Total
4240 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-19886 | 1 Dbhcms Project | 1 Dbhcms | 2020-08-25 | 4.3 MEDIUM | 8.1 HIGH |
| DBHcms v1.2.0 has no CSRF protection mechanism,as demonstrated by CSRF for an /index.php?dbhcms_pid=-80&deletemenu=9 can delete any menu. | |||||
| CVE-2018-19511 | 1 Ens | 1 Webgalamb | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| wg7.php in Webgalamb 7.0 lacks security measures to prevent CSRF attacks, as demonstrated by wg7.php?options=1 to change the administrator password. | |||||
| CVE-2018-19546 | 1 Jtbc | 1 Jtbc Php | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| JTBC(PHP) 3.0.1.7 has CSRF via the console/xml/manage.php?type=action&action=edit URI, as demonstrated by an XSS payload in the content parameter. | |||||
| CVE-2018-19335 | 1 Google | 1 Monorail | 2020-08-24 | 2.6 LOW | 5.3 MEDIUM |
| Google Monorail before 2018-06-07 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with a crafted groupby value) can be used to obtain sensitive information about the content of bug reports. | |||||
| CVE-2018-19911 | 1 Freeswitch | 1 Freeswitch | 2020-08-24 | 7.6 HIGH | 7.5 HIGH |
| FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password of works for the freeswitch account can sometimes be used. | |||||
| CVE-2018-11501 | 1 Website Seller Script Project | 1 Website Seller Script | 2020-08-24 | 6.0 MEDIUM | 8.8 HIGH |
| PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via user_submit.php?upd=2, with resultant XSS. | |||||
| CVE-2018-7305 | 1 Mybb | 1 Mybb | 2020-08-24 | 4.0 MEDIUM | 4.9 MEDIUM |
| MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts. | |||||
| CVE-2018-10803 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the add credentials functionality in Zoho ManageEngine NetFlow Analyzer v12.3 before 12.3.125 (build 123125) allows remote attackers to inject arbitrary web script or HTML via a crafted description value. This can be exploited through CSRF. | |||||
| CVE-2019-19469 | 1 Zmanda | 1 Amanda | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| In Zmanda Management Console 3.3.9, ZMC_Admin_Advanced?form=adminTasks&action=Apply&command= allows CSRF, as demonstrated by command injection with shell metacharacters. This may depend on weak default credentials. | |||||
| CVE-2019-19375 | 1 Octopus | 1 Octopus Deploy | 2020-08-24 | 4.3 MEDIUM | 5.3 MEDIUM |
| In Octopus Deploy before 2019.10.7, in a configuration where SSL offloading is enabled, the CSRF cookie was sometimes sent without the secure attribute. (The fix for this was backported to LTS versions 2019.6.14 and 2019.9.8.) | |||||
| CVE-2019-15648 | 1 Elearningfreak | 1 Insert Or Embed Articulate Content | 2020-08-24 | 5.5 MEDIUM | 6.5 MEDIUM |
| The insert-or-embed-articulate-content-into-wordpress plugin before 4.29991 for WordPress has insufficient restrictions on deleting or renaming by a Subscriber. | |||||
| CVE-2019-13376 | 1 Phpbb | 1 Phpbb | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS | |||||
| CVE-2019-19979 | 1 Wp Maintenance Project | 1 Wp Maintenance | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| A flaw in the WordPress plugin, WP Maintenance before 5.0.6, allowed attackers to enable a vulnerable site's maintenance mode and inject malicious code affecting site visitors. There was CSRF with resultant XSS. | |||||
| CVE-2019-16719 | 1 Wtcms Project | 1 Wtcms | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| WTCMS 1.0 allows index.php?g=admin&m=index&a=index CSRF with resultant XSS. | |||||
| CVE-2018-9281 | 1 Eaton | 2 9px Ups, 9px Ups Firmware | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on Eaton UPS 9PX 8000 SP devices. The administration panel is vulnerable to a CSRF attack on the change-password functionality. This vulnerability could be used to force a logged-in administrator to perform a silent password update. The affected forms are also vulnerable to Reflected Cross-Site Scripting vulnerabilities. This flaw could be triggered by driving an administrator logged into the Eaton application to a specially crafted web page. This attack could be done silently. | |||||
| CVE-2018-10554 | 1 Nagios | 1 Nagios Xi | 2020-08-24 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages function; (3) the ajaxhelper.php opts or background parameter; (4) the i[] array parameter to ajax_handler.php; or (5) the deploynotification.php title parameter. | |||||
| CVE-2019-11193 | 1 Infinitumit | 1 Directadmin | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| The FileManager in InfinitumIT DirectAdmin through v1.561 has XSS via CMD_FILE_MANAGER, CMD_SHOW_USER, and CMD_SHOW_RESELLER; an attacker can bypass the CSRF protection with this, and take over the administration panel. | |||||
| CVE-2018-15884 | 1 Ricoh | 2 Mp C4504ex, Mp C4504ex Firmware | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| RICOH MP C4504ex devices allow HTML Injection via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter. | |||||
| CVE-2019-17642 | 1 Centreon | 1 Centreon | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Centreon before 18.10.8, 19.10.1, and 19.04.2. It allows CSRF with resultant remote command execution via shell metacharacters in a POST to centreon-autodiscovery-server/views/scan/ajax/call.php in the Autodiscovery plugin. | |||||
| CVE-2019-16068 | 1 Netsas | 1 Enigma Network Management Solution | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF vulnerability exists in NETSAS ENIGMA NMS version 65.0.0 and prior that could allow an attacker to be able to trick a victim into submitting a malicious manage_files.cgi request. This can be triggered via XSS or an IFRAME tag included within the site. | |||||