Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-5263 | 1 Cambiumnetworks | 10 Cnpilot E400, Cnpilot E400 Firmware, Cnpilot E410 and 7 more | 2025-04-20 | 5.4 MEDIUM | 8.0 HIGH |
|
Versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware lack CSRF controls that can mitigate the effects of CSRF attacks, which are most typically implemented as randomized per-session tokens associated with any web application function, especially destructive ones.
|
|||||
| CVE-2017-5657 | 1 Apache | 1 Archiva | 2025-04-20 | 6.0 MEDIUM | 8.0 HIGH |
|
Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site, may send an HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. administrator rights).
|
|||||
| CVE-2016-4886 | 1 Basercms | 1 Basercms | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
|
|||||
| CVE-2017-5368 | 1 Zoneminder | 1 Zoneminder | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Usernam ...
Show More |
|||||
| CVE-2017-7556 | 1 Hawt | 1 Hawtio | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Hawtio versions up to and including 1.5.3 are vulnerable to CSRF vulnerability allowing remote attackers to trick the user to visit their website containing a malicious script which can be submitted to hawtio server on behalf of the user.
|
|||||
| CVE-2017-12838 | 1 Nexusphp Project | 1 Nexusphp | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in NexusPHP 1.5 allows remote attackers to hijack the authentication of users for requests that (1) send manas via a request to mybonus.php or (2) add administrators via unspecified vectors.
|
|||||
| CVE-2017-12593 | 1 Asus | 2 Dsl-n10s Firmware, Dsl-n10s Router | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
ASUS DSL-N10S V2.1.16_APAC devices allow CSRF.
|
|||||
| CVE-2016-5809 | 1 Schneider-electric | 6 Ion5000, Ion7300, Ion7500 and 3 more | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. There is no CSRF Token generated to authenticate the user during a session. Successful exploitation of this vulnerability can allow unauthorized configuration changes to be made and saved.
|
|||||
| CVE-2017-6080 | 1 Zammad | 1 Zammad | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, caused by lack of a protection mechanism involving HTTP Access-Control headers. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid session cookie and receive the result.
|
|||||
| CVE-2015-4089 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the optionsPageRequest function in admin.php in WP Fastest Cache plugin before 0.8.3.5 for WordPress allow remote attackers to hijack the authentication of unspecified victims for requests that call the (1) saveOption, (2) deleteCache, (3) deleteCssAndJsCache, or (4) addCacheTimeout method via the wpFastestCachePage parameter in the WpFastestCacheOptions/ page.
|
|||||
| CVE-2017-6066 | 1 Intelliants | 1 Subrion Cms | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Subrion CMS 4.0.5 has CSRF in admin/languages/edit/1/. The attacker can perform any Edit Language action, and can optionally insert XSS via the title parameter.
|
|||||
| CVE-2017-16563 | 1 Grandstream | 2 Ht802, Ht802 Firmware | 2025-04-20 | 6.0 MEDIUM | 8.0 HIGH |
|
Cross-Site Request Forgery (CSRF) in the Basic Settings screen on Vonage (Grandstream) HT802 devices allows attackers to modify settings, related to cgi-bin/update.
|
|||||
| CVE-2016-6806 | 1 Apache | 1 Wicket | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed.
|
|||||
| CVE-2016-4881 | 1 Basercms | 1 Basercms | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
|
|||||
| CVE-2016-9092 | 1 Symantec | 2 Content Analysis, Mail Threat Defense | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
The Symantec Content Analysis (CA) 1.3, 2.x prior to 2.2.1.1, and Mail Threat Defense (MTD) 1.1 management consoles are susceptible to a cross-site request forging (CSRF) vulnerability. A remote attacker can use phishing or other social engineering techniques to access the management console with the privileges of an authenticated administrator user.
|
|||||
| CVE-2016-8369 | 1 Lynxspring | 1 Jenesys Bas Bridge | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1.8 and older. The application does not sufficiently verify if a request was intentionally provided by the user who submitted the request (CROSS-SITE REQUEST FORGERY).
|
|||||
| CVE-2016-4928 | 1 Juniper | 1 Junos Space | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross site request forgery vulnerability in Junos Space before 15.2R2 allows remote attackers to perform certain administrative actions on Junos Space.
|
|||||
| CVE-2017-17830 | 1 Doditsolutions | 1 Bus Booking Script | 2025-04-20 | 6.0 MEDIUM | 6.8 MEDIUM |
|
Bus Booking Script has CSRF via admin/new_master.php.
|
|||||
| CVE-2017-2244 | 1 Brother | 2 Mfc-j960dwn, Mfc-j960dwn Firmware | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in MFC-J960DWN firmware ver.D and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
|
|||||
| CVE-2016-7904 | 1 Cmsmadesimple | 1 Cms Made Simple | 2025-04-20 | 6.0 MEDIUM | 8.0 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in CMS Made Simple before 2.1.6 allows remote attackers to hijack the authentication of administrators for requests that create accounts via an admin/adduser.php request.
|
|||||
| CVE-2016-6033 | 1 Ibm | 2 Tivoli Storage Flashcopy Manager For Vmware, Tivoli Storage Manager For Virtual Environments Data Protection For Vmware | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
IBM Tivoli Storage Manager for Virtual Environments 7.1 (VMware) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM Reference #: 1995545.
|
|||||
| CVE-2015-8624 | 1 Mediawiki | 1 Mediawiki | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 does not perform token comparison in constant time before determining if a debugging message should be logged, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8623.
|
|||||
| CVE-2015-2143 | 1 Phpbugtracker Project | 1 Phpbugtracker | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to hijack the authentication of users for requests that cause an unspecified impact via unknown parameters.
|
|||||
| CVE-2017-17982 | 1 Muslim Matrimonial Script Project | 1 Muslim Matrimonial Script | 2025-04-20 | 6.0 MEDIUM | 6.8 MEDIUM |
|
PHP Scripts Mall Muslim Matrimonial Script has CSRF via admin/subadmin_edit.php.
|
|||||
| CVE-2017-8874 | 1 Acquia | 1 Mautic | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in Mautic 1.4.1 allow remote attackers to hijack the authentication of users for requests that (1) delete email campaigns or (2) delete contacts.
|
|||||
| CVE-2017-5528 | 1 Tibco | 3 Jasperreports Server, Jaspersoft, Jaspersoft Reporting And Analytics | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Multiple JasperReports Server components contain vulnerabilities which may allow authorized users to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. The impact of this vulnerability includes the theoretical disclosure of sensitive information. Affects TIBCO JasperReports Server (versions 6.1.1 and below, 6.2.0, 6.2.1, and 6.3.0), TIBCO JasperReports Server Community Edition (versions 6.3.0 and below), TIBCO JasperReports Server for ActiveMatrix BPM (versions 6 ...
Show More |
|||||
| CVE-2017-6069 | 1 Intelliants | 1 Subrion Cms | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Subrion CMS 4.0.5 has CSRF in admin/blog/add/. The attacker can add any tag, and can optionally insert XSS via the tags parameter.
|
|||||
| CVE-2016-4879 | 1 Basercms | 2 Basercms, Mail | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
|
|||||
| CVE-2014-8900 | 1 Ibm | 1 Urbancode Deploy | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in IBM UrbanCode Release 6.0.1.6 and earlier, 6.1.0.7 and earlier, and 6.1.1.1 and earlier.
|
|||||
| CVE-2017-9519 | 1 Atmail | 1 Atmail | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
atmail before 7.8.0.2 has CSRF, allowing an attacker to create a user account.
|
|||||
| CVE-2017-1000092 | 1 Jenkins | 1 Git | 2025-04-20 | 2.6 LOW | 7.5 HIGH |
|
Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server.
|
|||||
| CVE-2017-9415 | 1 Subsonic | 1 Subsonic | 2025-04-20 | 5.1 MEDIUM | 7.5 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in subsonic 6.1.1 allows remote attackers with knowledge of the target username to hijack the authentication of users for requests that change passwords via a crafted request to userSettings.view.
|
|||||
| CVE-2017-7447 | 1 Helpdezk | 1 Helpdezk | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
HelpDEZk 1.1.1 has CSRF in admin/home#/logos/ with an impact of remote execution of arbitrary PHP code.
|
|||||
| CVE-2017-7851 | 2 D-link, Dlink | 2 Dcs-936l, Dcs-936l | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
D-Link DCS-936L devices with firmware before 1.05.07 have an inadequate CSRF protection mechanism that requires the device's IP address to be a substring of the HTTP Referer header.
|
|||||
| CVE-2017-6379 | 1 Drupal | 1 Drupal | 2025-04-20 | 5.1 MEDIUM | 7.5 HIGH |
|
Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.
|
|||||
| CVE-2016-1265 | 1 Juniper | 1 Junos Space | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
A remote unauthenticated network based attacker with access to Junos Space may execute arbitrary code on Junos Space or gain access to devices managed by Junos Space using cross site request forgery (CSRF), default authentication credentials, information leak and command injection attack vectors. All versions of Juniper Networks Junos Space prior to 15.1R3 are affected.
|
|||||
| CVE-2016-4876 | 1 Basercms | 1 Basercms | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators to execute arbitrary PHP code via unspecified vectors.
|
|||||
| CVE-2017-11646 | 1 Netcomm | 2 4gt101w Bootloader, 4gt101w Software | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
NetComm Wireless 4GT101W routers with Hardware: 0.01 / Software: V1.1.8.8 / Bootloader: 1.1.3 are vulnerable to CSRF attacks, as demonstrated by using administration.html to disable the firewall. They does not contain any token that can mitigate CSRF vulnerabilities within the device.
|
|||||
| CVE-2015-9233 | 1 Codepeople | 1 Cp Contact Form With Paypal | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) plugin before 1.1.6 for WordPress has CSRF with resultant XSS, related to cp_contactformpp.php and cp_contactformpp_admin_int_list.inc.php.
|
|||||
| CVE-2016-4891 | 1 Setucocms Project | 1 Setucocms | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in SetsucoCMS all versions allows remote attackers to hijack the authentication of an administrator to change settings via unspecified vectors.
|
|||||