Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-6366 | 1 Netgear | 5 Dgn2200 Firmware, Dgn2200v1, Dgn2200v2 and 2 more | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in NETGEAR DGN2200 routers with firmware 10.0.0.20 through 10.0.0.50 allows remote attackers to hijack the authentication of users for requests that perform DNS lookups via the host_name parameter to dnslookup.cgi. NOTE: this issue can be combined with CVE-2017-6334 to execute arbitrary code remotely.
|
|||||
| CVE-2017-3877 | 1 Cisco | 1 Unified Communications Manager | 2025-04-20 | 4.3 MEDIUM | 6.5 MEDIUM |
|
A vulnerability in the web framework of Cisco Unified Communications Manager (CallManager) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of the web interface of the affected software. More Information: CSCvb70021. Known Affected Releases: 11.5(1.11007.2).
|
|||||
| CVE-2017-6803 | 1 Solarwinds | 1 Ftp Voyager | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface in the Scheduler in SolarWinds (formerly Serv-U) FTP Voyager 16.2.0 allow remote attackers to hijack the authentication of users for requests that (1) change the admin password, (2) terminate the scheduler, or (3) possibly execute arbitrary commands via crafted requests to Admin/XML/Result.xml.
|
|||||
| CVE-2017-9064 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials.
|
|||||
| CVE-2016-0355 | 1 Ibm | 1 Sametime | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
|
IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user that has been invited to a Sametime meeting room, to cause the screen sharing to cease through the use of cross-site request forgery. IBM X-Force ID: 111894.
|
|||||
| CVE-2016-4885 | 1 Basercms | 1 Basercms | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Feed version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
|
|||||
| CVE-2017-5959 | 1 Metalgenix | 1 Genixcms | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
CSRF token bypass in GeniXCMS before 1.0.2 could result in escalation of privileges. The forgotpassword.php page can be used to acquire a token.
|
|||||
| CVE-2017-17930 | 1 Ordermanagementscript | 1 Professional Service Script | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
PHP Scripts Mall Professional Service Script has CSRF via admin/general_settingupd.php, as demonstrated by modifying a setting in the user panel.
|
|||||
| CVE-2017-15735 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary.
|
|||||
| CVE-2014-9565 | 1 Ibm | 4 En6131, En6131 Firmware, Ib6131 and 1 more | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in IBM Flex System EN6131 40Gb Ethernet and IB6131 40Gb Infiniband Switch firmware 3.4.0000 and earlier.
|
|||||
| CVE-2017-5145 | 1 Carlosgavazzi | 4 Vmu-c Em, Vmu-c Em Firmware, Vmu-c Pv and 1 more | 2025-04-20 | 7.5 HIGH | 10.0 CRITICAL |
|
An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. Successful exploitation of this CROSS-SITE REQUEST FORGERY (CSRF) vulnerability can allow execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration.
|
|||||
| CVE-2017-2238 | 1 Toshiba | 4 Hem-gw16a, Hem-gw16a Firmware, Hem-gw26a and 1 more | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlier and Toshiba Home gateway HEM-GW26A firmware HEM-GW26A-FW-V1.2.0 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
|
|||||
| CVE-2014-9137 | 1 Huawei | 11 Fusionmanager, Usg2100, Usg2100 Firmware and 8 more | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Huawei USG9500 with software V200R001C01SPC800 and earlier versions, V300R001C00; USG2100 with software V300R001C00SPC900 and earlier versions; USG2200 with software V300R001C00SPC900; USG5100 with software V300R001C00SPC900 could allow an unauthenticated, remote attacker to conduct a CSRF attack against the user of the web interface.
|
|||||
| CVE-2017-5244 | 1 Rapid7 | 1 Metasploit | 2025-04-20 | 3.5 LOW | 3.5 LOW |
|
Routes used to stop running Metasploit tasks (either particular ones or all tasks) allowed GET requests. Only POST requests should have been allowed, as the stop/stop_all routes change the state of the service. This could have allowed an attacker to stop currently-running Metasploit tasks by getting an authenticated user to execute JavaScript. As of Metasploit 4.14.0 (Update 2017061301), the routes for stopping tasks only allow POST requests, which validate the presence of a secret token to prev ...
Show More |
|||||
| CVE-2017-6918 | 1 Bigtreecms | 1 Bigtree Cms | 2025-04-20 | 4.3 MEDIUM | 4.3 MEDIUM |
|
CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to the admin/settings/update/ page. The Navigation Social can be changed.
|
|||||
| CVE-2017-2682 | 1 Siemens | 1 Ruggedcom Network Management Software | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
The Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/TCP and 8081/TCP could allow a remote attacker to perform a Cross-Site Request Forgery (CSRF) attack, potentially allowing an attacker to execute administrative operations, provided the targeted user has an active session and is induced to trigger a malicious request.
|
|||||
| CVE-2017-1000244 | 1 Jenkins | 1 Favorite | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF resulting in data modification
|
|||||
| CVE-2017-17774 | 1 Piwigo | 1 Piwigo | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
admin/configuration.php in Piwigo 2.9.2 has CSRF.
|
|||||
| CVE-2015-2878 | 1 Watchguard | 1 Hawkeye G | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in Hexis HawkEye G 3.0.1.4912 allow remote attackers to hijack the authentication of administrators for requests that (1) add arbitrary accounts via the name parameter to interface/rest/accounts/json; turn off the (2) Url matching, (3) DNS Inject, or (4) IP Redirect Sensor in a request to interface/rest/dpi/setEnabled/1; or (5) perform whitelisting of malware MD5 hash IDs via the id parameter to interface/rest/md5-threats/whitelist.
|
|||||
| CVE-2015-4619 | 1 Denkgroot | 1 Spina | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in Spina before commit bfe44f289e336f80b6593032679300c493735e75.
|
|||||
| CVE-2017-5489 | 1 Wordpress | 1 Wordpress | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload.
|
|||||
| CVE-2017-14011 | 1 Prominent | 2 Multiflex M10a Controller, Multiflex M10a Controller Firmware | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
A Cross-Site Request Forgery issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The application does not sufficiently verify requests, making it susceptible to cross-site request forgery. This may allow an attacker to execute unauthorized code, resulting in changes to the configuration of the device.
|
|||||
| CVE-2016-5937 | 1 Ibm | 1 Kenexa Lcms Premier | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
IBM Kenexa LCMS Premier on Cloud is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
|
|||||
| CVE-2016-4882 | 1 Basercms | 1 Basercms | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
|
|||||
| CVE-2017-12651 | 1 Loginizer | 1 Loginizer | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross Site Request Forgery (CSRF) exists in the Blacklist and Whitelist IP Wizard in init.php in the Loginizer plugin before 1.3.6 for WordPress because the HTTP Referer header is not checked.
|
|||||
| CVE-2017-14267 | 1 Ee | 2 4gee Wifi Mbb, 4gee Wifi Mbb Firmware | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
EE 4GEE WiFi MBB (before EE60_00_05.00_31) devices have CSRF, related to goform/AddNewProfile, goform/setWanDisconnect, goform/setSMSAutoRedirectSetting, goform/setReset, and goform/uploadBackupSettings.
|
|||||
| CVE-2017-6042 | 1 Sierra Wireless | 4 Airlink Raven Xe, Airlink Raven Xe Firmware, Airlink Raven Xt and 1 more | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
A Cross-Site Request Forgery issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Affected devices do not verify if a request was intentionally sent by the logged-in user, which may allow an attacker to trick a client into making an unintentional request to the web server that will be treated as an authentic request.
|
|||||
| CVE-2016-0720 | 3 Clusterlabs, Fedoraproject, Redhat | 3 Pcs, Fedora, Enterprise Linux | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149.
|
|||||
| CVE-2017-7881 | 1 Bigtreecms | 1 Bigtree Cms | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header. This was found in core/admin/modules/developer/_header.php and patched in core/inc/bigtree/admin.php on 2017-04-14.
|
|||||
| CVE-2016-3691 | 1 Kallithea-scm | 1 Kallithea | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Routes in Kallithea before 0.3.2 allows remote attackers to bypass the CSRF protection by using the GET HTTP request method.
|
|||||
| CVE-2017-8099 | 1 Browserweb Inc | 1 Whizz | 2025-04-20 | 5.8 MEDIUM | 8.1 HIGH |
|
There is CSRF in the WHIZZ plugin before 1.1.1 for WordPress, allowing attackers to delete any WordPress users and change the plugin's status via a GET request.
|
|||||
| CVE-2017-7666 | 1 Apache | 1 Openmeetings | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks.
|
|||||
| CVE-2017-1442 | 1 Ibm | 1 Emptoris Services Procurement | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
IBM Emptoris Services Procurement 10.0.0.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 128107.
|
|||||
| CVE-2017-17990 | 1 Iwcnetwork | 1 Biometric Shift Employee Management System | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Biometric Shift Employee Management System has CSRF via index.php in an edit_holiday action.
|
|||||
| CVE-2017-8138 | 1 Huawei | 1 Hedex Lite | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
HedEx Earlier than V200R006C00 versions has a cross-site request forgery (CSRF) vulnerability. An attacker could trick a user into accessing a website containing malicious scripts which may tamper with configurations and interrupt normal services.
|
|||||
| CVE-2017-2688 | 1 Siemens | 1 Ruggedcom Rox I | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
The integrated web server in Siemens RUGGEDCOM ROX I (all versions) at port 10000/TCP could allow remote attackers to perform actions with the privileges of an authenticated user, provided the targeted user has an active session and is induced into clicking on a malicious link or into visiting a malicious website, aka CSRF.
|
|||||
| CVE-2016-8737 | 1 Apache | 1 Brooklyn | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker's commands as the user. There is known to be a proof-of-concept exploit using this vulnerability.
|
|||||
| CVE-2017-14925 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2025-04-20 | 6.0 MEDIUM | 8.0 HIGH |
|
Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to edit global permissions if an administrator opens a wiki page with an IMG element, related to tiki-objectpermissions.php. For example, an attacker could assign administrator privileges to every unauthenticated user of the site.
|
|||||
| CVE-2015-3191 | 2 Cloudfoundry, Pivotal Software | 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the change_email form in UAA is vulnerable to a CSRF attack. This allows an attacker to trigger an e-mail change for a user logged into a cloud foundry instance via a malicious link on a attacker controlled site. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integratio ...
Show More |
|||||
| CVE-2017-7926 | 1 Osisoft | 1 Pi Web Api | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
A Cross-Site Request Forgery issue was discovered in OSIsoft PI Web API versions prior to 2017 (1.9.0). The vulnerability allows cross-site request forgery (CSRF) attacks to occur when an otherwise-unauthorized cross-site request is sent from a browser the server has previously authenticated.
|
|||||