Total: 9125 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-9413 | 1 Subsonic | 1 Subsonic | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Podcast feature in Subsonic 6.1.1 allow remote attackers to hijack the authentication of users for requests that (1) subscribe to a podcast via the add parameter to podcastReceiverAdmin.view or (2) update Internet Radio Settings via the urlRedirectCustomUrl parameter to networkSettings.view. NOTE: These vulnerabilities can be exploited to conduct server-side request forgery (SSRF) attacks. | |||||
| CVE-2017-9381 | 1 Getvera | 4 Veraedge, Veraedge Firmware, Veralite and 1 more | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device lets a user install or delete apps on the device through the web management interface. The device does not appear to implement any cross-site request forgery protection mechanism, which allows an attacker to trick a user who navigates to an attacker-controlled page into installing or deleting an application on the device. Note: the cross-site request forgery is a systemic issue across all other functionality of the device. | |||||
| CVE-2017-9379 | 1 Bigtreecms | 1 Bigtree Cms | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-statistics\404\clear.php and the from or to parameter to core\admin\modules\dashboard\vitals-statistics\404\create-301.php. | |||||
| CVE-2017-9365 | 1 Bigtreecms | 1 Bigtree Cms | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/pages/revisions/1/?force=false. A page with id=1 can be unlocked. | |||||
| CVE-2017-9064 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials. | |||||
| CVE-2017-9062 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2026-06-17 | 5.0 MEDIUM | 8.6 HIGH |
| In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. | |||||
| CVE-2017-9033 | 1 Trendmicro | 1 Serverprotect | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows remote attackers to hijack the authentication of users for requests to start an update from an arbitrary source via a crafted request to SProtectLinux/scanoption_set.cgi, related to the lack of anti-CSRF tokens. | |||||
| CVE-2017-8930 | 1 Simpleinvoices | 1 Simple Invoices | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Simple Invoices 2013.1.beta.8 allow remote attackers to hijack the authentication of admins for requests that can (1) create new administrator user accounts and take over the entire application, (2) create regular user accounts, or (3) change configuration parameters such as tax rates and the enable/disable status of PayPal payment modules. | |||||
| CVE-2017-8928 | 1 Mailcow | 1 Mailcow | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| mailcow 0.14, as used in "mailcow: dockerized" and other products, has CSRF. | |||||
| CVE-2017-8875 | 1 Codection | 1 Clean Login | 2026-06-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| CSRF in the Clean Login plugin before 1.8 for WordPress allows remote attackers to change the login redirect URL or logout redirect URL. | |||||
| CVE-2017-8874 | 1 Acquia | 1 Mautic | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Mautic 1.4.1 allow remote attackers to hijack the authentication of users for requests that (1) delete email campaigns or (2) delete contacts. | |||||
| CVE-2017-8848 | 1 Allen Disk Project | 1 Allen Disk | 2026-06-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| Allen Disk 1.6 has CSRF in setpass.php with an impact of changing a password. | |||||
| CVE-2017-8836 | 1 Peplink | 12 1350hw2 Firmware, 2500 Firmware, 380hw6 Firmware and 9 more | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The CGI scripts in the administrative interface are affected. This allows an attacker to execute commands if a logged-in user visits a malicious website; for example, it can be used to change the credentials of the administrative web interface. | |||||
| CVE-2017-8407 | 1 Dlink | 2 Dcs-1130, Dcs-1130 Firmware | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on D-Link DCS-1130 devices. The device lets a user change the administrative password for the web management interface. The device does not appear to implement any cross-site request forgery protection mechanism, which allows an attacker to trick a user who is logged in to the web management interface into changing that user's password. | |||||
| CVE-2017-8406 | 1 Dlink | 2 Dcs-1130, Dcs-1130 Firmware | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on D-Link DCS-1130 devices. The device serves a crossdomain.xml file that places no restriction on who may access the webserver. This allows a Flash file hosted on any domain to make calls to the device's webserver and pull any information stored on the device; in this case the user's credentials are stored in clear text on the device and can be retrieved easily. The device also does not appear to implement any cross-site request forgery (CSRF) protection mechanism, which allows an attacker to trick a user who is logged in to the web management interface into executing a cross-site Flashing attack in the user's browser and performing any action the web management interface offers; the attack steals the credentials from the response of tools_admin.cgi and displays them inside a text field. | |||||
| CVE-2017-8382 | 1 Admidio | 1 Admidio | 2026-06-17 | 3.5 LOW | 4.5 MEDIUM |
| admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts. | |||||
| CVE-2017-8334 | 1 Securifi | 6 Almond, Almond+, Almond+ Firmware and 3 more | 2026-06-17 | 6.0 MEDIUM | 8.0 HIGH |
| An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device lets a user block IP addresses through the web management interface. The device does not appear to implement any cross-site request forgery (CSRF) protection mechanism, which allows an attacker to trick a user who is logged in to the web management interface into executing a cross-site scripting payload in the user's browser and performing any action the web management interface offers. | |||||
| CVE-2017-8328 | 1 Securifi | 6 Almond, Almond+, Almond+ Firmware and 3 more | 2026-06-17 | 9.3 HIGH | 8.8 HIGH |
| An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device lets a user change the administrative password for the web management interface. The device does not appear to implement any cross-site request forgery protection mechanism, which allows an attacker to trick a user who is logged in to the web management interface into changing a user's password. This is also a systemic issue. | |||||
| CVE-2017-8138 | 1 Huawei | 1 Hedex Lite | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| HedEx versions earlier than V200R006C00 have a cross-site request forgery (CSRF) vulnerability. An attacker could trick a user into visiting a website containing malicious scripts, which may tamper with configurations and interrupt normal services. | |||||
| CVE-2017-8101 | 1 S9y | 1 Serendipity | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| There is CSRF in Serendipity 2.0.5, allowing attackers to install arbitrary themes via a GET request. | |||||
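Nearly every entry above has the same shape: a state-changing request (change the admin password, install a theme, delete an account) is authorised by the session cookie alone, which the victim's browser attaches to any request an attacker's page triggers, and in several cases a plain GET suffices. The following is an added example, not code from any of the listed vendors or from the CVE records: a minimal in-process model of a password-change handler with that defect, next to a hardened version that rejects GET, requires a per-session synchronizer token compared in constant time, and checks the Origin (or Referer) header against the site's own origin. The host router.example, the session store, the request model and the three sample requests are all constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed origin of the management UI (hypothetical host).
SITE_ORIGIN = "https://router.example"

# Constructed server-side state: session id -> session record. A real
# application would persist this; here one logged-in admin session exists.
SESSIONS = {"sid-42": {"user": "admin", "csrf_token": secrets.token_urlsafe(32)}}
CREDENTIALS = {"admin": "original-password"}


@dataclass
class Request:
    """Just enough of an HTTP request to model the browser's behaviour:
    cookies are attached automatically, Origin/Referer reflect the page that
    issued the request, and form/query fields are whatever that page chose."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


def session_for(req):
    return SESSIONS.get(req.cookies.get("session"))


def change_password_vulnerable(req):
    """The pattern behind the entries above: the only credential checked is
    the session cookie, and GET is accepted alongside POST."""
    sess = session_for(req)
    if sess is None:
        return 401
    new = req.form.get("password") or req.query.get("password")
    if not new:
        return 400
    CREDENTIALS[sess["user"]] = new
    return 200


def same_origin(value):
    """True only if an Origin or Referer value names SITE_ORIGIN exactly;
    prefix matching would accept https://router.example.attacker.test."""
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def change_password_hardened(req):
    """Same action with three checks: state changes only via POST, the form
    must carry the synchronizer token stored in its own session, and Origin
    (Referer as fallback) must match the site. A request with neither header
    is rejected, which is the fail-closed choice."""
    sess = session_for(req)
    if sess is None:
        return 401
    if req.method != "POST":
        return 405
    source = req.headers.get("Origin") or req.headers.get("Referer") or ""
    if not same_origin(source):
        return 403
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf_token"].encode()):
        return 403
    new = req.form.get("password")
    if not new:
        return 400
    CREDENTIALS[sess["user"]] = new
    return 200


def run_demo():
    """Replays three constructed requests against both handlers and returns
    (vulnerable_status, hardened_status) for each, so the difference is
    visible without running a server."""
    CREDENTIALS["admin"] = "original-password"
    cookie = {"session": "sid-42"}
    # The real settings page: same origin, token rendered into the form.
    legit = Request("POST", cookie, {"Origin": SITE_ORIGIN},
                    {"password": "new-pass",
                     "csrf_token": SESSIONS["sid-42"]["csrf_token"]})
    # A form auto-submitted by the attacker's page; the browser adds the cookie.
    forged_post = Request("POST", cookie, {"Origin": "https://attacker.test"},
                          {"password": "pwned"})
    # An <img src=...> on the attacker's page: a GET with the cookie attached.
    forged_get = Request("GET", cookie, {"Referer": "https://attacker.test/lure"},
                         query={"password": "pwned"})
    results = {}
    for name, req in (("legit", legit), ("forged_post", forged_post),
                      ("forged_get", forged_get)):
        results[name] = (change_password_vulnerable(req),
                         change_password_hardened(req))
    return results


if __name__ == "__main__":
    for name, (vuln, hard) in run_demo().items():
        print(f"{name:12s} vulnerable={vuln} hardened={hard}")
```

The token check alone would already stop the two forged requests; the Origin check is the second layer for handlers that were missed when tokens were retrofitted, which is the "systemic issue" the Vera and Securifi entries describe, and rejecting GET for state changes is what closes the Serendipity-style case where an image tag is enough.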
