Total
7480 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-5473 | 1 Ntop | 1 Ntopng | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in ntopng through 2.4 allows remote attackers to hijack the authentication of arbitrary users, as demonstrated by admin/add_user.lua, admin/change_user_prefs.lua, admin/delete_user.lua, and admin/password_reset.lua. | |||||
| CVE-2017-5145 | 1 Carlosgavazzi | 4 Vmu-c Em, Vmu-c Em Firmware, Vmu-c Pv and 1 more | 2025-04-20 | 7.5 HIGH | 10.0 CRITICAL |
| An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. Successful exploitation of this CROSS-SITE REQUEST FORGERY (CSRF) vulnerability can allow execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration. | |||||
| CVE-2017-16563 | 1 Grandstream | 2 Ht802, Ht802 Firmware | 2025-04-20 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-Site Request Forgery (CSRF) in the Basic Settings screen on Vonage (Grandstream) HT802 devices allows attackers to modify settings, related to cgi-bin/update. | |||||
| CVE-2015-8255 | 1 Axis | 1 Axis Communications Firmware | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| AXIS Communications products allow CSRF, as demonstrated by admin/pwdgrp.cgi, vaconfig.cgi, and admin/local_del.cgi. | |||||
| CVE-2017-9444 | 1 Bigtreecms | 1 Bigtree Cms | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages), the index.php/admin/developer/upgrade/ignore/?versions= URI, and the index.php/admin/developer/upgrade/set-ftp-directory/ URI. | |||||
| CVE-2014-0120 | 2 Hawt, Redhat | 2 Hawtio, Jboss Fuse | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f." | |||||
| CVE-2017-12584 | 1 Slims | 1 Senayan Library Management System | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| There is no CSRF mitigation in SLiMS 8 Akasia through 8.3.1. Also, an entire user profile (including the password) can be updated without sending the current password. This allows remote attackers to trick a user into changing to an attacker-controlled password, a complete account takeover, via the passwd1 and passwd2 fields in an admin/modules/system/app_user.php changecurrent=true operation. | |||||
| CVE-2017-11648 | 1 Techroutes | 2 Tr 1803-3g, Tr 1803-3g Firmware | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Techroutes TR 1803-3G Wireless Cellular Router/Modem 2.4.25 devices do not possess any protection against a CSRF vulnerability, as demonstrated by a goform/BasicSettings request to disable port filtering. | |||||
| CVE-2016-5809 | 1 Schneider-electric | 6 Ion5000, Ion7300, Ion7500 and 3 more | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. There is no CSRF Token generated to authenticate the user during a session. Successful exploitation of this vulnerability can allow unauthorized configuration changes to be made and saved. | |||||
| CVE-2015-5081 | 1 Django-cms | 1 Django Cms | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in django CMS before 3.0.14, 3.1.x before 3.1.1 allows remote attackers to manipulate privileged users into performing unknown actions via unspecified vectors. | |||||
| CVE-2017-7877 | 1 Flatcore | 1 Flatcore-cms | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF vulnerability in flatCore version 1.4.6 allows remote attackers to modify CMS configurations. | |||||
| CVE-2016-3691 | 1 Kallithea-scm | 1 Kallithea | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Routes in Kallithea before 0.3.2 allows remote attackers to bypass the CSRF protection by using the GET HTTP request method. | |||||
| CVE-2017-11567 | 1 Cesanta | 1 Mongoose Embedded Web Server Library | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Mongoose Web Server before 6.9 allows remote attackers to hijack the authentication of users for requests that modify Mongoose.conf via a request to __mg_admin?save. NOTE: this issue can be leveraged to execute arbitrary code remotely. | |||||
| CVE-2017-17827 | 1 Piwigo | 1 Piwigo | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration§ion=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions. | |||||
| CVE-2017-14925 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2025-04-20 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to edit global permissions if an administrator opens a wiki page with an IMG element, related to tiki-objectpermissions.php. For example, an attacker could assign administrator privileges to every unauthenticated user of the site. | |||||
| CVE-2017-8848 | 1 Allen Disk Project | 1 Allen Disk | 2025-04-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| Allen Disk 1.6 has CSRF in setpass.php with an impact of changing a password. | |||||
| CVE-2017-11876 | 1 Microsoft | 2 Project Server, Sharepoint Enterprise Server | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Microsoft Project Server and Microsoft SharePoint Enterprise Server 2016 allow an attacker to use cross-site forgery to read content that they are not authorized to read, use the victim's identity to take actions on the web application on behalf of the victim, such as change permissions and delete content, and inject malicious content in the browser of the victim, aka "Microsoft Project Server Elevation of Privilege Vulnerability". | |||||
| CVE-2017-17894 | 1 Basic Job Site Script Project | 1 Basic Job Site Script | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Readymade Job Site Script has CSRF via the /job URI. | |||||
| CVE-2017-1000091 | 1 Jenkins | 1 Github Branch Source | 2025-04-20 | 6.8 MEDIUM | 6.3 MEDIUM |
| GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. GitHub Enterprise) as part of form validation and completion (e.g. to verify Scan Credentials are correct). This functionality improperly checked permissions, allowing any user with Overall/Read access to Jenkins to connect to any web server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery. | |||||
| CVE-2017-12703 | 1 Westermo | 8 Mrd-305-din, Mrd-305-din Firmware, Mrd-315-din and 5 more | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server. | |||||