Total
7671 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-7822 | 1 Buffalotech | 2 Wnc01wh, Wnc01wh Firmware | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Buffalo WNC01WH devices with firmware version 1.0.0.8 and earlier allows remote attackers to hijack the authentication of a logged in user to perform unintended operations via unspecified vectors. | |||||
| CVE-2017-1000092 | 1 Jenkins | 1 Git | 2025-04-20 | 2.6 LOW | 7.5 HIGH |
| Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server. | |||||
| CVE-2014-9137 | 1 Huawei | 11 Fusionmanager, Usg2100, Usg2100 Firmware and 8 more | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Huawei USG9500 with software V200R001C01SPC800 and earlier versions, V300R001C00; USG2100 with software V300R001C00SPC900 and earlier versions; USG2200 with software V300R001C00SPC900; USG5100 with software V300R001C00SPC900 could allow an unauthenticated, remote attacker to conduct a CSRF attack against the user of the web interface. | |||||
| CVE-2017-15729 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for adding a glossary. | |||||
| CVE-2017-1000069 | 1 Oauth2 Proxy Project | 1 Oauth2 Proxy | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF in Bitly oauth2_proxy 2.1 during authentication flow | |||||
| CVE-2015-0276 | 1 Kallithea-scm | 1 Kallithea | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Kallithea before 0.2. | |||||
| CVE-2015-9233 | 1 Codepeople | 1 Cp Contact Form With Paypal | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) plugin before 1.1.6 for WordPress has CSRF with resultant XSS, related to cp_contactformpp.php and cp_contactformpp_admin_int_list.inc.php. | |||||
| CVE-2015-5182 | 1 Redhat | 1 Amq | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the jolokia API in A-MQ. | |||||
| CVE-2016-3406 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to hijack the authentication of unspecified victims via vectors involving (1) the Client uploader extension or (2) extension REST handlers, aka bugs 104294 and 104456. | |||||
| CVE-2017-7926 | 1 Osisoft | 1 Pi Web Api | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery issue was discovered in OSIsoft PI Web API versions prior to 2017 (1.9.0). The vulnerability allows cross-site request forgery (CSRF) attacks to occur when an otherwise-unauthorized cross-site request is sent from a browser the server has previously authenticated. | |||||
| CVE-2016-2965 | 1 Ibm | 1 Sametime | 2025-04-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| IBM Sametime Meeting Server 8.5.2 and 9.0 is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading a user to visit a malicious link, a remote attacker could force the user to log out of Sametime. IBM X-Force ID: 113846. | |||||
| CVE-2017-12703 | 1 Westermo | 8 Mrd-305-din, Mrd-305-din Firmware, Mrd-315-din and 5 more | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server. | |||||
| CVE-2016-4311 | 1 Wso2 | 1 Identity Server | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 allows remote attackers to hijack the authentication of privileged users for requests that process XACML requests via an entitlement/eval-policy-submit.jsp request. | |||||
| CVE-2017-8875 | 1 Codection | 1 Clean Login | 2025-04-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| CSRF in the Clean Login plugin before 1.8 for WordPress allows remote attackers to change the login redirect URL or logout redirect URL. | |||||
| CVE-2016-7980 | 1 Spip | 1 Spip | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that execute the XML validator on a local file via a crafted valider_xml request. NOTE: this issue can be combined with CVE-2016-7998 to execute arbitrary PHP code. | |||||
| CVE-2017-6086 | 1 Vimbadmin | 1 Vimbadmin | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the addAction and purgeAction functions in ViMbAdmin 3.0.15 allow remote attackers to hijack the authentication of logged administrators to (1) add an administrator user via a crafted POST request to <vimbadmin directory>/application/controllers/DomainController.php, (2) remove an administrator user via a crafted GET request to <vimbadmin directory>/application/controllers/DomainController.php, (3) change an administrator password via a crafted POST request to <vimbadmin directory>/application/controllers/DomainController.php, (4) add a mailbox via a crafted POST request to <vimbadmin directory>/application/controllers/MailboxController.php, (5) delete a mailbox via a crafted POST request to <vimbadmin directory>/application/controllers/MailboxController.php, (6) archive a mailbox address via a crafted GET request to <vimbadmin directory>/application/controllers/ArchiveController.php, (7) add an alias address via a crafted POST request to <vimbadmin directory>/application/controllers/AliasController.php, or (8) remove an alias address via a crafted GET request to <vimbadmin directory>/application/controllers/AliasController.php. | |||||
| CVE-2017-10677 | 1 Linksys | 2 Ea4500, Ea4500 Firmware | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) exists on Linksys EA4500 devices with Firmware Version before 2.1.41.164606, as demonstrated by a request to apply.cgi to disable SIP. | |||||
| CVE-2017-7851 | 2 D-link, Dlink | 2 Dcs-936l, Dcs-936l | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| D-Link DCS-936L devices with firmware before 1.05.07 have an inadequate CSRF protection mechanism that requires the device's IP address to be a substring of the HTTP Referer header. | |||||
| CVE-2017-14956 | 1 Alienvault | 1 Unified Security Management | 2025-04-20 | 3.5 LOW | 5.7 MEDIUM |
| AlienVault USM v5.4.2 and earlier offers authenticated users the functionality of exporting generated reports via the "/ossim/report/wizard_email.php" script. Besides offering an export via a local download, the script also offers the possibility to send out any report via email to a given address (either in PDF or XLS format). Since there is no anti-CSRF token protecting this functionality, it is vulnerable to Cross-Site Request Forgery attacks. | |||||
| CVE-2017-7969 | 1 Schneider-electric | 3 Citect Anywhere, Powerscada Anywhere, Powerscada Expert | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type of attack requires some level of social engineering in order to get a legitimate user to click on or access a malicious link/site containing the CSRF attack. | |||||