Total
8865 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-5475 | 1 S9y | 1 Serendipity | 2025-04-20 | N/A |
| comment.php in Serendipity through 2.0.5 allows CSRF in deleting any comments. | ||||
| CVE-2017-5476 | 1 S9y | 1 Serendipity | 2025-04-20 | N/A |
| Serendipity through 2.0.5 allows CSRF for the installation of an event plugin or a sidebar plugin. | ||||
| CVE-2017-7620 | 1 Mantisbt | 1 Mantisbt | 2025-04-20 | N/A |
| MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \/ substring as introducing either a local pathname or a remote hostname, which leads to (1) arbitrary Permalink Injection via CSRF attacks on a permalink_page.php?url= URI and (2) an open redirect via a login_page.php?return= URI. | ||||
| CVE-2017-9413 | 1 Subsonic | 1 Subsonic | 2025-04-20 | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Podcast feature in Subsonic 6.1.1 allow remote attackers to hijack the authentication of users for requests that (1) subscribe to a podcast via the add parameter to podcastReceiverAdmin.view or (2) update Internet Radio Settings via the urlRedirectCustomUrl parameter to networkSettings.view. NOTE: These vulnerabilities can be exploited to conduct server-side request forgery (SSRF) attacks. | ||||
| CVE-2016-6897 | 1 Wordpress | 1 Wordpress | 2025-04-20 | N/A |
| Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896. | ||||
| CVE-2017-6086 | 1 Vimbadmin | 1 Vimbadmin | 2025-04-20 | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the addAction and purgeAction functions in ViMbAdmin 3.0.15 allow remote attackers to hijack the authentication of logged administrators to (1) add an administrator user via a crafted POST request to <vimbadmin directory>/application/controllers/DomainController.php, (2) remove an administrator user via a crafted GET request to <vimbadmin directory>/application/controllers/DomainController.php, (3) change an administrator password via a crafted POST request to <vimbadmin directory>/application/controllers/DomainController.php, (4) add a mailbox via a crafted POST request to <vimbadmin directory>/application/controllers/MailboxController.php, (5) delete a mailbox via a crafted POST request to <vimbadmin directory>/application/controllers/MailboxController.php, (6) archive a mailbox address via a crafted GET request to <vimbadmin directory>/application/controllers/ArchiveController.php, (7) add an alias address via a crafted POST request to <vimbadmin directory>/application/controllers/AliasController.php, or (8) remove an alias address via a crafted GET request to <vimbadmin directory>/application/controllers/AliasController.php. | ||||
| CVE-2017-6366 | 1 Netgear | 5 Dgn2200 Firmware, Dgn2200v1, Dgn2200v2 and 2 more | 2025-04-20 | N/A |
| Cross-site request forgery (CSRF) vulnerability in NETGEAR DGN2200 routers with firmware 10.0.0.20 through 10.0.0.50 allows remote attackers to hijack the authentication of users for requests that perform DNS lookups via the host_name parameter to dnslookup.cgi. NOTE: this issue can be combined with CVE-2017-6334 to execute arbitrary code remotely. | ||||
| CVE-2016-8369 | 1 Lynxspring | 1 Jenesys Bas Bridge | 2025-04-20 | N/A |
| An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1.8 and older. The application does not sufficiently verify if a request was intentionally provided by the user who submitted the request (CROSS-SITE REQUEST FORGERY). | ||||
| CVE-2016-5809 | 1 Schneider-electric | 6 Ion5000, Ion7300, Ion7500 and 3 more | 2025-04-20 | N/A |
| An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. There is no CSRF Token generated to authenticate the user during a session. Successful exploitation of this vulnerability can allow unauthorized configuration changes to be made and saved. | ||||
| CVE-2017-5633 | 2 D-link, Dlink | 2 Di-524 Firmware, Di-524 | 2025-04-20 | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities on the D-Link DI-524 Wireless Router with firmware 9.01 allow remote attackers to (1) change the admin password, (2) reboot the device, or (3) possibly have unspecified other impact via crafted requests to CGI programs. | ||||
| CVE-2017-7404 | 1 Dlink | 1 Dir-615 | 2025-04-20 | 8.8 High |
| On the D-Link DIR-615 before v20.12PTb04, if a victim logged in to the Router's Web Interface visits a malicious site from another Browser tab, the malicious site then can send requests to the victim's Router without knowing the credentials (CSRF). An attacker can host a page that sends a POST request to Form2File.htm that tries to upload Firmware to victim's Router. This causes the router to reboot/crash resulting in Denial of Service. An attacker may succeed in uploading malicious Firmware. | ||||
| CVE-2017-9673 | 1 Simplece | 1 Simplece | 2025-04-20 | N/A |
| In SimpleCE 2.3.0, a CSRF vulnerability can be exploited to add an administrator account (via the index.php/user/new URI) or change its settings (via the index.php/user/1 URI), including its password. | ||||
| CVE-2017-6379 | 1 Drupal | 1 Drupal | 2025-04-20 | N/A |
| Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID. | ||||
| CVE-2017-8082 | 1 Concretecms | 1 Concrete Cms | 2025-04-20 | N/A |
| concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/files/importers/imageeditor?fID=1&imgData= URI. This results in a site-wide denial of service making the site not accessible to any users or any administrators. | ||||
| CVE-2017-7423 | 1 Microfocus | 2 Enterprise Developer, Enterprise Server | 2025-04-20 | N/A |
| A Cross-Site Request Forgery (CWE-352) vulnerability in esfadmingui in Micro Focus Enterprise Developer and Enterprise Server 2.3, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9 allows remote unauthenticated attackers to forge requests, if this component is configured. This includes creating new privileged credentials, resulting in privilege elevation (CWE-275). Note esfadmingui is not enabled by default. | ||||
| CVE-2015-5607 | 2 Fedoraproject, Ipython | 2 Fedora, Ipython | 2025-04-20 | N/A |
| Cross-site request forgery in the REST API in IPython 2 and 3. | ||||
| CVE-2024-30617 | 1 Chamilo | 1 Chamilo Lms | 2025-04-18 | 5.4 Medium |
| A Cross-Site Request Forgery (CSRF) vulnerability in Chamilo LMS 1.11.26 "/main/social/home.php," allows attackers to initiate a request that posts a fake post onto the user's social wall without their consent or knowledge. | ||||
| CVE-2024-3756 | 1 Mf Gig Calendar Project | 1 Mf Gig Calendar | 2025-04-18 | 7.5 High |
| The MF Gig Calendar WordPress plugin through 1.2.1 does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF attack | ||||
| CVE-2024-51156 | 1 07fly | 1 07flycms | 2025-04-18 | 4.7 Medium |
| 07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component 'erp.07fly.net:80/admin/SysNotifyUser/del.html?id=93'. | ||||
| CVE-2024-51157 | 2 07fly, Zero Takeoff | 2 07flycms, 07flycms | 2025-04-18 | 4.7 Medium |
| 07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component http://erp.07fly.net:80/oa/OaSchedule/add.html. | ||||