CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CSRF)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2018-1000053 CSRF 2018-02-09 2018-02-09
0.0
None ??? ??? ??? ??? ??? ???
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Theme Uninstallation that can result in CSRF causing LimeSurvey admins to delete all their themes, rendering the website unusable. This attack appear to be exploitable via Simple HTML markup can be used to send a GET request to the affected endpoint.
2 CVE-2018-1000014 352 CSRF 2018-01-23 2018-02-07
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins administrator.
3 CVE-2018-1000013 352 CSRF 2018-01-23 2018-02-07
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds.
4 CVE-2018-7176 CSRF 2018-02-15 2018-02-15
0.0
None ??? ??? ??? ??? ??? ???
FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page).
5 CVE-2018-6888 CSRF 2018-02-11 2018-02-11
0.0
None ??? ??? ??? ??? ??? ???
An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from critical flaw of Cross Site Request forgery: using a forged HTTP request, a malicious user can lead a user to unknowingly create / delete or modify a user account due to the lack of an anti-CSRF token.
6 CVE-2018-6656 CSRF 2018-02-06 2018-02-06
0.0
None ??? ??? ??? ??? ??? ???
Z-BlogPHP 1.5.1 has CSRF via zb_users/plugin/AppCentre/app_del.php, as demonstrated by deleting files and directories.
7 CVE-2018-6467 CSRF 2018-02-06 2018-02-06
0.0
None ??? ??? ??? ??? ??? ???
The flickrRSS plugin 5.3.1 for WordPress has CSRF via wp-admin/options-general.php.
8 CVE-2018-6408 CSRF 2018-01-30 2018-01-30
0.0
None ??? ??? ??? ??? ??? ???
An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 devices. CSRF exists in hy-cgi/user.cgi, as demonstrated by changing an administrator password or adding a new administrator account.
9 CVE-2018-6391 352 CSRF 2018-01-29 2018-02-14
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery web vulnerability has been discovered on Netis WF2419 V2.2.36123 devices. A remote attacker is able to delete Address Reservation List settings.
10 CVE-2018-6357 352 XSS CSRF 2018-01-27 2018-02-15
6.8
None Remote Medium Not required Partial Partial Partial
The acx_asmw_saveorder_callback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant social_widget_icon_array_order XSS.
11 CVE-2018-6288 CSRF 2018-02-06 2018-02-06
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Request Forgery leading to Administrative account takeover in Kaspersky Secure Mail Gateway version 1.1.
12 CVE-2018-6009 352 CSRF 2018-01-22 2018-02-09
6.8
None Remote Medium Not required Partial Partial Partial
In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
13 CVE-2018-6007 352 CSRF 2018-01-29 2018-02-15
6.8
None Remote Medium Not required Partial Partial Partial
CSRF exists in the JS Support Ticket 1.1.0 component for Joomla! and allows attackers to inject HTML or edit a ticket.
14 CVE-2018-5976 352 CSRF 2018-01-24 2018-02-12
6.8
None Remote Medium Not required Partial Partial Partial
Cross Site Request Forgery (CSRF) exists in RSVP Invitation Online 1.0 via function/account.php, as demonstrated by modifying the admin password.
15 CVE-2018-5969 352 CSRF 2018-01-24 2018-02-12
6.8
None Remote Medium Not required Partial Partial Partial
Cross Site Request Forgery (CSRF) exists in Photography CMS 1.0 via clients/resources/ajax/ajax_new_admin.php, as demonstrated by adding an admin account.
16 CVE-2018-5720 CSRF 2018-01-29 2018-01-29
0.0
None ??? ??? ??? ??? ??? ???
An issue was discovered on DODOCOOL DC38 3-in-1 N300 Mini Wireless Range Extend RTN2-AW.GD.R3465.1.20161103 devices. A Cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that modify all the settings. This vulnerability can lead to changing an existing user's username and password, changing the Wi-Fi password, etc.
17 CVE-2018-5673 352 CSRF 2018-01-12 2018-01-23
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. CSRF exists via wp-admin/admin.php.
18 CVE-2018-5669 352 CSRF 2018-01-12 2018-01-23
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in the read-and-understood plugin 2.1 for WordPress. CSRF exists via wp-admin/options-general.php.
19 CVE-2018-5658 352 CSRF 2018-01-12 2018-01-25
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. CSRF exists via wp-admin/admin.php.
20 CVE-2018-5656 352 CSRF 2018-01-12 2018-01-24
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. CSRF exists via wp-admin/admin-ajax.php.
21 CVE-2018-5368 352 CSRF 2018-01-12 2018-01-29
6.8
None Remote Medium Not required Partial Partial Partial
The SrbTransLatin plugin 1.46 for WordPress has CSRF via an srbtranslatoptions action to wp-admin/options-general.php.
22 CVE-2018-5361 79 XSS CSRF 2018-01-12 2018-01-23
6.8
None Remote Medium Not required Partial Partial Partial
The WPGlobus plugin 1.9.6 for WordPress has CSRF via wp-admin/options.php.
23 CVE-2018-5329 352 CSRF 2018-01-15 2018-02-05
6.8
None Remote Medium Not required Partial Partial Partial
ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) on /CWEBNET/* authenticated pages. A successful CSRF attack can force the user to modify state: creating users, changing an email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
24 CVE-2018-5301 352 CSRF 2018-01-08 2018-02-02
5.8
None Remote Medium Not required None Partial Partial
Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have CSRF resulting in deletion of a customer address from an address book, aka APPSEC-1433.
25 CVE-2018-5285 352 CSRF 2018-01-08 2018-01-29
6.8
None Remote Medium Not required Partial Partial Partial
The ImageInject plugin 1.15 for WordPress has CSRF via wp-admin/options-general.php.
26 CVE-2018-5191 CSRF 2018-01-03 2018-01-03
0.0
None ??? ??? ??? ??? ??? ???
/usr/local/www/csrf/csrf-magic.php in the WebGUI in pfSense before 2.4.2-RELEASE allows Clickjacking on the CSRF error page because the error detection occurs before an X-Frame-Options header is set.
27 CVE-2018-5073 352 CSRF 2018-01-03 2018-01-17
6.0
None Remote Medium Single system Partial Partial Partial
Online Ticket Booking has CSRF via admin/movieedit.php.
28 CVE-2018-0785 352 CSRF 2018-01-09 2018-02-01
4.3
None Remote Medium Not required None None Partial
ASP.NET Core 1.0. 1.1, and 2.0 allow a cross site request forgery vulnerability due to the ASP.NET Core project templates, aka "ASP.NET Core Cross Site Request Forgery Vulnerability".
29 CVE-2018-0509 352 CSRF 2018-02-01 2018-02-14
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in epg search result viewer (kkcald) 0.7.21 and earlier allows an attacker to hijack the authentication of administrators via unspecified vectors.
30 CVE-2018-0107 352 CSRF 2018-01-18 2018-02-09
6.8
None Remote Medium Not required Partial Partial Partial
A vulnerability in the web framework of Cisco Prime Service Catalog could allow an unauthenticated, remote attacker to execute unwanted actions on an affected device. The vulnerability is due to a lack of cross-site request forgery (CSRF) protection. An attacker could exploit this vulnerability by tricking the user of a web application into executing an adverse action. Cisco Bug IDs: CSCvg30313.
31 CVE-2017-1002150 601 CSRF 2017-09-14 2017-09-21
5.8
None Remote Medium Not required Partial Partial None
python-fedora 0.8.0 and lower is vulnerable to an open redirect resulting in loss of CSRF protection
32 CVE-2017-1000504 352 Exec Code CSRF 2018-01-24 2018-02-12
6.8
None Remote Medium Not required Partial Partial Partial
A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.
33 CVE-2017-1000499 352 CSRF 2018-01-03 2018-01-18
6.8
None Remote Medium Not required Partial Partial Partial
phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a CSRF weakness. By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc.
34 CVE-2017-1000479 352 Exec Code CSRF 2018-01-03 2018-01-25
6.8
None Remote Medium Not required Partial Partial Partial
pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged execution of arbitrary code, because the error detection occurs before an X-Frame-Options header is set. This is fixed in 2.4.2-RELEASE. OPNsense, a 2015 fork of pfSense, was not vulnerable since version 16.1.16 released on June 06, 2016. The unprotected web form was removed from the code during an internal security audit under "possibly insecure" suspicions.
35 CVE-2017-1000432 352 CSRF 2018-01-02 2018-01-17
6.0
None Remote Medium Single system Partial Partial Partial
Vanilla Forums below 2.1.5 are affected by CSRF leading to Deleting topics and comments from forums Admin access
36 CVE-2017-1000389 79 XSS CSRF 2018-01-25 2018-02-12
4.3
None Remote Medium Not required None Partial None
Some URLs provided by Jenkins global-build-stats plugin version 1.4 and earlier returned a JSON response that contained request parameters. These responses had the Content Type: text/html, so could have been interpreted as HTML by clients, resulting in a potential reflected cross-site scripting vulnerability. Additionally, some URLs provided by global-build-stats plugin that modify data did not require POST requests to be sent, resulting in a potential cross-site request forgery vulnerability.
37 CVE-2017-1000244 352 CSRF 2017-11-01 2017-11-24
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF resulting in data modification
38 CVE-2017-1000224 352 CSRF 2017-11-16 2017-12-03
4.3
None Remote Medium Not required None Partial None
CSRF in YouTube (WordPress plugin) could allow unauthenticated attacker to change any setting within the plugin
39 CVE-2017-1000147 352 CSRF 2017-11-03 2017-11-15
6.0
None Remote Medium Single system Partial Partial Partial
Mahara 1.9 before 1.9.8 and 1.10 before 1.10.6 and 15.04 before 15.04.3 are vulnerable to perform a cross-site request forgery (CSRF) attack on the uploader contained in Mahara's filebrowser widget. This could allow an attacker to trick a Mahara user into unknowingly uploading malicious files into their Mahara account.
40 CVE-2017-1000093 352 CSRF 2017-10-04 2017-10-17
6.8
None Remote Medium Not required Partial Partial Partial
Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action as it's similar to cache invalidation, the plugin specifically adds a permission to be able to use this functionality, and this issue undermines that permission.
41 CVE-2017-1000091 352 CSRF 2017-10-04 2017-10-17
6.8
None Remote Medium Not required Partial Partial Partial
GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. GitHub Enterprise) as part of form validation and completion (e.g. to verify Scan Credentials are correct). This functionality improperly checked permissions, allowing any user with Overall/Read access to Jenkins to connect to any web server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery.
42 CVE-2017-1000090 352 CSRF 2017-10-04 2017-11-02
6.8
None Remote Medium Not required Partial Partial Partial
Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins.
43 CVE-2017-1000086 352 CSRF 2017-10-04 2017-11-02
6.0
None Remote Medium Single system Partial Partial Partial
The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks.
44 CVE-2017-1000085 352 CSRF 2017-10-04 2017-11-02
4.3
None Remote Medium Not required Partial None None
Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks.
45 CVE-2017-1000069 352 CSRF 2017-07-17 2017-07-20
6.8
None Remote Medium Not required Partial Partial Partial
CSRF in Bitly oauth2_proxy 2.1 during authentication flow
46 CVE-2017-1000045 352 Bypass CSRF 2017-07-17 2017-07-26
6.8
None Remote Medium Not required Partial Partial Partial
Mautic SSO/OAuth2 plugins are vulnerable to CSRF of the state parameter resulting in authentication bypass through clickjacking
47 CVE-2017-1000008 352 CSRF 2017-07-17 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Chyrp Lite version 2016.04 is vulnerable to a CSRF in the user settings function allowing attackers to hijack the authentication of logged in users to modify account information, including their password.
48 CVE-2017-18081 79 XSS CSRF 2018-02-02 2018-02-13
4.3
None Remote Medium Not required None Partial None
The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie.
49 CVE-2017-18080 352 CSRF 2018-02-02 2018-02-13
6.8
None Remote Medium Not required Partial Partial Partial
The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability.
50 CVE-2017-18042 352 CSRF 2018-02-02 2018-02-13
6.8
None Remote Medium Not required Partial Partial Partial
The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability.
Total number of vulnerabilities : 1717   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.