| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2015-8563 |
352 |
|
CSRF |
2015-12-16 |
2015-12-17 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the com_templates component in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.6 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
|
2 |
CVE-2015-8131 |
352 |
|
CSRF |
2015-12-07 |
2020-10-19 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
|
3 |
CVE-2015-8125 |
|
|
CSRF |
2015-12-07 |
2016-12-07 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener class in the Symfony Security Component, or (3) legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfony Form component. |
|
4 |
CVE-2015-7984 |
352 |
|
Exec Code CSRF |
2015-11-19 |
2021-05-19 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1) commands via the cmd parameter to admin/cmdshell.php, (2) SQL queries via the sql parameter to admin/sqlshell.php, or (3) PHP code via the php parameter to admin/phpshell.php. |
|
5 |
CVE-2015-7936 |
352 |
|
CSRF |
2015-12-23 |
2016-11-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Motorola Solutions MOSCAD IP Gateway allows remote attackers to hijack the authentication of administrators for requests that modify a password. |
|
6 |
CVE-2015-7925 |
352 |
|
CSRF |
2015-12-23 |
2016-12-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability on eWON devices with firmware through 10.1s0 allows remote attackers to hijack the authentication of administrators for requests that trigger firmware upload, removal of configuration data, or a reboot. |
|
7 |
CVE-2015-7612 |
352 |
|
CSRF |
2015-10-01 |
2015-10-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the Organizations page in Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.9 and earlier allow remote attackers to hijack the authentication of administrators for requests that have unspecified impact via unknown vectors. |
|
8 |
CVE-2015-7366 |
352 |
|
DoS CSRF |
2015-10-14 |
2018-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in Revive Adserver before 3.2.2 allow remote attackers to hijack the authentication of users for requests that (1) perform certain plugin actions and possibly cause a denial of service (disabled core plugins) via unknown vectors or (2) change the contact name and language or possibly have unspecified other impact via a crafted POST request to an account-user-*.php script. |
|
9 |
CVE-2015-7364 |
352 |
|
Bypass CSRF |
2015-10-14 |
2018-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The HTML_Quickform library, as used in Revive Adserver before 3.2.2, allows remote attackers to bypass the CSRF protection mechanism via an empty token. |
|
10 |
CVE-2015-7291 |
352 |
|
CSRF |
2015-11-21 |
2015-11-23 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in adv_pwd_cgi in the web management interface on Arris DG860A, TG862A, and TG862G devices with firmware TS0703128_100611 through TS0705125D_031115 allows remote attackers to hijack the authentication of arbitrary users. |
|
11 |
CVE-2015-7284 |
352 |
|
CSRF |
2015-12-31 |
2016-12-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability on ZyXEL NBG-418N devices with firmware 1.00(AADZ.3)C0 allows remote attackers to hijack the authentication of arbitrary users. |
|
12 |
CVE-2015-7281 |
352 |
|
CSRF |
2015-12-31 |
2016-11-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability on ReadyNet WRT300N-DD devices with firmware 1.0.26 allows remote attackers to hijack the authentication of arbitrary users. |
|
13 |
CVE-2015-7278 |
352 |
|
CSRF |
2015-12-31 |
2016-11-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability on Amped Wireless R10000 devices with firmware 2.5.2.11 allows remote attackers to hijack the authentication of arbitrary users. |
|
14 |
CVE-2015-7233 |
352 |
|
CSRF |
2015-09-17 |
2015-09-18 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Import module is enabled, allows remote attackers to hijack the authentication of administrators for requests that create new OSF datasets via unspecified vectors. |
|
15 |
CVE-2015-6973 |
352 |
|
CSRF |
2015-09-16 |
2018-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via a crafted request to user-password.jsp, (2) add users via a crafted request to user-create.jsp, (3) edit server settings or (4) disable SSL on the server via a crafted request to server-props.jsp, or (5) add clients via a crafted request to plugins/clientcontrol/permitted-clients.jsp. |
|
16 |
CVE-2015-6966 |
352 |
|
XSS CSRF |
2015-09-16 |
2015-09-18 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in Nibbleblog before 4.0.5 allow remote attackers to hijack the authentication of administrators for requests that (1) create a post via a new_simple action to admin.php or (2) conduct cross-site scripting (XSS) attacks via the content parameter in a new_simple action to admin.php. |
|
17 |
CVE-2015-6965 |
352 |
|
XSS CSRF |
2015-09-16 |
2015-09-17 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the Contact Form Generator plugin 2.0.1 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) create a field, (2) update a field, (3) delete a field, (4) create a form, (5) update a form, (6) delete a form, (7) create a template, (8) update a template, (9) delete a template, or (10) conduct cross-site scripting (XSS) attacks via a crafted request to the cfg_forms page in wp-admin/admin.php. |
|
18 |
CVE-2015-6944 |
352 |
|
Exec Code CSRF |
2015-09-15 |
2018-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in JSP/MySQL Administrador Web 1 allows remote attackers to hijack the authentication of users for requests that execute arbitrary SQL commands via the cmd parameter to sys/sys/listaBD2.jsp. |
|
19 |
CVE-2015-6938 |
79 |
|
XSS CSRF |
2015-09-21 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate. |
|
20 |
CVE-2015-6827 |
352 |
|
CSRF |
2015-09-11 |
2016-12-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Auto-Exchanger 5.1.0 allows remote attackers to hijack the authentication of users for requests that change a password via a request to signup.php. |
|
21 |
CVE-2015-6728 |
352 |
|
Bypass CSRF |
2015-09-01 |
2016-12-07 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The ApiBase::getWatchlistUser function in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 does not perform token comparison in constant time, which allows remote attackers to guess the watchlist token and bypass CSRF protection via a timing attack. |
|
22 |
CVE-2015-6660 |
352 |
|
CSRF |
2015-08-24 |
2016-12-24 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks." |
|
23 |
CVE-2015-6655 |
352 |
|
CSRF |
2015-08-31 |
2016-12-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Pligg CMS 2.0.2 allows remote attackers to hijack the authentication of administrators for requests that add an administrator via a request to admin/admin_users.php. |
|
24 |
CVE-2015-6545 |
352 |
|
CSRF |
2015-09-03 |
2018-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in ajax.php in Cerb before 7.0.4 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via a saveWorkerPeek action. |
|
25 |
CVE-2015-6523 |
352 |
|
CSRF |
2015-08-19 |
2016-12-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the Portfolio plugin before 1.05 for WordPress allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via a request to the instagram-portfolio page in wp-admin/options-general.php. |
|
26 |
CVE-2015-6517 |
352 |
|
CSRF |
2015-08-18 |
2019-03-12 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in phpLiteAdmin 1.1 allows remote attackers to hijack the authentication of users for requests that drop database tables via the droptable parameter to phpliteadmin.php. |
|
27 |
CVE-2015-6493 |
352 |
|
CSRF |
2015-10-28 |
2015-10-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Infinite Automation Mango Automation 2.5.x and 2.6.x through 2.6.0 build 430 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors. |
|
28 |
CVE-2015-6468 |
352 |
|
CSRF |
2015-09-26 |
2015-09-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Resource Data Management Data Manager before 2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
|
29 |
CVE-2015-6408 |
352 |
|
CSRF |
2015-12-12 |
2016-12-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Cisco Unity Connection 11.5(0.98) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCux24578. |
|
30 |
CVE-2015-6405 |
352 |
|
CSRF |
2015-12-13 |
2016-12-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Cisco Emergency Responder 10.5(1) and 10.5(1a) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuv26501. |
|
31 |
CVE-2015-6378 |
352 |
|
CSRF |
2015-12-14 |
2017-09-13 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability on Cisco DPQ3925 devices with EDVA 5.5.2 allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuv05943. |
|
32 |
CVE-2015-6376 |
352 |
|
CSRF |
2015-11-21 |
2015-11-23 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Cisco TelePresence Video Communication Server (VCS) X8.5.1 allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuv72412. |
|
33 |
CVE-2015-6373 |
352 |
|
CSRF |
2015-11-18 |
2015-11-19 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Cisco Firepower Extensible Operating System 1.1(1.160) on Firepower 9000 devices allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCux10611. |
|
34 |
CVE-2015-6330 |
352 |
|
CSRF |
2015-11-18 |
2015-11-18 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Cisco Prime Collaboration Assurance 10.5(1) and 10.6 allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCus62712. |
|
35 |
CVE-2015-6304 |
352 |
|
CSRF |
2015-09-24 |
2016-12-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Cisco TelePresence Server software 3.0(2.24) allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCut63718, CSCut63724, and CSCut63760. |
|
36 |
CVE-2015-6262 |
352 |
|
CSRF |
2015-08-25 |
2019-07-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Cisco Prime Infrastructure 1.2(0.103) and 2.0(0.0) allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCum49054 and CSCum49059. |
|
37 |
CVE-2015-6007 |
352 |
|
CSRF |
2015-09-28 |
2015-09-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Web Reference Database (aka refbase) through 0.9.6 allows remote attackers to hijack the authentication of arbitrary users. |
|
38 |
CVE-2015-5999 |
352 |
|
CSRF |
2015-11-18 |
2018-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DIR-816L Wireless Router with firmware before 2.06.B09_BETA allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin password, (2) change the network policy, or (3) possibly have other unspecified impact via crafted requests to hedwig.cgi and pigwidgeon.cgi. |
|
39 |
CVE-2015-5996 |
352 |
|
CSRF |
2015-12-31 |
2018-07-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability on Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 allows remote attackers to hijack the authentication of arbitrary users. |
|
40 |
CVE-2015-5991 |
352 |
|
CSRF |
2015-09-21 |
2015-09-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in form2WlanSetup.cgi on Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN devices with firmware GAN9.8U26-4-TX-R6B018-PH.EN and Kasda KW58293 devices allows remote attackers to hijack the authentication of administrators for requests that perform setup operations, as demonstrated by modifying network settings. |
|
41 |
CVE-2015-5990 |
352 |
|
CSRF |
2015-12-31 |
2015-12-31 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability on Belkin F9K1102 2 devices with firmware 2.10.17 allows remote attackers to hijack the authentication of arbitrary users. |
|
42 |
CVE-2015-5731 |
352 |
|
DoS CSRF |
2015-11-09 |
2017-11-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action. |
|
43 |
CVE-2015-5698 |
352 |
|
CSRF |
2015-08-30 |
2016-12-22 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the web server on Siemens SIMATIC S7-1200 CPU devices with firmware before 4.1.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
|
44 |
CVE-2015-5665 |
352 |
|
CSRF |
2015-10-27 |
2015-10-28 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 2.11.0 through 2.13.3 allows remote attackers to hijack the authentication of arbitrary users for requests that write to PHP scripts, related to the doValidToken function. |
|
45 |
CVE-2015-5660 |
352 |
|
Exec Code CSRF |
2015-10-16 |
2015-10-16 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code. |
|
46 |
CVE-2015-5631 |
352 |
|
CSRF |
2015-09-11 |
2015-09-14 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the Remote UI on Canon PIXMA MG7500 printers allows remote attackers to hijack the authentication of administrators. |
|
47 |
CVE-2015-5571 |
352 |
|
+Info CSRF |
2015-09-22 |
2017-02-17 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API. NOTE: this issue exists because of an incomplete fix for CVE-2014-4671 and CVE-2014-5333. |
|
48 |
CVE-2015-5534 |
352 |
|
XSS CSRF |
2015-11-02 |
2018-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall before 1.8 allow remote attackers to hijack the authentication of administrators for requests that (1) put the website under maintenance via the maintenance_enable parameter or (2) conduct cross-site scripting (XSS) attacks via the maintenance_text parameter to admin/pages/maintenance. |
|
49 |
CVE-2015-5530 |
352 |
|
CSRF |
2015-07-16 |
2015-07-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in Free Reprintables ArticleFR 3.0.6 allow remote attackers to hijack the authentication of administrators for requests that add an administrator account via a request to dashboard/users/create/. |
|
50 |
CVE-2015-5508 |
352 |
|
CSRF |
2015-08-18 |
2016-11-28 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the XC NCIP Provider module in the eXtensible Catalog (XC) Drupal Toolkit allows remote attackers to hijack the authentication of users with the "administer ncip providers" permission for requests that alter NCIP providers via a crafted request. |
