Total
4240 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-7067 | 1 Mmonit | 1 Monit | 2019-10-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| Monit before version 5.20.0 is vulnerable to a cross site request forgery attack. Successful exploitation will enable an attacker to disable/enable all monitoring for a particular host or disable/enable monitoring for a specific service. | |||||
| CVE-2016-6557 | 1 Asus | 14 Ea-n66, Ea-n66 Firmware, Rp-ac52 and 11 more | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| In ASUS RP-AC52 access points with firmware version 1.0.1.1s and possibly earlier, the web interface, the web interface does not sufficiently verify whether a valid request was intentionally provided by the user. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. | |||||
| CVE-2016-1261 | 1 Juniper | 1 Junos | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| J-Web does not validate certain input that may lead to cross-site request forgery (CSRF) issues or cause a denial of J-Web service (DoS). | |||||
| CVE-2016-1265 | 1 Juniper | 1 Junos Space | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| A remote unauthenticated network based attacker with access to Junos Space may execute arbitrary code on Junos Space or gain access to devices managed by Junos Space using cross site request forgery (CSRF), default authentication credentials, information leak and command injection attack vectors. All versions of Juniper Networks Junos Space prior to 15.1R3 are affected. | |||||
| CVE-2016-10529 | 1 Droppy Project | 1 Droppy | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| Droppy versions <3.5.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under his control and delete others. | |||||
| CVE-2016-10522 | 1 Rails Admin Project | 1 Rails Admin | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| rails_admin ruby gem <v1.1.1 is vulnerable to cross-site request forgery (CSRF) attacks. Non-GET methods were not validating CSRF tokens and, as a result, an attacker could hypothetically gain access to the application administrative endpoints exposed by the gem. | |||||
| CVE-2015-4010 | 1 Everybit | 1 Encrypted Contact Form | 2019-10-09 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the Encrypted Contact Form plugin before 1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the iframe_url parameter in an Update Page action in the conformconf page to wp-admin/options-general.php. | |||||
| CVE-2014-2641 | 1 Hp | 1 System Management Homepage | 2019-10-09 | 6.0 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors. | |||||
| CVE-2014-0594 | 1 Opensuse | 1 Open Build Service | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| In the Open Build Service (OBS) before version 2.4.6 the CSRF protection is incorrectly disabled in the web interface, allowing for requests without the user's consent. | |||||
| CVE-2013-6202 | 1 Hp | 1 Service Manager | 2019-10-09 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in HP Service Manager 9.30, 9.31, 9.32, and 9.33 allow remote attackers to hijack the authentication of unspecified victims for requests that (1) insert XSS sequences or (2) execute arbitrary code. | |||||
| CVE-2013-6188 | 1 Hp | 1 System Management Homepage | 2019-10-09 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) 7.1 through 7.2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||||
| CVE-2012-5216 | 1 Hp | 3 Procurve Switch 1700-24, Procurve Switch 1700-8, Procurve Switch Software | 2019-10-09 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability on HP ProCurve 1700-8 (aka J9079A) switches with software before VA.02.09 and 1700-24 (aka J9080A) switches with software before VB.02.09 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||||
| CVE-2010-1971 | 2 Hp, Microsoft | 2 Insight Software Installer, Windows | 2019-10-09 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in HP Insight Software Installer for Windows before 6.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors, a different vulnerability than CVE-2010-1968. | |||||
| CVE-2010-1968 | 2 Hp, Microsoft | 2 Insight Software Installer, Windows | 2019-10-09 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in HP Insight Software Installer for Windows before 6.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors, a different vulnerability than CVE-2010-1971. | |||||
| CVE-2010-1037 | 1 Hp | 1 Systems Insight Manager | 2019-10-09 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in HP System Insight Manager before 6.0 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||||
| CVE-2018-10233 | 1 Ultimatemember | 1 User Profile \& Membership | 2019-10-05 | 6.8 MEDIUM | 8.8 HIGH |
| The User Profile & Membership plugin before 2.0.7 for WordPress has no mitigations implemented against cross site request forgery attacks. This is a structural finding throughout the entire plugin. | |||||
| CVE-2019-15040 | 1 Jetbrains | 1 Youtrack | 2019-10-03 | 6.8 MEDIUM | 8.8 HIGH |
| JetBrains YouTrack versions before 2019.1 had a CSRF vulnerability on the settings page. | |||||
| CVE-2017-9810 | 1 Kaspersky | 1 Anti-virus For Linux Server | 2019-10-02 | 6.8 MEDIUM | 8.8 HIGH |
| There are no Anti-CSRF tokens in any forms on the web interface in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312). This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. | |||||
| CVE-2017-9062 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-10-02 | 5.0 MEDIUM | 8.6 HIGH |
| In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. | |||||
| CVE-2017-6080 | 1 Zammad | 1 Zammad | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, caused by lack of a protection mechanism involving HTTP Access-Control headers. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid session cookie and receive the result. | |||||