CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CSRF)

Columns (each entry spans four lines: identification, CVSS score, access and impact metrics, description):
# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date
Score
Gained Access Level | Access Complexity | Authentication | Conf. | Integ. | Avail.
Description
1 CVE-2019-6779 CSRF 2019-01-24 2019-01-24
0.0
None ??? ??? ??? ??? ??? ???
Cscms 4.1.8 allows admin.php/links/save CSRF to add, modify, or delete friend links.
2 CVE-2019-6510 352 CSRF 2019-01-22 2019-01-23
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in creditease-sec insight through 2018-09-11. user_delete in srcpm/app/admin/views.py allows CSRF.
3 CVE-2019-6509 352 CSRF 2019-01-22 2019-01-23
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in creditease-sec insight through 2018-09-11. depart_delete in srcpm/app/admin/views.py allows CSRF.
4 CVE-2019-6508 352 CSRF 2019-01-22 2019-01-23
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in creditease-sec insight through 2018-09-11. role_perm_delete in srcpm/app/admin/views.py allows CSRF.
5 CVE-2019-6507 352 CSRF 2019-01-22 2019-01-23
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in creditease-sec insight through 2018-09-11. login_user_delete in srcpm/app/admin/views.py allows CSRF.
6 CVE-2019-6294 352 CSRF 2019-01-15 2019-01-16
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in EasyCMS 1.5. There is CSRF via the index.php?s=/admin/articlem/insert/navTabId/listarticle/callbackType/closeCurrent URI.
7 CVE-2019-6249 352 CSRF 2019-01-13 2019-01-16
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in HuCart v5.7.4. There is a CSRF vulnerability that can add an admin account via /adminsys/index.php?load=admins&act=edit_info&act_type=add.
8 CVE-2019-6244 352 Exec Code CSRF 2019-01-11 2019-01-24
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in UsualToolCMS 8.0. cmsadmin/a_sqlbackx.php?t=sql allows CSRF attacks that can execute SQL statements, and consequently execute arbitrary PHP code by writing that code into a .php file.
9 CVE-2019-1658 CSRF 2019-01-24 2019-01-24
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections in the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious, customized link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device via a web browser and with the privileges of the user.
10 CVE-2018-1000858 CSRF 2018-12-20 2019-01-11
0.0
None ??? ??? ??? ??? ??? ???
GnuPG version 2.1.12 - 2.2.11 contains a Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appears to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed after commit 4a4bb874f63741026bd26264c43bb32b1099f060.
11 CVE-2018-1000846 352 CSRF 2018-12-20 2019-01-08
6.8
None Remote Medium Not required Partial Partial Partial
FreshDNS version 1.0.3 and earlier contains a Cross Site Request Forgery (CSRF) vulnerability in All (authenticated) API calls in index.php / class.manager.php that can result in Editing domains and zones with victim's privileges. This attack appears to be exploitable via Victim must open a website containing attacker's javascript. This vulnerability appears to have been fixed in 1.0.5 and later.
12 CVE-2018-1000843 CSRF 2018-12-20 2018-12-20
0.0
None ??? ??? ??? ??? ??? ???
Luigi version prior to version 2.8.0; after commit 53b52e12745075a8acc016d33945d9d6a7a6aaeb; after GitHub PR spotify/luigi/pull/1870 contains a Cross Site Request Forgery (CSRF) vulnerability in API endpoint: /api/<method> that can result in Task metadata such as task name, id, parameter, etc. will be leaked to unauthorized users. This attack appears to be exploitable via The victim must visit a specially crafted webpage from the network where their Luigi server is accessible. This vulnerability appears to have been fixed in 2.8.0 and later.
13 CVE-2018-1000669 352 CSRF 2018-09-06 2018-11-07
6.8
None Remote Medium Not required Partial Partial Partial
KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Request Forgery (CSRF) vulnerability in /cgi-bin/koha/members/paycollect.pl Parameters affected: borrowernumber, amount, amountoutstanding, paid that can result in Attackers can mark payments as paid for certain users on behalf of Administrators. This attack appears to be exploitable via The victim must be socially engineered into clicking a link, usually via email. This vulnerability appears to have been fixed in 17.11.
14 CVE-2018-1000514 352 CSRF 2018-06-26 2018-08-20
4.3
None Remote Medium Not required None Partial None
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Request Forgery (CSRF) vulnerability in Boxes that can result in CSRF admins to delete boxes. This vulnerability appears to have been fixed in 3.6.x.
15 CVE-2018-1000510 284 DoS CSRF 2018-06-26 2018-08-21
4.0
None Remote Low Single system None None Partial
WP Image Zoom version 1.23 contains an Incorrect Access Control vulnerability in AJAX settings that can result in allows anybody to cause denial of service. This attack appears to be exploitable via Can be triggered intentionally (or unintentionally via CSRF) by any logged in user. This vulnerability appears to have been fixed in 1.24.
16 CVE-2018-1000507 352 CSRF 2018-06-26 2018-08-30
4.3
None Remote Medium Not required None Partial None
WP User Groups version 2.0.0 contains a Cross Site Request Forgery (CSRF) vulnerability in Settings page that can result in allows anybody to modify user groups and types. This attack appears to be exploitable via Admin must click on link. This vulnerability appears to have been fixed in 2.1.1.
17 CVE-2018-1000506 352 CSRF 2018-06-26 2018-08-30
6.8
None Remote Medium Not required Partial Partial Partial
Metronet Tag Manager version 1.2.7 contains a Cross Site Request Forgery (CSRF) vulnerability in Settings page /wp-admin/options-general.php?page=metronet-tag-manager that can result in allows anybody to do almost anything an admin can. This attack appears to be exploitable via Logged in user must follow a link. This vulnerability appears to have been fixed in 1.2.9.
18 CVE-2018-1000505 352 CSRF 2018-06-26 2018-08-30
4.3
None Remote Medium Not required None Partial None
Tooltipy (tooltips for WP) version 5 contains a Cross Site Request Forgery (CSRF) vulnerability in Settings page that can result in could allow anybody to duplicate posts. This attack appears to be exploitable via Admin must follow a link. This vulnerability appears to have been fixed in 5.1.
19 CVE-2018-1000417 352 CSRF 2019-01-09 2019-01-22
5.8
None Remote Medium Not required None Partial Partial
A cross-site request forgery vulnerability exists in Jenkins Email Extension Template Plugin 1.0 and earlier in ExtEmailTemplateManagement.java that allows creating or removing templates.
20 CVE-2018-1000414 352 CSRF 2019-01-09 2019-01-22
5.8
None Remote Medium Not required None Partial Partial
A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java, FolderConfigFileAction.java that allows creating and editing configuration file definitions.
21 CVE-2018-1000411 CSRF 2019-01-09 2019-01-14
0.0
None ??? ??? ??? ??? ??? ???
A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result.
22 CVE-2018-1000206 352 CSRF 2018-07-13 2018-09-07
6.8
None Remote Medium Not required Partial Partial Partial
JFrog Artifactory version since 5.11 contains a Cross Site Request Forgery (CSRF) vulnerability in UI rest endpoints that can result in Classic CSRF attack allowing an attacker to perform actions as logged in user. This attack appears to be exploitable via The victim must run maliciously crafted flash component. This vulnerability appears to have been fixed in 6.1.
23 CVE-2018-1000153 352 DoS CSRF 2018-04-05 2018-05-15
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or send credentials stored in Jenkins with known ID to an attacker-specified server ("test connection").
24 CVE-2018-1000137 352 CSRF 2018-03-23 2018-04-12
6.8
None Remote Medium Not required Partial Partial Partial
I, Librarian version 4.8 and earlier contains a Cross site Request Forgery (CSRF) vulnerability in users.php that can result in the password of the admin being forced to be changed without the administrator's knowledge.
25 CVE-2018-1000119 200 +Info CSRF 2018-03-07 2018-07-27
4.3
None Remote Medium Not required Partial None None
Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appears to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.
26 CVE-2018-1000092 352 CSRF 2018-03-13 2018-04-10
6.8
None Remote Medium Not required Partial Partial Partial
CMS Made Simple version 2.2.5 contains a Cross Site Request Forgery (CSRF) vulnerability in Admin profile page that can result in Details can be found here http://dev.cmsmadesimple.org/bug/view/11715. This attack appears to be exploitable via A specially crafted web page. This vulnerability appears to have been fixed in 2.2.6.
27 CVE-2018-1000086 352 Exec Code CSRF 2018-03-13 2018-04-11
6.8
None Remote Medium Not required Partial Partial Partial
NPR Visuals Team Pym.js versions 0.4.2 up to 1.3.1 contains a Cross Site Request Forgery (CSRF) vulnerability in Pym.js _onNavigateToMessage function. https://github.com/nprapps/pym.js/blob/master/src/pym.js#L573 that can result in Arbitrary javascript code execution. This attack appears to be exploitable via Attacker gains full javascript access to pages with Pym.js embeds when user visits an attacker crafted page. This vulnerability appears to have been fixed in versions 1.3.2 and later.
28 CVE-2018-1000082 352 Exec Code CSRF 2018-03-13 2018-04-06
6.8
None Remote Medium Not required Partial Partial Partial
Ajenti version 2 contains a Cross Site Request Forgery (CSRF) vulnerability in the command execution panel of the tool used to manage the server that can result in Code execution on the server. This attack appears to be exploitable via Being a CSRF, victim interaction is needed; when the victim accesses the infected trigger of the CSRF, any code that matches the victim's privileges on the server can be executed.
29 CVE-2018-1000053 352 CSRF 2018-02-09 2018-03-08
6.8
None Remote Medium Not required Partial Partial Partial
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Request Forgery (CSRF) vulnerability in Theme Uninstallation that can result in CSRF causing LimeSurvey admins to delete all their themes, rendering the website unusable. This attack appears to be exploitable via Simple HTML markup can be used to send a GET request to the affected endpoint.
30 CVE-2018-1000014 352 CSRF 2018-01-23 2018-02-07
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins administrator.
31 CVE-2018-1000013 352 CSRF 2018-01-23 2018-02-07
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds.
32 CVE-2018-20728 352 CSRF 2019-01-16 2019-01-22
6.8
None Remote Medium Not required Partial Partial Partial
A cross site request forgery (CSRF) vulnerability in NeDi before 1.7Cp3 allows remote attackers to escalate privileges via User-Management.php.
33 CVE-2018-20613 352 CSRF 2018-12-30 2019-01-10
6.8
None Remote Medium Not required Partial Partial Partial
TEMMOKU T1.09 Beta allows admin/user/add CSRF.
34 CVE-2018-20612 352 CSRF 2018-12-30 2019-01-16
6.8
None Remote Medium Not required Partial Partial Partial
UWA 2.3.11 allows index.php?g=admin&c=admin&a=add_admin_do CSRF.
35 CVE-2018-20603 352 CSRF 2018-12-30 2019-01-10
6.8
None Remote Medium Not required Partial Partial Partial
Lei Feng TV CMS (aka LFCMS) 3.8.6 allows admin.php?s=/Member/add.html CSRF.
36 CVE-2018-20598 352 CSRF 2018-12-30 2019-01-04
6.8
None Remote Medium Not required Partial Partial Partial
UCMS 1.4.7 has ?do=user_addpost CSRF.
37 CVE-2018-20595 352 CSRF 2018-12-30 2019-01-14
6.8
None Remote Medium Not required Partial Partial Partial
A CSRF issue was discovered in web/authorization/oauth2/controller/OAuth2ClientController.java in hsweb 3.0.4 because the state parameter in the request is not compared with the state parameter in the session after user authentication is successful.
38 CVE-2018-20577 352 CSRF 2018-12-28 2019-01-22
9.4
None Remote Low Not required None Complete Complete
Orange Livebox 00.96.320S devices allow cgi-bin/restore.exe, cgi-bin/firewall_SPI.exe, cgi-bin/setup_remote_mgmt.exe, cgi-bin/setup_pass.exe, and cgi-bin/upgradep.exe CSRF. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2.
39 CVE-2018-20576 352 CSRF 2018-12-28 2019-01-23
5.8
None Remote Medium Not required Partial Partial None
Orange Livebox 00.96.320S devices allow cgi-bin/autodialing.exe and cgi-bin/phone_test.exe CSRF, leading to arbitrary outbound telephone calls to an attacker-specified telephone number. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2.
40 CVE-2018-20419 352 CSRF 2018-12-23 2019-01-11
6.8
None Remote Medium Not required Partial Partial Partial
DouCo DouPHP 1.5 has upload/admin/manager.php?rec=insert CSRF to add an administrator account.
41 CVE-2018-20231 CSRF 2018-12-19 2019-01-08
0.0
None ??? ??? ??? ??? ??? ???
Cross Site Request Forgery (CSRF) in the two-factor-authentication plugin before 1.3.13 for WordPress allows remote attackers to disable 2FA via the tfa_enable_tfa parameter due to missing nonce validation.
42 CVE-2018-20228 352 CSRF 2018-12-19 2019-01-24
6.0
None Remote Medium Single system Partial Partial Partial
Subsonic V6.1.5 allows internetRadioSettings.view streamUrl CSRF, with resultant SSRF.
43 CVE-2018-20188 352 CSRF 2018-12-17 2019-01-07
6.8
None Remote Medium Not required Partial Partial Partial
FUEL CMS 1.4.3 has CSRF via users/create/ to add an administrator account.
44 CVE-2018-20015 352 CSRF 2018-12-10 2019-01-03
6.8
None Remote Medium Not required Partial Partial Partial
YzmCMS v5.2 has admin/role/add.html CSRF.
45 CVE-2018-19969 352 CSRF 2018-12-11 2018-12-31
6.8
None Remote Medium Not required Partial Partial Partial
phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc.
46 CVE-2018-19923 352 CSRF 2018-12-06 2019-01-11
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Sales & Company Management System (SCMS) through 2018-06-06. There is member/member_email.php?action=edit CSRF.
47 CVE-2018-19911 Exec Code CSRF 2018-12-06 2018-12-06
0.0
None ??? ??? ??? ??? ??? ???
FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password of "works" for the freeswitch account can sometimes be used.
48 CVE-2018-19829 CSRF 2018-12-18 2018-12-20
0.0
None ??? ??? ??? ??? ??? ???
Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known.
49 CVE-2018-19621 352 CSRF 2018-11-28 2018-12-26
4.3
None Remote Medium Not required None Partial None
server/index.php?s=/api/teamMember/save in ShowDoc 2.4.2 has a CSRF that can add members to a team.
50 CVE-2018-19561 352 CSRF 2018-11-26 2018-12-18
6.8
None Remote Medium Not required Partial Partial Partial
sikcms 1.1 has CSRF via admin.php?m=Admin&c=Users&a=userAdd to add an administrator account.
Total number of vulnerabilities: 2139 (this is page 1 of 43; entries 1-50 shown above).