Total
7923 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-13563 | 1 Dlink | 2 Dir-655, Dir-655 Firmware | 2024-11-21 | 8.8 High |
| D-Link DIR-655 C devices before 3.02B05 BETA03 allow CSRF for the entire management console. | ||||
| CVE-2019-13529 | 1 Sma | 2 Sunny Webbox, Sunny Webbox Firmware | 2024-11-21 | 8.8 High |
| An attacker could send a malicious link to an authenticated operator, which may allow remote attackers to perform actions with the permissions of the user on the Sunny WebBox Firmware Version 1.6 and prior. This device uses IP addresses to maintain communication after a successful login, which would increase the ease of exploitation. | ||||
| CVE-2019-13516 | 1 Osisoft | 1 Pi Web Api | 2024-11-21 | 8.8 High |
| In OSIsoft PI Web API and prior, the affected product is vulnerable to a direct attack due to a cross-site request forgery protection setting that has not taken effect. | ||||
| CVE-2019-13497 | 1 Oneidentity | 1 Cloud Access Manager | 2024-11-21 | 6.5 Medium |
| One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows CSRF for logout requests. | ||||
| CVE-2019-13477 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | N/A |
| In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account. | ||||
| CVE-2019-13401 | 1 Fortinet | 2 Fcm-mb40, Fcm-mb40 Firmware | 2024-11-21 | N/A |
| Dynacolor FCM-MB40 v1.2.0.0 devices have CSRF in all scripts under cgi-bin/. | ||||
| CVE-2019-13395 | 1 Netgear | 2 Cg3700b, Cg3700b Firmware | 2024-11-21 | 8.8 High |
| The Voo branded NETGEAR CG3700b custom firmware V2.02.03 allows CSRF against all /goform/ URIs. An attacker can modify all settings including WEP/WPA/WPA2 keys, restore the router to factory settings, or even upload an entire malicious configuration file. | ||||
| CVE-2019-13376 | 1 Phpbb | 1 Phpbb | 2024-11-21 | 6.5 Medium |
| phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS | ||||
| CVE-2019-13370 | 1 Ignitedcms | 1 Ignitedcms | 2024-11-21 | 8.8 High |
| index.php/admin/permissions in Ignited CMS through 2017-02-19 allows CSRF to add an administrator. | ||||
| CVE-2019-13364 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 9.6 Critical |
| admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF. | ||||
| CVE-2019-13363 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 9.6 Critical |
| admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit parameter. This is exploitable via CSRF. | ||||
| CVE-2019-13199 | 1 Kyocera | 2 Ecosys M5526cdw, Ecosys M5526cdw Firmware | 2024-11-21 | 6.5 Medium |
| Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) did not implement any mechanism to avoid CSRF. Successful exploitation of this vulnerability can lead to the takeover of a local account on the device. | ||||
| CVE-2019-13183 | 1 Flarum | 1 Flarum | 2024-11-21 | N/A |
| Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings. | ||||
| CVE-2019-13170 | 1 Xerox | 2 Phaser 3320, Phaser 3320 Firmware | 2024-11-21 | 6.5 Medium |
| Some Xerox printers (such as the Phaser 3320 V53.006.16.000) did not implement any mechanism to avoid CSRF attacks. Successful exploitation of this vulnerability can lead to the takeover of a local account on the device. | ||||
| CVE-2019-13071 | 1 Cyberpowersystems | 1 Powerpanel | 2024-11-21 | N/A |
| CSRF in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows an attacker to submit POST requests to any forms in the web application. This can be exploited by tricking an authenticated user into visiting an attacker controlled web page. | ||||
| CVE-2019-13056 | 1 Cyberpanel | 1 Cyberpanel | 2024-11-21 | N/A |
| An issue was discovered in CyberPanel through 1.8.4. On the user edit page, an attacker can edit the administrator's e-mail and password because of the lack of CSRF protection. | ||||
| CVE-2019-12934 | 1 Wp-code-highlightjs Project | 1 Wp-code-highlightjs | 2024-11-21 | N/A |
| An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter. | ||||
| CVE-2019-12923 | 1 Mailenable | 1 Mailenable | 2024-11-21 | N/A |
| In MailEnable Enterprise Premium 10.23, the potential cross-site request forgery (CSRF) protection mechanism was not implemented correctly and it was possible to bypass it by removing the anti-CSRF token parameter from the request. This could allow an attacker to manipulate a user into unwittingly performing actions within the application (such as sending email, adding contacts, or changing settings) on behalf of the attacker. | ||||
| CVE-2019-12922 | 2 Fedoraproject, Phpmyadmin | 2 Fedora, Phpmyadmin | 2024-11-21 | 6.5 Medium |
| A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server in the Setup page. | ||||
| CVE-2019-12851 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | N/A |
| A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49852. | ||||