Security Vulnerabilities (CSRF)

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
451 CVE-2018-14926 352 CSRF 2018-08-03 2018-10-02
6.8
None Remote Medium Not required Partial Partial Partial
Matera Banco 1.0.0 allows CSRF, as demonstrated by a /contingency/web/messageSend/messageSendHandler.jsp request.
452 CVE-2018-14910 94 Exec Code CSRF 2018-08-03 2018-10-02
6.8
None Remote Medium Not required Partial Partial Partial
SeaCMS v6.61 allows Remote Code execution by placing PHP code in an allowed IP address (aka ip) to /admin/admin_ip.php (aka /adm1n/admin_ip.php). The code is executed by visiting adm1n/admin_ip.php or data/admin/ip.php. This can also be exploited through CSRF.
453 CVE-2018-14908 352 CSRF 2018-08-03 2018-09-27
6.8
None Remote Medium Not required Partial Partial Partial
Samsung Syncthru Web Service V4.05.61 is vulnerable to CSRF on every request, as demonstrated by sws.application/printinformation/printReportSetupView.sws for a "Print emails sent" action.
454 CVE-2018-14892 352 CSRF 2018-11-27 2018-12-26
6.8
None Remote Medium Not required Partial Partial Partial
Missing protections against Cross-Site Request Forgery in the web application in ZyXEL NSA325 V2 version 4.81 allow attackers to perform state-changing actions via crafted HTTP forms.
455 CVE-2018-14783 352 CSRF 2018-08-10 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) devices with firmware 2.0.29.11 and prior are affected by a cross-site request forgery condition that allows an attacker to change passwords of the device remotely.
456 CVE-2018-14769 352 CSRF 2018-09-05 2018-11-13
6.8
None Remote Medium Not required Partial Partial Partial
VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow CSRF.
457 CVE-2018-14711 352 CSRF 2019-05-13 2019-05-14
4.3
None Remote Medium Not required None Partial None
Missing cross-site request forgery protection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to cause state-changing actions with specially crafted URLs.
458 CVE-2018-14603 352 CSRF 2018-07-26 2018-09-18
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. CSRF can occur in the Test feature of the System Hooks component.
459 CVE-2018-14583 352 CSRF 2018-07-24 2018-09-18
6.8
None Remote Medium Not required Partial Partial Partial
xyhai.php?s=/Auth/addUser in XYHCMS 3.5 allows CSRF to add a background administrator account.
460 CVE-2018-14582 352 CSRF 2018-07-24 2018-09-18
6.8
None Remote Medium Not required Partial Partial Partial
index.php?r=admini/admin/create in BageCMS V3.1.3 allows CSRF to add a background administrator account.
461 CVE-2018-14421 94 Exec Code CSRF 2018-07-19 2018-09-14
6.8
None Remote Medium Not required Partial Partial Partial
SeaCMS v6.61 allows Remote Code execution by placing PHP code in a movie picture address (aka v_pic) to /admin/admin_video.php (aka /backend/admin_video.php). The code is executed by visiting /details/index.php. This can also be exploited through CSRF.
462 CVE-2018-14420 352 CSRF 2018-07-19 2018-09-14
6.8
None Remote Medium Not required Partial Partial Partial
MetInfo 6.0.0 allows a CSRF attack to add a user account via a doaddsave action to admin/index.php, as demonstrated by an admin/index.php?anyid=47&n=admin&c=admin_admin&a=doaddsave URI.
463 CVE-2018-14331 352 CSRF 2018-07-16 2018-09-17
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in XiaoCms X1 v20140305. There is a CSRF vulnerability to change the administrator account password via admin/index.php?c=index&a=my.
464 CVE-2018-14069 352 CSRF 2018-07-15 2018-09-10
6.0
None Remote Medium Single system Partial Partial Partial
An issue was discovered in SRCMS V2.3.1. There is a CSRF vulnerability that can add a user account via admin.php?m=Admin&c=member&a=add.
465 CVE-2018-14068 352 CSRF 2018-07-15 2018-09-10
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in SRCMS V2.3.1. There is a CSRF vulnerability that can add an admin account via admin.php?m=Admin&c=manager&a=add.
466 CVE-2018-14057 352 CSRF 2018-08-17 2018-10-12
6.8
None Remote Medium Not required Partial Partial Partial
Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function.
467 CVE-2018-14029 352 CSRF 2018-07-12 2018-09-06
6.8
None Remote Medium Not required Partial Partial Partial
CSRF vulnerability in admin/user/edit in Creatiwity wityCMS 0.6.2 allows an attacker to take over a user account, as demonstrated by modifying the account's email field.
468 CVE-2018-14014 352 CSRF 2018-07-12 2018-09-06
6.8
None Remote Medium Not required Partial Partial Partial
In waimai Super Cms 20150505, there is a CSRF vulnerability that can add an admin account via admin.php?m=Member&a=adminadd.
469 CVE-2018-13993 352 CSRF 2019-05-07 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
The WebUI of PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, 48xx versions 1.0 to 1.34 is prone to CSRF.
470 CVE-2018-13989 352 CSRF 2018-07-11 2018-09-06
8.3
None Remote Medium Not required Partial Partial Complete
Grundig Smart Inter@ctive TV 3.0 devices allow CSRF attacks via a POST request to TCP port 8085 containing a predictable ID value, as demonstrated by a /sendrcpackage?keyid=-2544&keysymbol=-4081 request to shut off the device.
471 CVE-2018-13810 352 CSRF 2019-04-17 2019-07-11
4.3
None Remote Medium Not required None Partial None
A vulnerability has been identified in CP 1604 (All versions), CP 1616 (All versions). The integrated configuration web server of the affected CP devices could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires user interaction by a legitimate user. A successful attack could allow an attacker to trigger actions via the web interface that the legitimate user is allowed to perform. At the time of advisory publication no public exploitation of this vulnerability was known.
472 CVE-2018-13800 352 CSRF 2018-10-10 2019-10-09
4.9
None Remote Medium Single system Partial Partial None
A vulnerability has been identified in SIMATIC S7-1200 CPU family version 4 (All versions < V4.2.3). The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires user interaction by a legitimate user, who must be authenticated to the web interface. A successful attack could allow an attacker to trigger actions via the web interface that the legitimate user is allowed to perform. This could allow the attacker to read or modify parts of the device configuration.
473 CVE-2018-13793 352 CSRF 2018-07-09 2018-09-07
6.8
None Remote Medium Not required Partial Partial Partial
Multiple Cross Site Request Forgery (CSRF) vulnerabilities in the HTTP API in ABBYY FlexiCapture before 12 Release 1 Update 7 exist in Web Verification, Web Scanning, Web Capture, Monitoring and Administration, and Login.
474 CVE-2018-13445 352 CSRF 2018-07-08 2018-08-28
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in SeaCMS 6.61. There is a CSRF vulnerability that can add a user account via adm1n/admin_manager.php?action=add.
475 CVE-2018-13444 352 CSRF 2018-07-08 2018-08-28
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in SeaCMS 6.61. There is a CSRF vulnerability that can add an admin account via adm1n/admin_manager.php?action=save&id=2.
476 CVE-2018-13407 352 CSRF 2018-07-06 2018-08-23
5.5
None Remote Low Single system None Partial Partial
A CSRF issue was discovered in Jirafeau before 3.4.1. The "delete file" feature on the admin panel is not protected against automated requests and could be abused.
477 CVE-2018-13402 601 CSRF 2018-10-23 2018-12-03
5.8
None Remote Medium Not required Partial Partial None
Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers to attack users, and in some cases to obtain a user's Cross-site request forgery (CSRF) token, via an open redirect vulnerability.
478 CVE-2018-13401 601 CSRF 2018-10-23 2018-12-03
5.8
None Remote Medium Not required Partial Partial None
The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allows remote attackers to obtain a user's Cross-site request forgery (CSRF) token through an open redirect vulnerability.
479 CVE-2018-13398 352 CSRF 2018-09-18 2018-12-13
4.3
None Remote Medium Not required None Partial None
The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery (CSRF) vulnerability.
480 CVE-2018-13394 352 CSRF 2018-08-15 2018-10-12
4.3
None Remote Medium Not required None Partial None
The acceptAnswer resource in Atlassian Confluence Questions before version 2.6.6 (the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0) allows remote attackers to modify a comment into an answer via a Cross-site request forgery (CSRF) vulnerability.
481 CVE-2018-13393 352 CSRF 2018-08-15 2018-10-12
4.3
None Remote Medium Not required None Partial None
The convertCommentToAnswer resource in Atlassian Confluence Questions before version 2.6.6 (the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0) allows remote attackers to modify a comment into an answer via a Cross-site request forgery (CSRF) vulnerability.
482 CVE-2018-13340 352 CSRF 2018-07-05 2018-08-28
6.8
None Remote Medium Not required Partial Partial Partial
Gleez CMS 1.2.0 has CSRF, as demonstrated by a /page/add request.
483 CVE-2018-13067 352 CSRF 2018-07-02 2018-09-04
6.8
None Remote Medium Not required Partial Partial Partial
/upload/catalog/controller/account/password.php in OpenCart through 3.0.2.0 has CSRF via the index.php?route=account/password URI to change a user's password.
484 CVE-2018-13040 352 CSRF 2018-07-01 2018-08-21
6.8
None Remote Medium Not required Partial Partial Partial
OpenSID 18.06-pasca has a CSRF vulnerability. This vulnerability can add an account (at the admin level) via the index.php/man_user/insert URI.
485 CVE-2018-13032 352 CSRF 2018-07-01 2018-08-31
6.8
None Remote Medium Not required Partial Partial Partial
ECESSA ShieldLink SL175EHQ 10.7.4 devices have CSRF to add superuser accounts via the cgi-bin/pl_web.cgi/util_configlogin_act URI.
486 CVE-2018-13031 352 CSRF 2018-07-05 2018-08-27
6.8
None Remote Medium Not required Partial Partial Partial
DamiCMS v6.0.0 allows CSRF via admin.php?s=/Admin/doadd to add an administrator account.
487 CVE-2018-13010 352 CSRF 2018-06-29 2018-08-24
6.8
None Remote Medium Not required Partial Partial Partial
WSTMall v1.9.1_170316 has CSRF via the index.php?m=Admin&c=Users&a=edit URI to add a user account.
488 CVE-2018-12990 200 +Info CSRF 2018-06-30 2018-08-28
5.0
None Remote Low Not required Partial None None
phpwcms 1.8.9 allows remote attackers to discover the installation path via an invalid csrf_token_value field.
489 CVE-2018-12971 352 CSRF 2018-06-29 2018-08-20
5.8
None Remote Medium Not required None Partial Partial
EasyCMS 1.3 has CSRF via the index.php?s=/admin/user/delAll URI to delete users.
490 CVE-2018-12739 352 CSRF 2018-07-05 2018-08-27
6.8
None Remote Medium Not required Partial Partial Partial
In BEESCMS 4.0, CSRF allows administrators to be added arbitrarily, a related issue to CVE-2018-10266.
491 CVE-2018-12659 352 Bypass CSRF 2018-06-22 2018-08-08
6.8
None Remote Medium Not required Partial Partial Partial
SLiMS 8 Akasia 8.3.1 allows remote attackers to bypass the CSRF protection mechanism and obtain admin access by omitting the csrf_token parameter.
492 CVE-2018-12628 352 CSRF 2019-07-10 2019-07-11
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Eventum 3.5.0. CSRF in htdocs/manage/users.php allows creating another user with admin privileges.
493 CVE-2018-12603 352 CSRF 2018-06-25 2018-08-27
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in admin.php in LFCMS 3.7.0 allows remote attackers to hijack the authentication of unspecified users for requests that add administrator users via the s parameter, a related issue to CVE-2018-12114.
494 CVE-2018-12602 352 CSRF 2018-06-25 2018-08-27
6.8
None Remote Medium Not required Partial Partial Partial
A CSRF vulnerability exists in LFCMS 3.7.0: users can be added arbitrarily.
495 CVE-2018-12583 352 CSRF 2018-06-19 2018-08-09
5.8
None Remote Medium Not required None Partial Partial
An issue was discovered in AKCMS 6.1. CSRF can delete an article via an admincp deleteitem action to index.php.
496 CVE-2018-12582 352 CSRF 2018-06-19 2018-08-09
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in AKCMS 6.1. CSRF can add an admin account via a /index.php?file=account&action=manageaccounts&job=newaccount URI.
497 CVE-2018-12574 352 CSRF 2018-07-02 2018-09-04
6.8
None Remote Medium Not required Partial Partial Partial
CSRF exists for all actions in the web interface on TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n devices.
498 CVE-2018-12540 352 CSRF 2018-07-12 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
In versions 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler does not assert that the XSRF Cookie matches the returned XSRF header/form parameter. This allows replay attacks with previously issued tokens that have not yet expired.
499 CVE-2018-12530 352 Dir. Trav. CSRF 2018-06-18 2018-08-10
5.8
None Remote Medium Not required None Partial Partial
An issue was discovered in MetInfo 6.0.0. admin/app/batch/csvup.php allows remote attackers to delete arbitrary files via a flienamecsv=../ directory traversal. This can be exploited via CSRF.
500 CVE-2018-12529 352 CSRF 2018-07-02 2018-09-05
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered on Intex N150 devices. The router firmware suffers from multiple CSRF injection point vulnerabilities including changing user passwords and router settings.
Total number of vulnerabilities: 2521 (page 10 of 51)