Security Vulnerabilities Published In 2019 (CSRF)

Columns: row number, CVE ID, CWE ID, number of exploits (none listed for any entry on this page), vulnerability type(s), publish date, update date. The second line of each entry gives: CVSS score | gained access level | access vector | access complexity | authentication | confidentiality / integrity / availability impact. Entries showing "???" have not been scored by the site.

1  CVE-2019-1010112  CWE-352  CSRF  Published 2019-07-18, updated 2019-07-22
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   OECMS v4.3.R60321 and v4.3 later is affected by: Cross Site Request Forgery (CSRF). The impact is: The victim clicks on adding an administrator account. The component is: admincp.php. The attack vector is: network connectivity. The fixed version is: v4.3.

2  CVE-2019-1010096  CWE-352  CSRF  Published 2019-07-18, updated 2019-07-18
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   domainmod (https://domainmod.org/) domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can change the read-only user to admin. The component is: http://127.0.0.1/admin/users/edit.php?uid=2. The attack vector is: After the administrator logged in, open the html page.

3  CVE-2019-1010095  CWE-352  CSRF  Published 2019-07-18, updated 2019-07-18
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   domainmod (https://domainmod.org/) domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can add the administrator account. The component is: http://127.0.0.1/admin/users/add.php. The attack vector is: After the administrator logged in, open the html page.

4  CVE-2019-1010094  CWE-352  CSRF  Published 2019-07-18, updated 2019-07-18
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can change admin password. The component is: http://127.0.0.1/settings/password/ http://127.0.0.1/admin/users/add.php http://127.0.0.1/admin/users/edit.php?uid=2. The attack vector is: After the administrator logged in, open the html page.

5  CVE-2019-1010054  CWE-352  CSRF  Published 2019-07-18, updated 2019-07-18
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malicious html to change user password, disable users and disable password encryption. The component is: Function User password change, user disable and password encryption. The attack vector is: admin access malicious urls.

6  CVE-2019-1003098  CWE-352  CSRF  Published 2019-04-04, updated 2019-10-09
   4.3 | None | Remote | Medium | Not required | None/Partial/None
   A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.

7  CVE-2019-1003092  CWE-352  CSRF  Published 2019-04-04, updated 2019-10-09
   4.3 | None | Remote | Medium | Not required | None/Partial/None
   A cross-site request forgery vulnerability in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

8  CVE-2019-1003090  CWE-352  CSRF  Published 2019-04-04, updated 2019-10-09
   4.3 | None | Remote | Medium | Not required | None/Partial/None
   A cross-site request forgery vulnerability in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.

9  CVE-2019-1003086  CWE-352  CSRF  Published 2019-04-04, updated 2019-10-09
   4.3 | None | Remote | Medium | Not required | None/Partial/None
   A cross-site request forgery vulnerability in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

10 CVE-2019-1003084  CWE-352  CSRF  Published 2019-04-04, updated 2019-10-09
   4.3 | None | Remote | Medium | Not required | None/Partial/None
   A cross-site request forgery vulnerability in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

11 CVE-2019-1003082  CWE-352  CSRF  Published 2019-04-04, updated 2019-10-09
   4.3 | None | Remote | Medium | Not required | None/Partial/None
   A cross-site request forgery vulnerability in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

12 CVE-2019-1003080  CWE-352  CSRF  Published 2019-04-04, updated 2019-10-09
   4.3 | None | Remote | Medium | Not required | None/Partial/None
   A cross-site request forgery vulnerability in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers to initiate a connection to an attacker-specified server.

13 CVE-2019-1003078  CWE-352  CSRF  Published 2019-04-04, updated 2019-10-09
   4.3 | None | Remote | Medium | Not required | None/Partial/None
   A cross-site request forgery vulnerability in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

14 CVE-2019-1003076  CWE-352  CSRF  Published 2019-04-04, updated 2019-10-09
   4.3 | None | Remote | Medium | Not required | None/Partial/None
   A cross-site request forgery vulnerability in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

15 CVE-2019-1003058  CWE-352  CSRF  Published 2019-04-04, updated 2019-10-09
   4.3 | None | Remote | Medium | Not required | None/Partial/None
   A cross-site request forgery vulnerability in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers to initiate a connection to an attacker-specified server.

16 CVE-2019-1003046  CWE-352  CSRF  Published 2019-03-28, updated 2019-10-09
   4.3 | None | Remote | Medium | Not required | None/Partial/None
   A cross-site request forgery vulnerability in Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier allows attackers to initiate a connection to an attacker-specified server.

17 CVE-2019-1003044  CWE-352  CSRF  Published 2019-03-28, updated 2019-10-09
   2.1 | None | Remote | High | Single system | Partial/None/None
   A cross-site request forgery vulnerability in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

18 CVE-2019-1003012  CWE-352  Bypass CSRF  Published 2019-02-06, updated 2019-10-09
   4.3 | None | Remote | Medium | Not required | None/Partial/None
   A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API.

19 CVE-2019-1003010  CWE-352  CSRF  Published 2019-02-06, updated 2019-04-26
   4.3 | None | Remote | Medium | Not required | None/Partial/None
   A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.

20 CVE-2019-1003008  CWE-352  Exec Code CSRF  Published 2019-02-06, updated 2019-10-09
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   A cross-site request forgery vulnerability exists in Jenkins Warnings Next Generation Plugin 2.1.1 and earlier in src/main/java/io/jenkins/plugins/analysis/warnings/groovy/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint.

21 CVE-2019-1003007  CWE-352  Exec Code CSRF  Published 2019-02-06, updated 2019-10-09
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   A cross-site request forgery vulnerability exists in Jenkins Warnings Plugin 5.0.0 and earlier in src/main/java/hudson/plugins/warnings/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint.

22 CVE-2019-17613  CWE: n/a  Exec Code CSRF  Published 2019-10-15, updated 2019-10-15
   0.0 | None | ??? | ??? | ??? | ???/???/???
   qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in the content parameter.

23 CVE-2019-17593  CWE: n/a  CSRF  Published 2019-10-14, updated 2019-10-15
   0.0 | None | ??? | ??? | ??? | ???/???/???
   JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.

24 CVE-2019-17521  CWE: n/a  CSRF  Published 2019-10-12, updated 2019-10-15
   0.0 | None | ??? | ??? | ??? | ???/???/???
   An issue was discovered in Landing-CMS 0.0.6. There is a CSRF vulnerability that can change the admin's password via the password/ URI.

25 CVE-2019-17495  CWE: n/a  CSRF  Published 2019-10-10, updated 2019-10-11
   0.0 | None | ??? | ??? | ??? | ???/???/???
   A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

26 CVE-2019-17432  CWE-352  XSS CSRF  Published 2019-10-10, updated 2019-10-15
   4.3 | None | Remote | Medium | Not required | None/Partial/None
   An issue was discovered in fastadmin 1.0.0.20190705_beta. There is a public/admin/general.config/edit CSRF vulnerability, as demonstrated by resultant XSS via the row[name] parameter.

27 CVE-2019-17431  CWE-352  CSRF  Published 2019-10-10, updated 2019-10-11
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   An issue was discovered in fastadmin 1.0.0.20190705_beta. There is a public/index.php/admin/auth/admin/add CSRF vulnerability.

28 CVE-2019-17386  CWE-352  CSRF  Published 2019-10-10, updated 2019-10-15
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   The animate-it plugin before 2.3.6 for WordPress has CSRF in edsanimate.php.

29 CVE-2019-17369  CWE: n/a  CSRF  Published 2019-10-09, updated 2019-10-09
   0.0 | None | ??? | ??? | ??? | ???/???/???
   OTCMS v3.85 has CSRF in the admin/member_deal.php Admin Panel page, leading to creation of a new management group account, as demonstrated by superadmin.

30 CVE-2019-17217  CWE-352  CSRF  Published 2019-10-06, updated 2019-10-10
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. There is no CSRF protection established on the web service.

31 CVE-2019-16993  CWE-352  CSRF  Published 2019-09-30, updated 2019-10-07
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an attacker also manages to retrieve the session id of a reauthenticated administrator prior to targeting them.

32 CVE-2019-16721  CWE-352  CSRF  Published 2019-09-23, updated 2019-09-23
   5.8 | None | Remote | Medium | Not required | None/Partial/Partial
   NoneCMS v1.3 has CSRF in public/index.php/admin/admin/dele.html, as demonstrated by deleting the admin user.

33 CVE-2019-16719  CWE-352  XSS CSRF  Published 2019-09-23, updated 2019-09-23
   4.3 | None | Remote | Medium | Not required | None/Partial/None
   WTCMS 1.0 allows index.php?g=admin&m=index&a=index CSRF with resultant XSS.

34 CVE-2019-16706  CWE-352  CSRF  Published 2019-09-23, updated 2019-09-23
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   kkcms v1.3 has a CSRF vulnerability that can add a user account via admin/cms_user_add.php.

35 CVE-2019-16678  CWE-352  DoS CSRF  Published 2019-09-21, updated 2019-09-23
   4.3 | None | Remote | Medium | Not required | None/None/Partial
   admin/urlrule/add.html in YzmCMS 5.3 allows CSRF with a resultant denial of service by adding a superseding route.

36 CVE-2019-16677  CWE-352  CSRF  Published 2019-09-21, updated 2019-09-23
   5.8 | None | Remote | Medium | Not required | None/Partial/Partial
   An issue was discovered in idreamsoft iCMS V7.0. admincp.php?app=members&do=del allows CSRF.

37 CVE-2019-16667  CWE-352  CSRF  Published 2019-09-26, updated 2019-09-27
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executing OS commands. This occurs because csrf_callback() produces a "CSRF token expired" error and a Try Again button when a CSRF token is missing.

38 CVE-2019-16660  CWE-352  CSRF  Published 2019-09-21, updated 2019-09-23
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   joyplus-cms 1.6.0 has admin_ajax.php?action=savexml&tab=vodplay CSRF.

39 CVE-2019-16659  CWE-352  CSRF  Published 2019-09-21, updated 2019-09-23
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   TuziCMS 2.0.6 has index.php/manage/link/do_add CSRF.

40 CVE-2019-16658  CWE-352  CSRF  Published 2019-09-21, updated 2019-09-23
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   TuziCMS 2.0.6 has index.php/manage/notice/do_add CSRF.

41 CVE-2019-16531  CWE-352  CSRF  Published 2019-09-19, updated 2019-09-20
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   LayerBB before 1.1.4 has multiple CSRF issues, as demonstrated by changing the System Settings via admin/general.php.

42 CVE-2019-16311  CWE-352  CSRF  Published 2019-09-14, updated 2019-09-16
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   NIUSHOP V1.11 has CSRF via search_info to index.php.

43 CVE-2019-16187  CWE-200  +Info CSRF  Published 2019-09-09, updated 2019-09-10
   5.0 | None | Remote | Low | Not required | Partial/None/None
   Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script.

44 CVE-2019-16099  CWE-352  CSRF  Published 2019-09-08, updated 2019-09-09
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows CSRF via JSON data to a .swf file.

45 CVE-2019-16059  CWE-352  CSRF  Published 2019-09-06, updated 2019-09-08
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   Sentrifugo 3.2 lacks CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code at index.php/dashboard/viewprofile via a crafted HTML page.

46 CVE-2019-15868  CWE-352  CSRF  Published 2019-09-03, updated 2019-09-03
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   The affiliates-manager plugin before 2.6.6 for WordPress has CSRF.

47 CVE-2019-15865  CWE-352  CSRF  Published 2019-09-03, updated 2019-09-03
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   The breadcrumbs-by-menu plugin before 1.0.3 for WordPress has CSRF.

48 CVE-2019-15841  CWE-352  CSRF  Published 2019-08-30, updated 2019-09-03
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   The facebook-for-woocommerce plugin before 1.9.15 for WordPress has CSRF via ajax_woo_infobanner_post_click, ajax_woo_infobanner_post_xout, or ajax_fb_toggle_visibility.

49 CVE-2019-15840  CWE-352  CSRF  Published 2019-08-30, updated 2019-09-03
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   The facebook-for-woocommerce plugin before 1.9.14 for WordPress has CSRF.

50 CVE-2019-15835  CWE-352  CSRF  Published 2019-08-30, updated 2019-09-04
   6.8 | None | Remote | Medium | Not required | Partial/Partial/Partial
   The wp-better-permalinks plugin before 3.0.5 for WordPress has CSRF.
Total number of vulnerabilities: 398 (page 1 of 8)