CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2018(CSRF)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2018-1000669 352 CSRF 2018-09-06 2018-11-07
6.8
None Remote Medium Not required Partial Partial Partial
KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Request Forgery (CSRF) vulnerability in /cgi-bin/koha/members/paycollect.pl Parameters affected: borrowernumber, amount, amountoutstanding, paid that can result in Attackers can mark payments as paid for certain users on behalf of Administrators. This attack appear to be exploitable via The victim must be socially engineered into clicking a link, usually via email. This vulnerability appears to have been fixed in 17.11.
2 CVE-2018-1000514 352 CSRF 2018-06-26 2018-08-20
4.3
None Remote Medium Not required None Partial None
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Boxes that can result in CSRF admins to delete boxes. This vulnerability appears to have been fixed in 3.6.x.
3 CVE-2018-1000510 284 DoS CSRF 2018-06-26 2018-08-21
4.0
None Remote Low Single system None None Partial
WP Image Zoom version 1.23 contains a Incorrect Access Control vulnerability in AJAX settings that can result in allows anybody to cause denial of service. This attack appear to be exploitable via Can be triggered intentionally (or unintentionally via CSRF) by any logged in user. This vulnerability appears to have been fixed in 1.24.
4 CVE-2018-1000507 352 CSRF 2018-06-26 2018-08-30
4.3
None Remote Medium Not required None Partial None
WP User Groups version 2.0.0 contains a Cross ite Request Forgery (CSRF) vulnerability in Settings page that can result in allows anybody to modify user groups and types. This attack appear to be exploitable via Admin must click on link. This vulnerability appears to have been fixed in 2.1.1.
5 CVE-2018-1000506 352 CSRF 2018-06-26 2018-08-30
6.8
None Remote Medium Not required Partial Partial Partial
Metronet Tag Manager version 1.2.7 contains a Cross ite Request Forgery (CSRF) vulnerability in Settings page /wp-admin/options-general.php?page=metronet-tag-manager that can result in allows anybody to do almost anything an admin can. This attack appear to be exploitable via Logged in user must follow a link. This vulnerability appears to have been fixed in 1.2.9.
6 CVE-2018-1000505 352 CSRF 2018-06-26 2018-08-30
4.3
None Remote Medium Not required None Partial None
Tooltipy (tooltips for WP) version 5 contains a Cross ite Request Forgery (CSRF) vulnerability in Settings page that can result in could allow anybody to duplicate posts. This attack appear to be exploitable via Admin must follow a link. This vulnerability appears to have been fixed in 5.1.
7 CVE-2018-1000206 352 CSRF 2018-07-13 2018-09-07
6.8
None Remote Medium Not required Partial Partial Partial
JFrog Artifactory version since 5.11 contains a Cross ite Request Forgery (CSRF) vulnerability in UI rest endpoints that can result in Classic CSRF attack allowing an attacker to perform actions as logged in user. This attack appear to be exploitable via The victim must run maliciously crafted flash component. This vulnerability appears to have been fixed in 6.1.
8 CVE-2018-1000153 352 DoS CSRF 2018-04-05 2018-05-15
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or send credentials stored in Jenkins with known ID to an attacker-specified server ("test connection").
9 CVE-2018-1000137 352 CSRF 2018-03-23 2018-04-12
6.8
None Remote Medium Not required Partial Partial Partial
I, Librarian version 4.8 and earlier contains a Cross site Request Forgery (CSRF) vulnerability in users.php that can result in the password of the admin being forced to be changed without the administrator's knowledge.
10 CVE-2018-1000119 200 +Info CSRF 2018-03-07 2018-07-27
4.3
None Remote Medium Not required Partial None None
Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.
11 CVE-2018-1000092 352 CSRF 2018-03-13 2018-04-10
6.8
None Remote Medium Not required Partial Partial Partial
CMS Made Simple version versions 2.2.5 contains a Cross ite Request Forgery (CSRF) vulnerability in Admin profile page that can result in Details can be found here http://dev.cmsmadesimple.org/bug/view/11715. This attack appear to be exploitable via A specially crafted web page. This vulnerability appears to have been fixed in 2.2.6.
12 CVE-2018-1000086 352 Exec Code CSRF 2018-03-13 2018-04-11
6.8
None Remote Medium Not required Partial Partial Partial
NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a Cross ite Request Forgery (CSRF) vulnerability in Pym.js _onNavigateToMessage function. https://github.com/nprapps/pym.js/blob/master/src/pym.js#L573 that can result in Arbitrary javascript code execution. This attack appear to be exploitable via Attacker gains full javascript access to pages with Pym.js embeds when user visits an attacker crafted page.. This vulnerability appears to have been fixed in versions 1.3.2 and later.
13 CVE-2018-1000082 352 Exec Code CSRF 2018-03-13 2018-04-06
6.8
None Remote Medium Not required Partial Partial Partial
Ajenti version version 2 contains a Cross ite Request Forgery (CSRF) vulnerability in the command execution panel of the tool used to manage the server. that can result in Code execution on the server . This attack appear to be exploitable via Being a CSRF, victim interaction is needed, when the victim access the infected trigger of the CSRF any code that match the victim privledges on the server can be executed..
14 CVE-2018-1000053 352 CSRF 2018-02-09 2018-03-08
6.8
None Remote Medium Not required Partial Partial Partial
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Theme Uninstallation that can result in CSRF causing LimeSurvey admins to delete all their themes, rendering the website unusable. This attack appear to be exploitable via Simple HTML markup can be used to send a GET request to the affected endpoint.
15 CVE-2018-1000014 352 CSRF 2018-01-23 2018-02-07
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins administrator.
16 CVE-2018-1000013 352 CSRF 2018-01-23 2018-02-07
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds.
17 CVE-2018-20015 CSRF 2018-12-10 2018-12-10
0.0
None ??? ??? ??? ??? ??? ???
YzmCMS v5.2 has admin/role/add.html CSRF.
18 CVE-2018-19969 CSRF 2018-12-11 2018-12-11
0.0
None ??? ??? ??? ??? ??? ???
phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc.
19 CVE-2018-19923 CSRF 2018-12-06 2018-12-06
0.0
None ??? ??? ??? ??? ??? ???
An issue was discovered in Sales & Company Management System (SCMS) through 2018-06-06. There is member/member_email.php?action=edit CSRF.
20 CVE-2018-19911 Exec Code CSRF 2018-12-06 2018-12-06
0.0
None ??? ??? ??? ??? ??? ???
FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password of works for the freeswitch account can sometimes be used.
21 CVE-2018-19621 CSRF 2018-11-28 2018-11-28
0.0
None ??? ??? ??? ??? ??? ???
server/index.php?s=/api/teamMember/save in ShowDoc 2.4.2 has a CSRF that can add members to a team.
22 CVE-2018-19561 CSRF 2018-11-26 2018-11-26
0.0
None ??? ??? ??? ??? ??? ???
sikcms 1.1 has CSRF via admin.php?m=Admin&c=Users&a=userAdd to add an administrator account.
23 CVE-2018-19560 CSRF 2018-11-26 2018-11-26
0.0
None ??? ??? ??? ??? ??? ???
BageCMS 3.1.3 has CSRF via upload/index.php?r=admini/admin/ownerUpdate to modify a user account.
24 CVE-2018-19555 CSRF 2018-11-26 2018-11-26
0.0
None ??? ??? ??? ??? ??? ???
tp4a TELEPORT 3.1.0 has CSRF via user/do-reset-password to change any password, such as the administrator password.
25 CVE-2018-19546 XSS CSRF 2018-11-26 2018-11-26
0.0
None ??? ??? ??? ??? ??? ???
JTBC(PHP) 3.0.1.7 has CSRF via the console/xml/manage.php?type=action&action=edit URI, as demonstrated by an XSS payload in the content parameter.
26 CVE-2018-19545 CSRF 2018-11-26 2018-11-26
0.0
None ??? ??? ??? ??? ??? ???
JEECMS 9.3 has CSRF via the api/admin/role/save URI to add a user.
27 CVE-2018-19544 CSRF 2018-11-26 2018-11-26
0.0
None ??? ??? ??? ??? ??? ???
JEECMS 9.3 has CSRF via the api/admin/content/save URI to add news.
28 CVE-2018-19376 CSRF 2018-11-20 2018-11-20
0.0
None ??? ??? ??? ??? ??? ???
An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that allows attackers to delete a log file via the index.php?m=admin&c=data&a=clear URI.
29 CVE-2018-19335 +Info CSRF 2018-11-20 2018-11-20
0.0
None ??? ??? ??? ??? ??? ???
Google Monorail before 2018-06-07 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with a crafted groupby value) can be used to obtain sensitive information about the content of bug reports.
30 CVE-2018-19334 +Info CSRF 2018-11-20 2018-11-20
0.0
None ??? ??? ??? ??? ??? ???
Google Monorail before 2018-05-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with an unsupported axis) can be used to obtain sensitive information about the content of bug reports.
31 CVE-2018-19332 CSRF 2018-11-17 2018-11-17
0.0
None ??? ??? ??? ??? ??? ???
An issue was discovered in S-CMS v1.5. There is a CSRF vulnerability that can add a new user via the admin/ajax.php?type=member&action=add URI.
32 CVE-2018-19327 CSRF 2018-11-17 2018-11-17
0.0
None ??? ??? ??? ??? ??? ???
An issue was discovered in JTBC(PHP) 3.0.1.7. aboutus/manage.php?type=action&action=add allows CSRF.
33 CVE-2018-19319 CSRF 2018-11-16 2018-11-16
0.0
None ??? ??? ??? ??? ??? ???
SRCMS 3.0.0 allows CSRF via admin.php?m=Admin&c=gifts&a=update to change goods prices with the super administrator's privileges.
34 CVE-2018-19318 CSRF 2018-11-16 2018-11-16
0.0
None ??? ??? ??? ??? ??? ???
SRCMS 3.0.0 allows CSRF via admin.php?m=Admin&c=manager&a=update to change the username and password of the super administrator account.
35 CVE-2018-19291 CSRF 2018-11-15 2018-11-15
0.0
None ??? ??? ??? ??? ??? ???
An issue discovered in DiliCMS 2.4.0. There is a CSRF vulnerability that can delete a user or group via an admin/index.php/user/del/1 or admin/index.php/role/del/2 URI.
36 CVE-2018-19225 352 CSRF 2018-11-12 2018-12-11
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in LAOBANCMS 2.0. admin/mima.php has CSRF.
37 CVE-2018-19192 CSRF 2018-11-12 2018-11-12
0.0
None ??? ??? ??? ??? ??? ???
An issue was discovered in XiaoCms 20141229. admin/index.php?c=content&a=add&catid=3 has CSRF, as demonstrated by entering news via the data[content] parameter.
38 CVE-2018-19138 352 CSRF 2018-11-09 2018-12-11
6.8
None Remote Medium Not required Partial Partial Partial
WSTMart 2.0.7 has CSRF via the index.php/admin/staffs/add.html URI.
39 CVE-2018-19135 CSRF 2018-11-10 2018-11-15
0.0
None ??? ??? ??? ??? ??? ???
ClipperCMS 1.3.3 does not have CSRF protection on its kcfinder file upload (enabled by default). This can be used by an attacker to perform actions for an admin (or any user with the file upload capability). With this vulnerability, one can automatically upload files (by default, it allows html, pdf, xml, zip, and many other file types). A file can be accessed publicly under the "/assets/files" directory.
40 CVE-2018-19104 352 CSRF 2018-11-08 2018-12-11
6.8
None Remote Medium Not required Partial Partial Partial
In BageCMS 3.1.3, upload/index.php has a CSRF vulnerability that can be used to upload arbitrary files and get server privileges.
41 CVE-2018-18935 352 CSRF 2018-11-05 2018-12-10
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in PopojiCMS v2.0.1. It has CSRF via the po-admin/route.php?mod=component&act=addnew URI, as demonstrated by adding a level=1 account.
42 CVE-2018-18934 434 Exec Code CSRF 2018-11-05 2018-12-11
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in PopojiCMS v2.0.1. admin_component.php is exploitable via the po-admin/route.php?mod=component&act=addnew URI by using the fupload parameter to upload a ZIP file containing arbitrary PHP code (that is extracted and can be executed). This can also be exploited via CSRF.
43 CVE-2018-18842 Exec Code CSRF 2018-10-30 2018-10-30
0.0
None ??? ??? ??? ??? ??? ???
CSRF exists in zb_users/plugin/AppCentre/theme.js.php in Z-BlogPHP 1.5.2.1935 (Zero), which allows remote attackers to execute arbitrary PHP code.
44 CVE-2018-18799 CSRF 2018-11-16 2018-11-16
0.0
None ??? ??? ??? ??? ??? ???
School Attendance Monitoring System 1.0 has CSRF via event/controller.php?action=photos.
45 CVE-2018-18797 CSRF 2018-11-16 2018-11-16
0.0
None ??? ??? ??? ??? ??? ???
School Attendance Monitoring System 1.0 has CSRF via /user/user/edit.php.
46 CVE-2018-18794 CSRF 2018-11-16 2018-11-16
0.0
None ??? ??? ??? ??? ??? ???
School Event Management System 1.0 allows CSRF via user/controller.php?action=edit.
47 CVE-2018-18773 352 CSRF 2018-11-20 2018-11-29
6.8
None Remote Medium Not required Partial Partial Partial
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=rootpwd, as demonstrated by changing the root password.
48 CVE-2018-18772 352 CSRF 2018-11-20 2018-11-29
6.8
None Remote Medium Not required Partial Partial Partial
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=send_ssh, as demonstrated by executing an arbitrary OS command.
49 CVE-2018-18760 CSRF 2018-11-16 2018-11-16
0.0
None ??? ??? ??? ??? ??? ???
RhinOS 3.0 build 1190 allows CSRF.
50 CVE-2018-18742 352 CSRF 2018-10-29 2018-11-14
6.8
None Remote Medium Not required Partial Partial Partial
A CSRF issue was discovered in SEMCMS 3.4 via the admin/SEMCMS_User.php?Class=add&CF=user URI.
Total number of vulnerabilities : 437   Page : 1 (This Page)2 3 4 5 6 7 8 9
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.