| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-1000858 |
352 |
|
CSRF |
2018-12-20 |
2019-02-13 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060. |
|
2 |
CVE-2018-1000846 |
352 |
|
CSRF |
2018-12-20 |
2019-01-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
FreshDNS version 1.0.3 and earlier contains a Cross ite Request Forgery (CSRF) vulnerability in All (authenticated) API calls in index.php / class.manager.php that can result in Editing domains and zones with victim's privileges. This attack appear to be exploitable via Victim must open a website containing attacker's javascript. This vulnerability appears to have been fixed in 1.0.5 and later. |
|
3 |
CVE-2018-1000843 |
352 |
|
CSRF |
2018-12-20 |
2019-02-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Luigi version prior to version 2.8.0; after commit 53b52e12745075a8acc016d33945d9d6a7a6aaeb; after GitHub PR spotify/luigi/pull/1870 contains a Cross ite Request Forgery (CSRF) vulnerability in API endpoint: /api/<method> that can result in Task metadata such as task name, id, parameter, etc. will be leaked to unauthorized users. This attack appear to be exploitable via The victim must visit a specially crafted webpage from the network where their Luigi server is accessible.. This vulnerability appears to have been fixed in 2.8.0 and later. |
|
4 |
CVE-2018-1000669 |
352 |
|
CSRF |
2018-09-06 |
2018-11-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Request Forgery (CSRF) vulnerability in /cgi-bin/koha/members/paycollect.pl Parameters affected: borrowernumber, amount, amountoutstanding, paid that can result in Attackers can mark payments as paid for certain users on behalf of Administrators. This attack appear to be exploitable via The victim must be socially engineered into clicking a link, usually via email. This vulnerability appears to have been fixed in 17.11. |
|
5 |
CVE-2018-1000514 |
352 |
|
CSRF |
2018-06-26 |
2018-08-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Boxes that can result in CSRF admins to delete boxes. This vulnerability appears to have been fixed in 3.6.x. |
|
6 |
CVE-2018-1000510 |
732 |
|
DoS CSRF |
2018-06-26 |
2019-10-03 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
WP Image Zoom version 1.23 contains a Incorrect Access Control vulnerability in AJAX settings that can result in allows anybody to cause denial of service. This attack appear to be exploitable via Can be triggered intentionally (or unintentionally via CSRF) by any logged in user. This vulnerability appears to have been fixed in 1.24. |
|
7 |
CVE-2018-1000507 |
352 |
|
CSRF |
2018-06-26 |
2018-08-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
WP User Groups version 2.0.0 contains a Cross ite Request Forgery (CSRF) vulnerability in Settings page that can result in allows anybody to modify user groups and types. This attack appear to be exploitable via Admin must click on link. This vulnerability appears to have been fixed in 2.1.1. |
|
8 |
CVE-2018-1000506 |
352 |
|
CSRF |
2018-06-26 |
2018-08-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Metronet Tag Manager version 1.2.7 contains a Cross ite Request Forgery (CSRF) vulnerability in Settings page /wp-admin/options-general.php?page=metronet-tag-manager that can result in allows anybody to do almost anything an admin can. This attack appear to be exploitable via Logged in user must follow a link. This vulnerability appears to have been fixed in 1.2.9. |
|
9 |
CVE-2018-1000505 |
352 |
|
CSRF |
2018-06-26 |
2018-08-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Tooltipy (tooltips for WP) version 5 contains a Cross ite Request Forgery (CSRF) vulnerability in Settings page that can result in could allow anybody to duplicate posts. This attack appear to be exploitable via Admin must follow a link. This vulnerability appears to have been fixed in 5.1. |
|
10 |
CVE-2018-1000206 |
352 |
|
CSRF |
2018-07-13 |
2019-06-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
JFrog Artifactory version since 5.11 contains a Cross ite Request Forgery (CSRF) vulnerability in UI rest endpoints that can result in Classic CSRF attack allowing an attacker to perform actions as logged in user. This attack appear to be exploitable via The victim must run maliciously crafted flash component. This vulnerability appears to have been fixed in 6.1. |
|
11 |
CVE-2018-1000153 |
352 |
|
DoS CSRF |
2018-04-05 |
2018-05-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or send credentials stored in Jenkins with known ID to an attacker-specified server ("test connection"). |
|
12 |
CVE-2018-1000137 |
352 |
|
CSRF |
2018-03-23 |
2018-04-12 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
I, Librarian version 4.8 and earlier contains a Cross site Request Forgery (CSRF) vulnerability in users.php that can result in the password of the admin being forced to be changed without the administrator's knowledge. |
|
13 |
CVE-2018-1000119 |
203 |
|
CSRF |
2018-03-07 |
2020-08-24 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0. |
|
14 |
CVE-2018-1000092 |
352 |
|
CSRF |
2018-03-13 |
2018-04-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
CMS Made Simple version versions 2.2.5 contains a Cross ite Request Forgery (CSRF) vulnerability in Admin profile page that can result in Details can be found here http://dev.cmsmadesimple.org/bug/view/11715. This attack appear to be exploitable via A specially crafted web page. This vulnerability appears to have been fixed in 2.2.6. |
|
15 |
CVE-2018-1000086 |
352 |
|
Exec Code CSRF |
2018-03-13 |
2019-09-06 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a Cross ite Request Forgery (CSRF) vulnerability in Pym.js _onNavigateToMessage function. https://github.com/nprapps/pym.js/blob/master/src/pym.js#L573 that can result in Arbitrary javascript code execution. This attack appear to be exploitable via Attacker gains full javascript access to pages with Pym.js embeds when user visits an attacker crafted page.. This vulnerability appears to have been fixed in versions 1.3.2 and later. |
|
16 |
CVE-2018-1000082 |
352 |
|
Exec Code CSRF |
2018-03-13 |
2018-04-06 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Ajenti version version 2 contains a Cross ite Request Forgery (CSRF) vulnerability in the command execution panel of the tool used to manage the server. that can result in Code execution on the server . This attack appear to be exploitable via Being a CSRF, victim interaction is needed, when the victim access the infected trigger of the CSRF any code that match the victim privledges on the server can be executed.. |
|
17 |
CVE-2018-1000053 |
352 |
|
CSRF |
2018-02-09 |
2018-03-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Theme Uninstallation that can result in CSRF causing LimeSurvey admins to delete all their themes, rendering the website unusable. This attack appear to be exploitable via Simple HTML markup can be used to send a GET request to the affected endpoint. |
|
18 |
CVE-2018-1000014 |
352 |
|
CSRF |
2018-01-23 |
2018-02-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins administrator. |
|
19 |
CVE-2018-1000013 |
352 |
|
CSRF |
2018-01-23 |
2018-02-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds. |
|
20 |
CVE-2018-20613 |
352 |
|
CSRF |
2018-12-30 |
2019-01-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
TEMMOKU T1.09 Beta allows admin/user/add CSRF. |
|
21 |
CVE-2018-20612 |
352 |
|
CSRF |
2018-12-30 |
2019-01-16 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
UWA 2.3.11 allows index.php?g=admin&c=admin&a=add_admin_do CSRF. |
|
22 |
CVE-2018-20603 |
352 |
|
CSRF |
2018-12-30 |
2019-01-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Lei Feng TV CMS (aka LFCMS) 3.8.6 allows admin.php?s=/Member/add.html CSRF. |
|
23 |
CVE-2018-20598 |
352 |
|
CSRF |
2018-12-30 |
2019-01-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
UCMS 1.4.7 has ?do=user_addpost CSRF. |
|
24 |
CVE-2018-20595 |
352 |
|
CSRF |
2018-12-30 |
2019-01-14 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A CSRF issue was discovered in web/authorization/oauth2/controller/OAuth2ClientController.java in hsweb 3.0.4 because the state parameter in the request is not compared with the state parameter in the session after user authentication is successful. |
|
25 |
CVE-2018-20577 |
352 |
|
CSRF |
2018-12-28 |
2019-01-22 |
9.4 |
None |
Remote |
Low |
Not required |
None |
Complete |
Complete |
|
Orange Livebox 00.96.320S devices allow cgi-bin/restore.exe, cgi-bin/firewall_SPI.exe, cgi-bin/setup_remote_mgmt.exe, cgi-bin/setup_pass.exe, and cgi-bin/upgradep.exe CSRF. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2. |
|
26 |
CVE-2018-20576 |
352 |
|
CSRF |
2018-12-28 |
2019-01-23 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Orange Livebox 00.96.320S devices allow cgi-bin/autodialing.exe and cgi-bin/phone_test.exe CSRF, leading to arbitrary outbound telephone calls to an attacker-specified telephone number. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2. |
|
27 |
CVE-2018-20419 |
352 |
|
CSRF |
2018-12-24 |
2019-01-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
DouCo DouPHP 1.5 has upload/admin/manager.php?rec=insert CSRF to add an administrator account. |
|
28 |
CVE-2018-20231 |
352 |
|
CSRF |
2018-12-19 |
2019-03-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross Site Request Forgery (CSRF) in the two-factor-authentication plugin before 1.3.13 for WordPress allows remote attackers to disable 2FA via the tfa_enable_tfa parameter due to missing nonce validation. |
|
29 |
CVE-2018-20228 |
352 |
|
CSRF |
2018-12-19 |
2019-01-24 |
6.0 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
Partial |
|
Subsonic V6.1.5 allows internetRadioSettings.view streamUrl CSRF, with resultant SSRF. |
|
30 |
CVE-2018-20188 |
352 |
|
CSRF |
2018-12-17 |
2019-01-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
FUEL CMS 1.4.3 has CSRF via users/create/ to add an administrator account. |
|
31 |
CVE-2018-20015 |
352 |
|
CSRF |
2018-12-10 |
2019-01-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
YzmCMS v5.2 has admin/role/add.html CSRF. |
|
32 |
CVE-2018-19969 |
352 |
|
CSRF |
2018-12-11 |
2019-04-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc. |
|
33 |
CVE-2018-19923 |
352 |
|
CSRF |
2018-12-06 |
2019-01-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in Sales & Company Management System (SCMS) through 2018-06-06. There is member/member_email.php?action=edit CSRF. |
|
34 |
CVE-2018-19911 |
352 |
|
Exec Code CSRF |
2018-12-06 |
2020-08-24 |
7.6 |
None |
Remote |
High |
Not required |
Complete |
Complete |
Complete |
|
FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password of works for the freeswitch account can sometimes be used. |
|
35 |
CVE-2018-19829 |
352 |
|
CSRF |
2018-12-18 |
2019-01-30 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known. |
|
36 |
CVE-2018-19621 |
352 |
|
CSRF |
2018-11-28 |
2018-12-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
server/index.php?s=/api/teamMember/save in ShowDoc 2.4.2 has a CSRF that can add members to a team. |
|
37 |
CVE-2018-19561 |
352 |
|
CSRF |
2018-11-26 |
2018-12-18 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
sikcms 1.1 has CSRF via admin.php?m=Admin&c=Users&a=userAdd to add an administrator account. |
|
38 |
CVE-2018-19560 |
352 |
|
CSRF |
2018-11-26 |
2018-12-31 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
BageCMS 3.1.3 has CSRF via upload/index.php?r=admini/admin/ownerUpdate to modify a user account. |
|
39 |
CVE-2018-19555 |
352 |
|
CSRF |
2018-11-26 |
2018-12-18 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
tp4a TELEPORT 3.1.0 has CSRF via user/do-reset-password to change any password, such as the administrator password. |
|
40 |
CVE-2018-19546 |
352 |
|
XSS CSRF |
2018-11-26 |
2020-08-24 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
JTBC(PHP) 3.0.1.7 has CSRF via the console/xml/manage.php?type=action&action=edit URI, as demonstrated by an XSS payload in the content parameter. |
|
41 |
CVE-2018-19545 |
352 |
|
CSRF |
2018-11-26 |
2018-12-19 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
JEECMS 9.3 has CSRF via the api/admin/role/save URI to add a user. |
|
42 |
CVE-2018-19544 |
352 |
|
CSRF |
2018-11-26 |
2018-12-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
JEECMS 9.3 has CSRF via the api/admin/content/save URI to add news. |
|
43 |
CVE-2018-19376 |
352 |
|
CSRF |
2018-11-20 |
2018-12-18 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that allows attackers to delete a log file via the index.php?m=admin&c=data&a=clear URI. |
|
44 |
CVE-2018-19335 |
352 |
|
+Info CSRF |
2018-11-20 |
2020-08-24 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
Google Monorail before 2018-06-07 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with a crafted groupby value) can be used to obtain sensitive information about the content of bug reports. |
|
45 |
CVE-2018-19334 |
352 |
|
+Info CSRF |
2018-11-20 |
2018-12-18 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Google Monorail before 2018-05-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with an unsupported axis) can be used to obtain sensitive information about the content of bug reports. |
|
46 |
CVE-2018-19332 |
352 |
|
CSRF |
2018-11-17 |
2018-12-18 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in S-CMS v1.5. There is a CSRF vulnerability that can add a new user via the admin/ajax.php?type=member&action=add URI. |
|
47 |
CVE-2018-19327 |
352 |
|
CSRF |
2018-11-17 |
2018-12-18 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in JTBC(PHP) 3.0.1.7. aboutus/manage.php?type=action&action=add allows CSRF. |
|
48 |
CVE-2018-19319 |
352 |
|
CSRF |
2018-11-16 |
2018-12-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
SRCMS 3.0.0 allows CSRF via admin.php?m=Admin&c=gifts&a=update to change goods prices with the super administrator's privileges. |
|
49 |
CVE-2018-19318 |
352 |
|
CSRF |
2018-11-16 |
2018-12-17 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
SRCMS 3.0.0 allows CSRF via admin.php?m=Admin&c=manager&a=update to change the username and password of the super administrator account. |
|
50 |
CVE-2018-19291 |
352 |
|
CSRF |
2018-11-15 |
2019-04-16 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
An issue was discovered in DiliCMS 2.4.0. There is a CSRF vulnerability that can delete a user or group via an admin/index.php/user/del/1 or admin/index.php/role/del/2 URI. |
