Total
9135 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-25354 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| Joomla Component jomres 9.11.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information by tricking authenticated users into visiting malicious pages. Attackers can craft HTML forms targeting the account/index endpoint with hidden fields to change passwords, email addresses, and profile details without user consent. | |||||
| CVE-2018-25343 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| Smartshop 1 contains a cross-site request forgery vulnerability that allows attackers to modify user profiles by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting editprofile.php with hidden fields for email and password parameters that execute automatically when visited by an authenticated admin user. | |||||
| CVE-2018-25337 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| Joomla JoomOCShop 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML forms targeting account endpoints like /joomoc2/?route=account/edit and to modify user information or reset passwords without user consent. | |||||
| CVE-2018-25336 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| jCart for OpenCart 2.3.0.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information without authentication. Attackers can craft malicious HTML forms targeting endpoints , and to change user credentials, passwords, and affiliate account details when victims visit the attacker-controlled page. | |||||
| CVE-2018-25334 | 2026-06-17 | N/A | 5.4 MEDIUM | ||
| Zechat 1.5 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to change a user's information by bypassing anti-CSRF protections. The application uses a CSRF token, but an attacker can use the hashtag parameter to inject an encoded payload and bypass the CSRF protection, allowing for unauthorized changes to user data. This can be exploited by tricking a user into submitting a crafted form or by using a script to obtain and set the CSRF token. | |||||
| CVE-2018-25327 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| Joomla! Component Js Jobs 1.2.0 contains a cross-site request forgery vulnerability that allows attackers to perform state-changing actions without token validation. Attackers can craft malicious HTML forms targeting administrative endpoints like job.jobenforcedelete to delete job entries or modify component settings when administrators visit attacker-controlled pages. | |||||
| CVE-2018-25321 | 1 Tp-link | 2 Tl-wr720n, Tl-wr720n Firmware | 2026-06-17 | N/A | 4.3 MEDIUM |
| TP-Link TL-WR720N wireless router contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious web requests. Attackers can modify port forwarding rules via VirtualServerRpm.htm or change WiFi security settings via WlanSecurityRpm.htm by tricking authenticated users into visiting attacker-controlled pages. | |||||
| CVE-2018-25310 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting a cross-site request forgery flaw in the web management interface. Attackers with valid credentials can leverage the CSRF vulnerability to inject and execute system commands through the Tools > System > Shell interface, gaining root-level access to the device. | |||||
| CVE-2018-25298 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Attackers can submit POST requests to /servlet/actions/merge-viewer/summary with login credentials to hijack user sessions and gain unauthorized access to the PACS system. | |||||
| CVE-2018-25200 | 1 Tomalofficial | 1 Php Oop Cms Blog | 2026-06-17 | N/A | 5.3 MEDIUM |
| OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by crafting malicious POST requests. Attackers can submit forms to the addUser.php endpoint with parameters including userName, password, email, and role set to administrative privileges to gain unauthorized access. | |||||
| CVE-2018-25190 | 1 Rul10 | 1 Easyndexer | 2026-06-17 | N/A | 5.3 MEDIUM |
| Easyndexer 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative accounts by submitting forged POST requests. Attackers can craft malicious web pages that submit POST requests to createuser.php with parameters including username, password, name, surname, and privileges set to 1 for administrator access. | |||||
| CVE-2018-25186 | 1 Tina4 | 1 Tina4 Stack | 2026-06-17 | N/A | 5.3 MEDIUM |
| Tina4 Stack 1.0.3 contains a cross-site request forgery vulnerability that allows attackers to modify admin user credentials by submitting forged POST requests to the profile endpoint. Attackers can craft HTML forms targeting the /kim/profile endpoint with hidden fields containing malicious user data like passwords and email addresses to update administrator accounts without authentication. | |||||
| CVE-2018-25177 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| Data Center Audit 2.6.2 contains a cross-site request forgery vulnerability that allows attackers to reset administrator passwords without authentication by submitting crafted POST requests. Attackers can send requests to dca_resetpw.php with parameters updateuser, pass, pass2, and submit_reset to change the admin account password and gain administrative access. | |||||
| CVE-2018-25176 | 2026-06-17 | N/A | 8.2 HIGH | ||
| Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. Attackers can also upload arbitrary files via the person photo upload functionality to the images/uploaded directory for remote code execution. | |||||
| CVE-2018-25174 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| ABC ERP 0.6.4 contains a cross-site request forgery vulnerability that allows attackers to modify administrator credentials by submitting forged requests to _configurar_perfil.php. Attackers can craft malicious forms or links containing parameters like usuario, contrasena1, contrasena2, nombre, and email to change admin account settings without authentication. | |||||
| CVE-2018-25170 | 2026-06-17 | N/A | 8.2 HIGH | ||
| DoceboLMS 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id, idC, and idU parameters. Attackers can send GET requests to the lesson.php endpoint with malicious SQL payloads to extract sensitive database information. | |||||
| CVE-2018-25156 | 1 Teradek | 2 Cube, Cube Firmware | 2026-06-17 | N/A | 4.3 MEDIUM |
| Teradek Cube 7.3.6 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft a malicious web page with a hidden form to submit password change requests to the device's system configuration interface. | |||||
| CVE-2018-25155 | 1 Teradek | 2 Slice, Slice Firmware | 2026-06-17 | N/A | 4.3 MEDIUM |
| Teradek Slice 7.3.15 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft a malicious web page that automatically submits password change requests to the device when a logged-in user visits the page. | |||||
| CVE-2018-25152 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| Ecessa Edge EV150 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a form that submits requests to the /cgi-bin/pl_web.cgi/util_configlogin_act endpoint to add superuser accounts with arbitrary credentials. | |||||
| CVE-2018-25151 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| Ecessa WANWorx WVR-30 versions before 10.7.4 contain a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft a malicious web page with a hidden form to create a new superuser account by tricking an authenticated administrator into loading the page. | |||||