7060 | 1 Arubanetworks | 1 Clearpass | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Aruba ClearPass 6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1 is vulnerable to CSRF attacks against authenticated users. An attacker could manipulate an authenticated user into performing actions on the web administrative interface.
|
|||||
| CVE-2018-6941 | 1 Nat32 | 1 Nat32 | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A /shell?cmd= CSRF issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with XSS.
|
|||||
| CVE-2018-6940 | 1 Nat32 | 1 Nat32 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A /shell?cmd= XSS issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with CSRF.
|
|||||
| CVE-2018-6934 | 1 Ordermanagementscript | 1 Online Tutoring Script | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
CSRF exists in student/personal-info in PHP Scripts Mall Online Tutoring Script 2.0.3.
|
|||||
| CVE-2018-6907 | 1 Rainmachine | 1 Rainmachine Web Application | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A Cross Site Request Forgery (CSRF) vulnerability in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allows an attacker to control the RainMachine device via the REST API.
|
|||||
| CVE-2018-6888 | 1 Typesettercms | 1 Typesetter | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH |
|
An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from critical flaw of Cross Site Request forgery: using a forged HTTP request, a malicious user can lead a user to unknowingly create / delete or modify a user account due to the lack of an anti-CSRF token.
|
|||||
| CVE-2018-6874 | 1 Auth0 | 1 Auth0.js | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled.
|
|||||
| CVE-2018-6656 | 1 Zblogcn | 1 Z-blogphp | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
|
Z-BlogPHP 1.5.1 has CSRF via zb_users/plugin/AppCentre/app_del.php, as demonstrated by deleting files and directories.
|
|||||
| CVE-2018-6651 | 2 Parsecgaming, Uncurl Project | 2 Parsec, Uncurl | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
|
In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full control over the victim's computer.
|
|||||
| CVE-2018-6563 | 1 Totemo | 1 Encryption Gateway | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in totemomail Encryption Gateway before 6.0.0_Build_371 allow remote attackers to hijack the authentication of users for requests that (1) change user settings, (2) send emails, or (3) change contact information by leveraging lack of an anti-CSRF token.
|
|||||
| CVE-2018-6504 | 1 Microfocus | 1 Arcsight Management Center | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A potential Cross-Site Request Forgery (CSRF) vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be exploited to allow for Cross-Site Request Forgery (CSRF).
|
|||||
| CVE-2018-6497 | 1 Microfocus | 2 Cms Server, Universal Cmbd Server | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Remote Cross-site Request forgery (CSRF) potential has been identified in UCMBD Server version DDM Content Pack V 10.20, 10.21, 10.22, 10.22 CUP7, 10.30, 10.31, 10.32, 10.33, 10.33 CUP2, 11.0 and CMS Server version 2018.05 BACKGROUND which could allow for remote unsafe deserialization and cross-site request forgery (CSRF).
|
|||||
| CVE-2018-6496 | 1 Microfocus | 1 Universal Cmbd Browser | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Remote Cross-site Request forgery (CSRF) potential has been identified in UCMBD Browser version 4.10, 4.11, 4.12, 4.13, 4.14, 4.15, 4.15.1 which could allow for remote unsafe deserialization and cross-site request forgery (CSRF).
|
|||||
| CVE-2018-6467 | 1 Flickrrss Project | 1 Flickrrss | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The flickrRSS plugin 5.3.1 for WordPress has CSRF via wp-admin/options-general.php.
|
|||||
| CVE-2018-6458 | 1 Ehcp | 1 Easy Hosting Control Panel | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Easy Hosting Control Panel (EHCP) v0.37.12.b allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection.
|
|||||
| CVE-2018-6408 | 1 Conceptronic | 3 Cipcamptiwl, Cipcamptiwl Firmware, Cipcamptiwl Web Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 devices. CSRF exists in hy-cgi/user.cgi, as demonstrated by changing an administrator password or adding a new administrator account.
|
|||||
| CVE-2018-6391 | 1 Netis-systems | 2 Wf2419, Wf2419 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A cross-site request forgery web vulnerability has been discovered on Netis WF2419 V2.2.36123 devices. A remote attacker is able to delete Address Reservation List settings.
|
|||||
| CVE-2018-6357 | 1 Acurax | 1 Social Media Widget | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The acx_asmw_saveorder_callback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant social_widget_icon_array_order XSS.
|
|||||
| CVE-2018-6288 | 1 Kaspersky | 1 Secure Mail Gateway | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site Request Forgery leading to Administrative account takeover in Kaspersky Secure Mail Gateway version 1.1.
|
|||||
| CVE-2018-6224 | 1 Trendmicro | 1 Email Encryption Gateway | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A lack of cross-site request forgery (CSRF) protection vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to submit authenticated requests to a user browsing an attacker-controlled domain.
|
|||||
| CVE-2018-6023 | 1 Fastweb | 2 Fastgate, Fastgate Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Fastweb FASTgate 0.00.47 devices are vulnerable to CSRF, with impacts including Wi-Fi password changing, Guest Wi-Fi activating, etc.
|
|||||
| CVE-2018-6009 | 1 Yiiframework | 1 Yiiframework | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
|
|||||