CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CSRF)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
601 CVE-2018-7733 352 CSRF 2018-03-06 2018-03-26
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in YxtCMF 3.1. RbacController.class.php has CSRF, as demonstrated by modifying an administrator account via index.php/admin/user/add_post.html.
602 CVE-2018-7724 79 XSS CSRF 2018-03-06 2018-03-26
3.5
None Remote Medium Single system None Partial None
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible.
603 CVE-2018-7723 79 XSS CSRF 2018-03-06 2018-03-26
3.5
None Remote Medium Single system None Partial None
The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible.
604 CVE-2018-7722 79 XSS CSRF 2018-03-06 2018-03-26
3.5
None Remote Medium Single system None Partial None
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible.
605 CVE-2018-7720 352 CSRF 2018-03-07 2018-03-28
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability exists in Western Bridge Cobub Razor 0.7.2 via /index.php?/user/createNewUser/, resulting in account creation.
606 CVE-2018-7701 352 CSRF 2018-03-14 2018-04-06
5.8
None Remote Medium Not required None Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in SecurEnvoy SecurMail before 9.2.501 allow remote attackers to hijack the authentication of arbitrary users for requests that (1) delete e-mail messages via a delete action in a request to secmail/getmessage.exe or (2) spoof arbitrary users and reply to their messages via a request to secserver/securectrl.exe.
607 CVE-2018-7700 352 Exec Code CSRF 2018-03-27 2018-04-19
6.8
None Remote Medium Not required Partial Partial Partial
DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code.
608 CVE-2018-7677 352 CSRF 2018-03-14 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
A CSRF exposure exists in NetIQ Access Manager (NAM) 4.4 Identity Server component.
609 CVE-2018-7634 352 CSRF 2018-03-01 2018-03-22
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Enalean Tuleap 9.17. Lack of CSRF attack mitigation while changing an e-mail address makes it possible to abuse the functionality by attackers. By making a CSRF attack, an attacker could make a victim change his registered e-mail address on the application, leading to account takeover.
610 CVE-2018-7590 352 CSRF 2018-03-01 2018-03-16
6.8
None Remote Medium Not required Partial Partial Partial
CSRF exists in Hoosk 1.7.0 via /admin/users/new/add, resulting in account creation.
611 CVE-2018-7565 352 CSRF 2018-03-07 2018-03-26
6.8
None Remote Medium Not required Partial Partial Partial
CSRF exists on Polycom QDX 6000 devices.
612 CVE-2018-7524 352 CSRF 2018-03-22 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which may allow an unauthorized user to be added to the system.
613 CVE-2018-7308 352 CSRF 2018-02-21 2018-03-16
6.8
None Remote Medium Not required Partial Partial Partial
A CSRF issue was found in var/www/html/files.php in DanWin hosting through 2018-02-11 that allows arbitrary remote users to add/delete/modify any files in any hosting account.
614 CVE-2018-7307 352 CSRF 2018-03-06 2018-03-28
6.8
None Remote Medium Not required Partial Partial Partial
The Auth0 Auth0.js library before 9.3 has CSRF because it mishandles the case where the authorization response lacks the state parameter.
615 CVE-2018-7305 20 CSRF 2018-02-21 2018-03-16
4.0
None Remote Low Single system None Partial None
MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts.
616 CVE-2018-7219 352 CSRF 2018-02-19 2018-03-14
6.8
None Remote Medium Not required Partial Partial Partial
application/admin/controller/Admin.php in NoneCms 1.3.0 has CSRF, as demonstrated by changing an admin password or adding an account via a public/index.php/admin/admin/edit.html request.
617 CVE-2018-7216 352 CSRF 2018-02-18 2018-03-16
6.0
None Remote Medium Single system Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in esop/toolkit/profile/regData.do in Bravo Tejari Procurement Portal allows remote authenticated users to hijack the authentication of application users for requests that modify their personal data by leveraging lack of anti-CSRF tokens.
618 CVE-2018-7176 352 CSRF 2018-02-15 2018-03-14
6.8
None Remote Medium Not required Partial Partial Partial
FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page).
619 CVE-2018-7097 352 CSRF 2018-08-14 2018-10-10
6.8
None Remote Medium Not required Partial Partial Partial
A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7). The vulnerability may be exploited remotely to allow cross-site request forgery.
620 CVE-2018-7060 352 CSRF 2018-08-06 2018-10-10
6.8
None Remote Medium Not required Partial Partial Partial
Aruba ClearPass 6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1 is vulnerable to CSRF attacks against authenticated users. An attacker could manipulate an authenticated user into performing actions on the web administrative interface.
621 CVE-2018-6941 352 Exec Code XSS CSRF 2018-02-20 2018-03-13
6.8
None Remote Medium Not required Partial Partial Partial
A /shell?cmd= CSRF issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with XSS.
622 CVE-2018-6940 79 Exec Code XSS CSRF 2018-02-20 2018-10-09
4.3
None Remote Medium Not required None Partial None
A /shell?cmd= XSS issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with CSRF.
623 CVE-2018-6934 352 CSRF 2018-04-12 2018-05-11
6.8
None Remote Medium Not required Partial Partial Partial
CSRF exists in student/personal-info in PHP Scripts Mall Online Tutoring Script 2.0.3.
624 CVE-2018-6907 CSRF 2018-11-01 2018-11-01
0.0
None ??? ??? ??? ??? ??? ???
A Cross Site Request Forgery (CSRF) vulnerability in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allows an attacker to control the RainMachine device via the REST API.
625 CVE-2018-6888 352 CSRF 2018-02-11 2018-03-06
6.0
None Remote Medium Single system Partial Partial Partial
An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from critical flaw of Cross Site Request forgery: using a forged HTTP request, a malicious user can lead a user to unknowingly create / delete or modify a user account due to the lack of an anti-CSRF token.
626 CVE-2018-6874 352 CSRF 2018-04-04 2018-05-15
6.8
None Remote Medium Not required Partial Partial Partial
CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled.
627 CVE-2018-6656 352 CSRF 2018-02-06 2018-03-13
5.8
None Remote Medium Not required None Partial Partial
Z-BlogPHP 1.5.1 has CSRF via zb_users/plugin/AppCentre/app_del.php, as demonstrated by deleting files and directories.
628 CVE-2018-6563 352 CSRF 2018-06-20 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in totemomail Encryption Gateway before 6.0.0_Build_371 allow remote attackers to hijack the authentication of users for requests that (1) change user settings, (2) send emails, or (3) change contact information by leveraging lack of an anti-CSRF token.
629 CVE-2018-6504 352 CSRF 2018-09-20 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
A potential Cross-Site Request Forgery (CSRF) vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be exploited to allow for Cross-Site Request Forgery (CSRF).
630 CVE-2018-6497 352 CSRF 2018-06-15 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Remote Cross-site Request forgery (CSRF) potential has been identified in UCMBD Server version DDM Content Pack V 10.20, 10.21, 10.22, 10.22 CUP7, 10.30, 10.31, 10.32, 10.33, 10.33 CUP2, 11.0 and CMS Server version 2018.05 BACKGROUND which could allow for remote unsafe deserialization and cross-site request forgery (CSRF).
631 CVE-2018-6496 352 CSRF 2018-06-15 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Remote Cross-site Request forgery (CSRF) potential has been identified in UCMBD Browser version 4.10, 4.11, 4.12, 4.13, 4.14, 4.15, 4.15.1 which could allow for remote unsafe deserialization and cross-site request forgery (CSRF).
632 CVE-2018-6467 352 CSRF 2018-02-06 2018-02-28
6.8
None Remote Medium Not required Partial Partial Partial
The flickrRSS plugin 5.3.1 for WordPress has CSRF via wp-admin/options-general.php.
633 CVE-2018-6458 352 CSRF 2018-05-11 2018-06-13
6.8
None Remote Medium Not required Partial Partial Partial
Easy Hosting Control Panel (EHCP) v0.37.12.b allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection.
634 CVE-2018-6408 352 CSRF 2018-01-30 2018-02-27
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 devices. CSRF exists in hy-cgi/user.cgi, as demonstrated by changing an administrator password or adding a new administrator account.
635 CVE-2018-6391 352 CSRF 2018-01-29 2018-02-14
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery web vulnerability has been discovered on Netis WF2419 V2.2.36123 devices. A remote attacker is able to delete Address Reservation List settings.
636 CVE-2018-6357 352 XSS CSRF 2018-01-27 2018-02-15
6.8
None Remote Medium Not required Partial Partial Partial
The acx_asmw_saveorder_callback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant social_widget_icon_array_order XSS.
637 CVE-2018-6342 352 Exec Code CSRF 2018-12-31 2019-10-09
9.3
None Remote Medium Not required Complete Complete Complete
react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.
638 CVE-2018-6288 352 CSRF 2018-02-06 2018-03-01
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site Request Forgery leading to Administrative account takeover in Kaspersky Secure Mail Gateway version 1.1.
639 CVE-2018-6224 352 CSRF 2018-03-15 2018-04-04
6.8
None Remote Medium Not required Partial Partial Partial
A lack of cross-site request forgery (CSRF) protection vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to submit authenticated requests to a user browsing an attacker-controlled domain.
640 CVE-2018-6023 352 CSRF 2018-05-11 2018-06-14
6.8
None Remote Medium Not required Partial Partial Partial
Fastweb FASTgate 0.00.47 devices are vulnerable to CSRF, with impacts including Wi-Fi password changing, Guest Wi-Fi activating, etc.
641 CVE-2018-6009 352 CSRF 2018-01-22 2018-02-09
6.8
None Remote Medium Not required Partial Partial Partial
In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
642 CVE-2018-6007 352 CSRF 2018-01-29 2018-02-15
6.8
None Remote Medium Not required Partial Partial Partial
CSRF exists in the JS Support Ticket 1.1.0 component for Joomla! and allows attackers to inject HTML or edit a ticket.
643 CVE-2018-5976 352 CSRF 2018-01-24 2018-02-12
6.8
None Remote Medium Not required Partial Partial Partial
Cross Site Request Forgery (CSRF) exists in RSVP Invitation Online 1.0 via function/account.php, as demonstrated by modifying the admin password.
644 CVE-2018-5969 352 CSRF 2018-01-24 2018-02-12
6.8
None Remote Medium Not required Partial Partial Partial
Cross Site Request Forgery (CSRF) exists in Photography CMS 1.0 via clients/resources/ajax/ajax_new_admin.php, as demonstrated by adding an admin account.
645 CVE-2018-5921 352 CSRF 2018-10-03 2018-11-27
6.8
None Remote Medium Not required Partial Partial Partial
A potential security vulnerability has been identified with certain HP printers and MFPs in 2405129_000052 and other firmware versions. This vulnerability is known as Cross Site Request Forgery, and could potentially be exploited remotely to allow elevation of privilege.
646 CVE-2018-5720 352 CSRF 2018-01-29 2018-02-21
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered on DODOCOOL DC38 3-in-1 N300 Mini Wireless Range Extend RTN2-AW.GD.R3465.1.20161103 devices. A Cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that modify all the settings. This vulnerability can lead to changing an existing user's username and password, changing the Wi-Fi password, etc.
647 CVE-2018-5673 352 CSRF 2018-01-12 2018-01-23
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. CSRF exists via wp-admin/admin.php.
648 CVE-2018-5669 352 CSRF 2018-01-12 2018-01-23
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in the read-and-understood plugin 2.1 for WordPress. CSRF exists via wp-admin/options-general.php.
649 CVE-2018-5658 352 CSRF 2018-01-12 2018-01-25
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. CSRF exists via wp-admin/admin.php.
650 CVE-2018-5656 352 CSRF 2018-01-12 2018-01-24
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. CSRF exists via wp-admin/admin-ajax.php.
Total number of vulnerabilities : 2521   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 (This Page)14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.