Total
4240 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-19469 | 1 Zmanda | 1 Amanda | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| In Zmanda Management Console 3.3.9, ZMC_Admin_Advanced?form=adminTasks&action=Apply&command= allows CSRF, as demonstrated by command injection with shell metacharacters. This may depend on weak default credentials. | |||||
| CVE-2018-10803 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the add credentials functionality in Zoho ManageEngine NetFlow Analyzer v12.3 before 12.3.125 (build 123125) allows remote attackers to inject arbitrary web script or HTML via a crafted description value. This can be exploited through CSRF. | |||||
| CVE-2019-14228 | 1 Angry-frog | 1 Xavier | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Xavier PHP Management Panel 3.0 is vulnerable to Reflected POST-based XSS via the username parameter when registering a new user at admin/includes/adminprocess.php. If there is an error when registering the user, the unsanitized username will reflect via the error page. Due to the lack of CSRF protection on the admin/includes/adminprocess.php endpoint, an attacker is able to chain the XSS with CSRF in order to cause remote exploitation. | |||||
| CVE-2019-8155 | 1 Magento | 1 Magento | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Magento prior to 1.9.4.3 and prior to 1.14.4.3 included a user's CSRF token in the URL of a GET request. This could be exploited by an attacker with access to network traffic to perform unauthorized actions. | |||||
| CVE-2019-16719 | 1 Wtcms Project | 1 Wtcms | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| WTCMS 1.0 allows index.php?g=admin&m=index&a=index CSRF with resultant XSS. | |||||
| CVE-2018-15677 | 1 Btiteam | 1 Xbtit | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The newsfeed (aka /index.php?page=viewnews) in BTITeam XBTIT 2.5.4 has stored XSS via the title of a news item. This is also exploitable via CSRF. | |||||
| CVE-2018-10554 | 1 Nagios | 1 Nagios Xi | 2020-08-24 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages function; (3) the ajaxhelper.php opts or background parameter; (4) the i[] array parameter to ajax_handler.php; or (5) the deploynotification.php title parameter. | |||||
| CVE-2019-12095 | 1 Horde | 1 Groupware | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: treanBookmarkTags could, for example, be a stored XSS payload. | |||||
| CVE-2019-14240 | 1 Wcms | 1 Wcms | 2020-08-24 | 5.8 MEDIUM | 8.1 HIGH |
| WCMS v0.3.2 has a CSRF vulnerability, with resultant directory traversal, to modify index.html via the /wex/html.php?finish=../index.html URI. | |||||
| CVE-2018-15884 | 1 Ricoh | 2 Mp C4504ex, Mp C4504ex Firmware | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| RICOH MP C4504ex devices allow HTML Injection via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter. | |||||
| CVE-2018-1432 | 1 Ibm | 1 Infosphere Information Server | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnerable to cross-frame scripting which is a vulnerability that allows an attacker to load Information Server components inside an HTML iframe tag on a malicious page. The attacker could use this weakness to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks. IBM X-Force ID: 139360. | |||||
| CVE-2018-7305 | 1 Mybb | 1 Mybb | 2020-08-24 | 4.0 MEDIUM | 4.9 MEDIUM |
| MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts. | |||||
| CVE-2019-12361 | 1 Phome | 1 Empirecms | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| EmpireCMS 7.5.0 has XSS via the from parameter to e/member/doaction.php, as demonstrated by a CSRF payload that changes the dynamic page template. The attacker can choose to resend the e/template/member/regsend.php registered activation mail page. | |||||
| CVE-2018-6940 | 1 Nat32 | 1 Nat32 | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| A /shell?cmd= XSS issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with CSRF. | |||||
| CVE-2019-11590 | 1 10web | 1 Form Maker | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| The 10Web Form Maker plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized. | |||||
| CVE-2018-7831 | 1 Schneider-electric | 8 Modicom Bmxnor0200h, Modicom Bmxnor0200h Firmware, Modicom M340 and 5 more | 2020-08-24 | 4.3 MEDIUM | 8.8 HIGH |
| An Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 allowing an attacker to send a specially crafted URL to a currently authenticated web server user to execute a password change on the web server. | |||||
| CVE-2018-7724 | 1 Piwigo | 1 Piwigo | 2020-08-24 | 3.5 LOW | 5.4 MEDIUM |
| The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible. | |||||
| CVE-2018-9281 | 1 Eaton | 2 9px Ups, 9px Ups Firmware | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on Eaton UPS 9PX 8000 SP devices. The administration panel is vulnerable to a CSRF attack on the change-password functionality. This vulnerability could be used to force a logged-in administrator to perform a silent password update. The affected forms are also vulnerable to Reflected Cross-Site Scripting vulnerabilities. This flaw could be triggered by driving an administrator logged into the Eaton application to a specially crafted web page. This attack could be done silently. | |||||
| CVE-2018-8979 | 1 Open-audit | 1 Open-audit | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| Open-AudIT Professional 2.1 has CSRF, as demonstrated by modifying a user account or inserting XSS sequences via the credentials URI. | |||||
| CVE-2019-7402 | 1 Phpmywind | 1 Phpmywind | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in PHPMyWind 5.5. The GetQQ function in include/func.class.php allows XSS via the cfg_qqcode parameter. This can be exploited via CSRF. | |||||