Total
7225 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-17118 | 1 Wikidsystems | 1 2fa Enterprise Server | 2019-10-22 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF issue in WiKID 2FA Enterprise Server through 4.2.0-b2053 allows a remote attacker to trick an authenticated user into performing unintended actions such as (1) create or delete admin users; (2) create or delete groups; or (3) create, delete, enable, or disable normal users or devices. | |||||
| CVE-2019-17367 | 1 Openwrt | 1 Openwrt | 2019-10-22 | 6.8 MEDIUM | 8.8 HIGH |
| OpenWRT firmware version 18.06.4 is vulnerable to CSRF via wireless/radio0.network1, wireless/radio1.network1, firewall, firewall/zones, firewall/forwards, firewall/rules, network/wan, network/wan6, or network/lan under /cgi-bin/luci/admin/network/. | |||||
| CVE-2019-17676 | 1 Metinfo | 1 Metinfo | 2019-10-21 | 6.8 MEDIUM | 8.8 HIGH |
| app/system/admin/admin/index.class.php in MetInfo 7.0.0beta allows a CSRF attack to add a user account via a doSaveSetup action to admin/index.php, as demonstrated by an admin/?n=admin&c=index&a=doSaveSetup URI. | |||||
| CVE-2019-17521 | 1 Landing-cms Project | 1 Landing-cms | 2019-10-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Landing-CMS 0.0.6. There is a CSRF vulnerability that can change the admin's password via the password/ URI, | |||||
| CVE-2017-14683 | 1 Geminabox Project | 1 Geminabox | 2019-10-17 | 6.8 MEDIUM | 8.8 HIGH |
| geminabox (aka Gem in a Box) before 0.13.7 has CSRF, as demonstrated by an unintended gem upload. | |||||
| CVE-2019-17593 | 1 Jizhicms | 1 Jizhicms | 2019-10-16 | 6.8 MEDIUM | 8.8 HIGH |
| JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator. | |||||
| CVE-2019-17369 | 1 Otcms | 1 Otcms | 2019-10-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| OTCMS v3.85 has CSRF in the admin/member_deal.php Admin Panel page, leading to creation of a new management group account, as demonstrated by superadmin. | |||||
| CVE-2019-11077 | 1 Fastadmin | 1 Fastadmin | 2019-10-15 | 6.8 MEDIUM | 8.8 HIGH |
| FastAdmin V1.0.0.20190111_beta has a CSRF vulnerability to add a new admin user via the admin/auth/admin/add?dialog=1 URI. | |||||
| CVE-2019-13529 | 1 Sma | 2 Sunny Webbox, Sunny Webbox Firmware | 2019-10-15 | 6.8 MEDIUM | 8.8 HIGH |
| An attacker could send a malicious link to an authenticated operator, which may allow remote attackers to perform actions with the permissions of the user on the Sunny WebBox Firmware Version 1.6 and prior. This device uses IP addresses to maintain communication after a successful login, which would increase the ease of exploitation. | |||||
| CVE-2019-17386 | 1 Eleopard | 1 Animate It\! | 2019-10-15 | 6.8 MEDIUM | 8.8 HIGH |
| The animate-it plugin before 2.3.6 for WordPress has CSRF in edsanimate.php. | |||||
| CVE-2019-17431 | 1 Fastadmin | 1 Fastadmin | 2019-10-11 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in fastadmin 1.0.0.20190705_beta. There is a public/index.php/admin/auth/admin/add CSRF vulnerability. | |||||
| CVE-2015-9455 | 1 Incsub | 1 Buddypress-activity-plus | 2019-10-10 | 7.8 HIGH | 8.1 HIGH |
| The buddypress-activity-plus plugin before 1.6.2 for WordPress has CSRF with resultant directory traversal via the wp-admin/admin-ajax.php bpfb_photos[] parameter in a bpfb_remove_temp_images action. | |||||
| CVE-2019-17217 | 1 Vzug | 2 Combi-stream Mslq, Combi-stream Mslq Firmware | 2019-10-10 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. There is no CSRF protection established on the web service. | |||||
| CVE-2019-9883 | 1 Hgiga | 8 Msr35 Isherlock-base, Msr35 Isherlock-sysinfo, Msr35 Isherlock-user and 5 more | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| Multi modules of MailSherlock MSR35 and MSR45 lead to a CSRF vulnerability. It allows attacker to elevate privilege of specific account via useradmin/cf_new.cgi?chief=&wk_group=full&cf_name=test&cf_account=test&cf_email=&cf_acl=Management&apply_lang=&dn= without any authorizes. | |||||
| CVE-2019-9882 | 1 Hgiga | 8 Msr35 Isherlock-base, Msr35 Isherlock-sysinfo, Msr35 Isherlock-user and 5 more | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| Multi modules of MailSherlock MSR35 and MSR45 lead to a CSRF vulnerability. It allows attacker to add malicious email sources into whitelist via user/save_list.php?ACSION=&type=email&category=white&locate=big5&cmd=add&new=hacker@socialengineering.com&new_memo=&add=%E6%96%B0%E5%A2%9E without any authorizes. | |||||
| CVE-2019-5630 | 1 Rapid7 | 1 Nexpose | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using Flash to circumvent a cross-domain pre-flight OPTIONS request. | |||||
| CVE-2019-5430 | 1 Ui | 1 Unifi Video | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| In UniFi Video 3.10.0 and prior, due to the lack of CSRF protection, it is possible to abuse the Web API to make changes on the server configuration without the user consent, requiring the attacker to lure an authenticated user to access on attacker controlled page. | |||||
| CVE-2019-3410 | 1 Zte | 2 Wf820\+ Lte Outdoor Cpe, Wf820\+ Lte Outdoor Cpe Firmware | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| All versions up to UKBB_WF820+_1.0.0B06 of ZTE WF820+ LTE Outdoor CPE product are impacted by Cross-Site Request Forgery vulnerability,which stems from the fact that WEB applications do not adequately verify whether requests come from trusted users. An attacker can exploit this vulnerability to send unexpected requests to the server through the affected client. | |||||
| CVE-2019-1881 | 1 Cisco | 1 Industrial Network Director | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to use a web browser and the privileges of the user to perform arbitrary actions on an affected device. For more information about CSRF attacks and potential mitigations, see Understanding Cross-Site Request Forgery Threat Vectors. | |||||
| CVE-2019-1764 | 1 Cisco | 8 Ip Conference Phone 8832, Ip Conference Phone 8832 Firmware, Ip Phone 8800 and 5 more | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading an authenticated user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on a targeted device via a web browser and with the privileges of the user. This vulnerability affects Cisco IP Phone 8800 Series products running a SIP Software release prior to 11.0(5) for Wireless IP Phone 8821 and 8821-EX; and 12.5(1)SR1 for the IP Conference Phone 8832 and the rest of the IP Phone 8800 Series. Cisco IP Conference Phone 8831 is not affected. | |||||