Total
7286 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-12790 | 1 Metinfo | 1 Metinfo | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Metinfo 5.3.18 is affected by: Cross Site Request Forgery (CSRF). The impact is: Information Disclosure (remote). The component is: admin/index.php. The attack vector is: The administrator clicks on the malicious link in the login state. | |||||
| CVE-2017-12789 | 1 Metinfo | 1 Metinfo | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Metinfo 5.3.18 is affected by: Cross Site Request Forgery (CSRF). The impact is: Information Disclosure (remote). The component is: admin/interface/online/delete.php. The attack vector is: The administrator clicks on the malicious link in the login state. | |||||
| CVE-2017-12415 | 1 Oxid-esales | 1 Eshop | 2024-11-21 | 5.1 MEDIUM | 7.5 HIGH |
| OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.10 (legacy), and 5.3.x before 5.3.5 (maintenance), and Professional Edition before 6.0.0 RC2 (development), 4.9.x before 4.9.10 (legacy) and 4.10.x before 4.10.5 (maintenance) allow remote attackers to hijack the cart session of a client via Cross-Site Request Forgery (CSRF) if the following pre-conditions are met: (1) the attacker knows which shop is presently used by the client, (2) the attacker knows the exact time when the customer will add product items to the cart, (3) the attacker knows which product items are already in the cart (has to know their article IDs), and (4) the attacker would be able to trick user into clicking a button (submit form) of an e-mail or remote site within the period of visiting the shop and placing an order. | |||||
| CVE-2017-12126 | 1 Moxa | 2 Edr-810, Edr-810 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An exploitable cross-site request forgery vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP packet can cause cross-site request forgery. An attacker can create malicious HTML to trigger this vulnerability. | |||||
| CVE-2017-11649 | 1 Draytek | 2 Vigorap 910c, Vigorap 910c Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in DrayTek Vigor AP910C devices with firmware 1.2.0_RC3 build r6594 allows remote attackers to hijack the authentication of unspecified users for requests that enable SNMP on the remote device via vectors involving goform/setSnmp. | |||||
| CVE-2017-1000504 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective. | |||||
| CVE-2017-1000499 | 1 Phpmyadmin | 1 Phpmyadmin | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a CSRF weakness. By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc. | |||||
| CVE-2017-1000479 | 2 Netgate, Opnsense Project | 2 Pfsense, Opnsense | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged execution of arbitrary code, because the error detection occurs before an X-Frame-Options header is set. This is fixed in 2.4.2-RELEASE. OPNsense, a 2015 fork of pfSense, was not vulnerable since version 16.1.16 released on June 06, 2016. The unprotected web form was removed from the code during an internal security audit under "possibly insecure" suspicions. | |||||
| CVE-2017-1000432 | 1 Vanillaforums | 1 Vanilla Forums | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH |
| Vanilla Forums below 2.1.5 are affected by CSRF leading to Deleting topics and comments from forums Admin access | |||||
| CVE-2017-1000356 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts. | |||||
| CVE-2017-0933 | 1 Ubnt | 1 Edgeos | 2024-11-21 | 8.5 HIGH | 8.0 HIGH |
| Ubiquiti Networks EdgeOS version 1.9.1 and prior suffer from a Cross-Site Request Forgery (CSRF) vulnerability. An attacker with access to an operator (read-only) account could lure an admin (root) user to access the attacker-controlled page, allowing the attacker to gain admin privileges in the system. | |||||
| CVE-2017-0362 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token. | |||||
| CVE-2016-8513 | 1 Hp | 1 Version Control Repository Manager | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability in HPE Version Control Repository Manager (VCRM) was found. The problem impacts all versions prior to 7.6. | |||||
| CVE-2016-7067 | 1 Mmonit | 1 Monit | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Monit before version 5.20.0 is vulnerable to a cross site request forgery attack. Successful exploitation will enable an attacker to disable/enable all monitoring for a particular host or disable/enable monitoring for a specific service. | |||||
| CVE-2016-6578 | 1 Filecloud | 1 Filecloud | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| CodeLathe FileCloud, version 13.0.0.32841 and earlier, contains a global cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. | |||||
| CVE-2016-6557 | 1 Asus | 14 Ea-n66, Ea-n66 Firmware, Rp-ac52 and 11 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| In ASUS RP-AC52 access points with firmware version 1.0.1.1s and possibly earlier, the web interface, the web interface does not sufficiently verify whether a valid request was intentionally provided by the user. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. | |||||
| CVE-2016-3098 | 1 Thoughtbot | 1 Administrate | 2024-11-21 | N/A | 5.4 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4 and earlier allows remote attackers to hijack the user's OAuth autorization code. | |||||
| CVE-2016-15009 | 1 Openacs | 1 Bug-tracker | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability classified as problematic has been found in OpenACS bug-tracker. Affected is an unknown function of the file lib/nav-bar.adp of the component Search. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The name of the patch is aee43e5714cd8b697355ec3bf83eefee176d3fc3. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217440. | |||||
| CVE-2016-11085 | 1 Expresstech | 1 Quiz And Survey Master | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| php/qmn_options_questions_tab.php in the quiz-master-next plugin before 4.7.9 for WordPress allows CSRF, with resultant stored XSS, via the question_name parameter because js/admin_question.js mishandles parsing inside of a SCRIPT element. | |||||
| CVE-2016-11084 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF. | |||||