CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CSRF)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
551 CVE-2018-10554 79 XSS CSRF 2018-04-29 2018-06-05
3.5
None Remote Medium Single system None Partial None
An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages function; (3) the ajaxhelper.php opts or background parameter; (4) the i[] array parameter to ajax_handler.php; or (5) the deploynotification.php title parameter.
552 CVE-2018-10503 352 CSRF 2018-04-27 2018-06-06
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in index.php in baijiacms V4 v4_1_4_20170105. CSRF allows adding an administrator account via op=edituser, changing the administrator password via op=changepwd, or deleting an account via op=deleteuser.
553 CVE-2018-10312 352 CSRF 2018-04-23 2018-05-24
6.8
None Remote Medium Not required Partial Partial Partial
index.php?m=member&v=pw_reset in WUZHI CMS 4.1.0 allows CSRF to change the password of a common member.
554 CVE-2018-10295 352 CSRF 2018-04-22 2018-05-25
6.8
None Remote Medium Not required Partial Partial Partial
ChemCMS v1.0.6 has CSRF by using public/admin/user/addpost.html to add an administrator account.
555 CVE-2018-10267 352 CSRF 2018-04-21 2018-05-25
6.8
None Remote Medium Not required Partial Partial Partial
WTCMS 1.0 has a CSRF vulnerability to add an administrator account via the index.php?admin&m=user&a=add_post URI.
556 CVE-2018-10266 352 CSRF 2018-04-21 2018-05-25
6.8
None Remote Medium Not required Partial Partial Partial
BEESCMS 4.0 has a CSRF vulnerability to add an administrator account via the admin/admin_admin.php?nav=list_admin_user&admin_p_nav=user URI.
557 CVE-2018-10265 352 CSRF 2018-04-21 2018-05-25
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in HongCMS v3.0.0. There is a CSRF vulnerability that can add an administrator account via the admin/index.php/users/save URI.
558 CVE-2018-10249 352 CSRF 2018-04-20 2018-05-22
6.8
None Remote Medium Not required Partial Partial Partial
baijiacms V3 has CSRF via index.php?mod=site&op=edituser&name=manager&do=user to add an administrator account.
559 CVE-2018-10248 352 CSRF 2018-04-20 2018-05-21
5.8
None Remote Medium Not required None Partial Partial
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can delete any article via index.php?m=content&f=content&v=recycle_delete.
560 CVE-2018-10233 352 CSRF 2018-04-23 2019-10-06
6.8
None Remote Medium Not required Partial Partial Partial
The User Profile & Membership plugin before 2.0.7 for WordPress has no mitigations implemented against cross site request forgery attacks. This is a structural finding throughout the entire plugin.
561 CVE-2018-10232 352 +Info CSRF 2018-07-11 2018-09-08
4.3
None Remote Medium Not required Partial None None
Cross-site request forgery (CSRF) vulnerability in TOPdesk before 8.05.017 (June 2018 version) and before 5.7.SR9 allows remote attackers to hijack the authentication of authenticated users for requests that can obtain sensitive information via unspecified vectors.
562 CVE-2018-10224 352 CSRF 2018-04-19 2018-05-17
6.0
None Remote Medium Single system Partial Partial Partial
An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability that can add a tag via /index.php/admin/tag/add.html.
563 CVE-2018-10223 352 CSRF 2018-04-19 2018-05-17
6.0
None Remote Medium Single system Partial Partial Partial
An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability that can add an admin account via /index.php/admin/admin_manage/add.html.
564 CVE-2018-10222 352 CSRF 2018-04-19 2018-05-22
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in idreamsoft iCMS V7.0. There is a CSRF vulnerability that can add a Column via /admincp.php?app=article_category&do=save&frame=iPHP.
565 CVE-2018-10188 352 CSRF 2018-04-19 2018-05-21
6.8
None Remote Medium Not required Partial Partial Partial
phpMyAdmin 4.8.0 before 4.8.0-1 has CSRF, allowing an attacker to execute arbitrary SQL statements, related to js/db_operations.js, js/tbl_operations.js, libraries/classes/Operations.php, and sql.php.
566 CVE-2018-10185 352 CSRF 2018-04-17 2018-05-21
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in TuziCMS v2.0.6. There is a CSRF vulnerability that can add an admin account, as demonstrated by a history.pushState call.
567 CVE-2018-10166 352 CSRF 2018-05-03 2018-06-12
6.8
None Remote Medium Not required Partial Partial Partial
The web management interface in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows does not have Anti-CSRF tokens in any forms. This would allow an attacker to submit authenticated requests when an authenticated user browses an attack-controlled domain. This is fixed in version 2.6.1_Windows.
568 CVE-2018-10137 352 CSRF 2018-04-16 2018-05-22
6.8
None Remote Medium Not required Partial Partial Partial
iScripts UberforX 2.2 has CSRF in the "manage_settings" section of the Admin Panel via the /cms?section=manage_settings&action=edit URI.
569 CVE-2018-10132 352 CSRF 2018-04-16 2018-05-22
6.8
None Remote Medium Not required Partial Partial Partial
PbootCMS v0.9.8 has CSRF via an admin.php/Message/mod/id/19.html?backurl=/index.php request, resulting in PHP code injection in the recontent parameter.
570 CVE-2018-10127 352 CSRF 2018-04-16 2018-05-11
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in XYHCMS 3.5. It has CSRF via an index.php?g=Manage&m=Rbac&a=addUser request, resulting in addition of an account with the administrator role.
571 CVE-2018-10117 352 CSRF 2018-04-16 2018-05-18
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in idreamsoft iCMS V7.0.7. There is a CSRF vulnerability that can add an admin account via admincp.php?app=members&do=save&frame=iPHP.
572 CVE-2018-10099 352 +Info CSRF 2018-11-20 2018-12-18
4.3
None Remote Medium Not required Partial None None
Google Monorail before 2018-04-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with duplicated columns) can be used to obtain sensitive information about the content of bug reports.
573 CVE-2018-10048 352 CSRF 2018-04-11 2018-05-09
6.8
None Remote Medium Not required Partial Partial Partial
iScripts eSwap v2.4 has CSRF via "registration_settings.php" in the Admin Panel.
574 CVE-2018-10031 352 CSRF 2018-04-11 2018-04-13
6.8
None Remote Medium Not required Partial Partial Partial
CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/moduleinterface.php.
575 CVE-2018-10030 352 CSRF 2018-04-11 2018-04-13
6.8
None Remote Medium Not required Partial Partial Partial
CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/siteprefs.php.
576 CVE-2018-9927 352 CSRF 2018-04-10 2018-05-30
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add.
577 CVE-2018-9926 352 CSRF 2018-04-10 2018-05-30
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add.
578 CVE-2018-9923 352 CSRF 2018-04-10 2018-04-17
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists in admincp.php, as demonstrated by adding an article via an app=article&do=save&frame=iPHP request.
579 CVE-2018-9856 352 CSRF 2018-04-09 2018-05-15
6.8
None Remote Medium Not required Partial Partial Partial
Kotti before 1.3.2 and 2.x before 2.0.0b2 has CSRF in the local roles implementation, as demonstrated by triggering a permission change via a /admin-document/@@share request.
580 CVE-2018-9281 352 XSS CSRF 2018-10-24 2018-12-10
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered on Eaton UPS 9PX 8000 SP devices. The administration panel is vulnerable to a CSRF attack on the change-password functionality. This vulnerability could be used to force a logged-in administrator to perform a silent password update. The affected forms are also vulnerable to Reflected Cross-Site Scripting vulnerabilities. This flaw could be triggered by driving an administrator logged into the Eaton application to a specially crafted web page. This attack could be done silently.
581 CVE-2018-9186 79 Exec Code XSS CSRF 2018-05-31 2019-04-22
4.3
None Remote Medium Not required None Partial None
A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 "CSRF validation failure" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header.
582 CVE-2018-9169 79 XSS CSRF 2018-04-16 2018-05-18
3.5
None Remote Medium Single system None Partial None
Z-BlogPHP 1.5.1 has XSS via the zb_users/plugin/AppCentre/plugin_edit.php app_id parameter. The component must be accessed directly by an administrator, or through CSRF.
583 CVE-2018-9153 434 Exec Code CSRF 2018-04-16 2018-05-23
6.5
None Remote Low Single system Partial Partial Partial
The plugin upload component in Z-BlogPHP 1.5.1 allows remote attackers to execute arbitrary PHP code via the app_id parameter to zb_users/plugin/AppCentre/plugin_edit.php because of an unanchored regular expression, a different vulnerability than CVE-2018-8893. The component must be accessed directly by an administrator, or through CSRF.
584 CVE-2018-9134 352 Exec Code CSRF 2018-03-30 2018-04-23
6.8
None Remote Medium Not required Partial Partial Partial
file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename action, as demonstrated by renaming an arbitrary file under uploads/userup to a .php file under the web root to achieve PHP code execution. This uses the oldfilename and newfilename parameters.
585 CVE-2018-9108 352 CSRF 2018-03-28 2018-04-20
6.8
None Remote Medium Not required Partial Partial Partial
CSRF in /admin/user/manage/add in QuickAppsCMS 2.0.0-beta2 allows an unauthorized remote attacker to create an account with admin privileges.
586 CVE-2018-9092 352 CSRF 2018-03-27 2018-10-30
6.8
None Remote Medium Not required Partial Partial Partial
There is a CSRF vulnerability in mc-admin/conf.php in MiniCMS 1.10 that can change the administrator account password.
587 CVE-2018-8979 352 XSS CSRF 2018-03-25 2018-04-18
6.8
None Remote Medium Not required Partial Partial Partial
Open-AudIT Professional 2.1 has CSRF, as demonstrated by modifying a user account or inserting XSS sequences via the credentials URI.
588 CVE-2018-8972 352 CSRF 2018-03-24 2018-04-24
6.8
None Remote Medium Not required Partial Partial Partial
Creditwest Bank CMS Project (aka CWCMS) through 2017-07-28 has CSRF in the functionality for updating the site configuration, which allows remote attackers to inject arbitrary PHP code, as demonstrated by a PHP shell that calls eval on request parameters.
589 CVE-2018-8925 352 CSRF 2018-06-08 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in admin/user.php in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote attackers to hijack the authentication of administrators via the (1) username, (2) password, (3) admin, (4) action, (5) uid, or (6) modify_admin parameter.
590 CVE-2018-8908 352 CSRF 2018-03-31 2018-05-09
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in /admin/?/user/add in Frog CMS 0.9.5. The application's add user functionality suffers from CSRF. A malicious user can craft an HTML page and use it to trick a victim into clicking on it; once executed, a malicious user will be created with admin privileges. This happens due to lack of an anti-CSRF token in state modification requests.
591 CVE-2018-8893 352 Exec Code CSRF 2018-03-31 2018-05-01
6.8
None Remote Medium Not required Partial Partial Partial
Z-BlogPHP 1.5.1 Zero has CSRF in plugin_edit.php, resulting in the ability to execute arbitrary PHP code.
592 CVE-2018-8892 352 CSRF 2018-12-20 2019-01-03
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery (CSRF) vulnerability in the Management Console of BlackBerry UEM versions earlier than 12.9.1 could allow an attacker to make modifications to the UEM settings in the context of a Management Console administrator.
593 CVE-2018-8817 352 CSRF 2018-03-25 2019-06-10
6.8
None Remote Medium Not required Partial Partial Partial
Wampserver before 3.1.3 has CSRF in add_vhost.php.
594 CVE-2018-8814 352 CSRF 2018-04-04 2018-05-09
5.8
None Remote Medium Not required None Partial Partial
Cross-site request forgery (CSRF) vulnerability in WolfCMS 0.8.3.1 allows remote attackers to hijack the authentication of users for requests that modify plugin/[pluginname]/settings by crafting a malicious request.
595 CVE-2018-8811 352 CSRF 2018-03-20 2018-04-13
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in system/workplace/admin/accounts/user_role.jsp in OpenCMS 10.5.3 allows remote attackers to hijack the authentication of administrative users for requests that perform privilege escalation.
596 CVE-2018-8764 352 CSRF 2018-03-27 2018-04-20
6.8
None Remote Medium Not required Partial Partial Partial
Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 places a CSRF token in the sec_token parameter of a URI, which makes it easier for remote attackers to defeat a CSRF protection mechanism by leveraging logging.
597 CVE-2018-8718 352 CSRF 2018-03-27 2018-06-07
6.0
None Remote Medium Single system Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request.
598 CVE-2018-8717 352 CSRF 2018-03-14 2018-04-09
6.8
None Remote Medium Not required Partial Partial Partial
joyplus-cms 1.6.0 has CSRF, as demonstrated by adding an administrator account via a manager/admin_ajax.php?action=save&tab={pre}manager request.
599 CVE-2018-8580 200 +Info CSRF 2018-12-11 2019-01-08
4.3
None Remote Medium Not required Partial None None
An information disclosure vulnerability exists where certain modes of the search function in Microsoft SharePoint Server are vulnerable to cross-site search attacks (a variant of cross-site request forgery, CSRF), aka "Microsoft SharePoint Information Disclosure Vulnerability." This affects Microsoft SharePoint.
600 CVE-2018-7828 352 CSRF 2019-05-22 2019-05-28
6.8
None Remote Medium Not required Partial Partial Partial
A Cross-Site Request Forgery (CSRF) vulnerability exists in the 1st Gen. Pelco Sarix Enhanced Camera and Spectra Enhanced PTZ Camera when an authenticated user clicks a specially crafted malicious link while logged into the camera.
Total number of vulnerabilities : 2521   Page : 1 2 3 4 5 6 7 8 9 10 11 12 (This Page)13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.