Total
5731 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-19915 | 1 Webfactoryltd | 1 301 Redirects | 2020-08-24 | 6.0 MEDIUM | 9.0 CRITICAL |
| The "301 Redirects - Easy Redirect Manager" plugin before 2.45 for WordPress allows users (with subscriber or greater access) to modify, delete, or inject redirect rules, and exploit XSS, with the /admin-ajax.php?action=eps_redirect_save and /admin-ajax.php?action=eps_redirect_delete actions. This could result in a loss of site availability, malicious redirects, and user infections. This could also be exploited via CSRF. | |||||
| CVE-2019-16068 | 1 Netsas | 1 Enigma Network Management Solution | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF vulnerability exists in NETSAS ENIGMA NMS version 65.0.0 and prior that could allow an attacker to be able to trick a victim into submitting a malicious manage_files.cgi request. This can be triggered via XSS or an IFRAME tag included within the site. | |||||
| CVE-2019-19469 | 1 Zmanda | 1 Amanda | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| In Zmanda Management Console 3.3.9, ZMC_Admin_Advanced?form=adminTasks&action=Apply&command= allows CSRF, as demonstrated by command injection with shell metacharacters. This may depend on weak default credentials. | |||||
| CVE-2018-6357 | 1 Acurax | 1 Social Media Widget | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| The acx_asmw_saveorder_callback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant social_widget_icon_array_order XSS. | |||||
| CVE-2018-19525 | 1 Systrome | 6 Cumilon Isg-600c, Cumilon Isg-600c Firmware, Cumilon Isg-600h and 3 more | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on Systrome ISG-600C, ISG-600H, and ISG-800W 1.1-R2.1_TRUNK-20180914.bin devices. There is CSRF via /ui/?g=obj_keywords_add and /ui/?g=obj_keywords_addsave with resultant XSS because of a lack of csrf token validation. | |||||
| CVE-2019-17432 | 1 Fastadmin | 1 Fastadmin | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in fastadmin 1.0.0.20190705_beta. There is a public/admin/general.config/edit CSRF vulnerability, as demonstrated by resultant XSS via the row[name] parameter. | |||||
| CVE-2019-8155 | 1 Magento | 1 Magento | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Magento prior to 1.9.4.3 and prior to 1.14.4.3 included a user's CSRF token in the URL of a GET request. This could be exploited by an attacker with access to network traffic to perform unauthorized actions. | |||||
| CVE-2019-19375 | 1 Octopus | 1 Octopus Deploy | 2020-08-24 | 4.3 MEDIUM | 5.3 MEDIUM |
| In Octopus Deploy before 2019.10.7, in a configuration where SSL offloading is enabled, the CSRF cookie was sometimes sent without the secure attribute. (The fix for this was backported to LTS versions 2019.6.14 and 2019.9.8.) | |||||
| CVE-2018-15884 | 1 Ricoh | 2 Mp C4504ex, Mp C4504ex Firmware | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| RICOH MP C4504ex devices allow HTML Injection via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter. | |||||
| CVE-2019-17642 | 1 Centreon | 1 Centreon | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Centreon before 18.10.8, 19.10.1, and 19.04.2. It allows CSRF with resultant remote command execution via shell metacharacters in a POST to centreon-autodiscovery-server/views/scan/ajax/call.php in the Autodiscovery plugin. | |||||
| CVE-2019-11193 | 1 Infinitumit | 1 Directadmin | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| The FileManager in InfinitumIT DirectAdmin through v1.561 has XSS via CMD_FILE_MANAGER, CMD_SHOW_USER, and CMD_SHOW_RESELLER; an attacker can bypass the CSRF protection with this, and take over the administration panel. | |||||
| CVE-2019-12361 | 1 Phome | 1 Empirecms | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| EmpireCMS 7.5.0 has XSS via the from parameter to e/member/doaction.php, as demonstrated by a CSRF payload that changes the dynamic page template. The attacker can choose to resend the e/template/member/regsend.php registered activation mail page. | |||||
| CVE-2018-19511 | 1 Ens | 1 Webgalamb | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| wg7.php in Webgalamb 7.0 lacks security measures to prevent CSRF attacks, as demonstrated by wg7.php?options=1 to change the administrator password. | |||||
| CVE-2019-14551 | 1 Daskeyboard | 4 Das Keyboard 4q, Das Keyboard 5q, Das Keyboard X50q and 1 more | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Das Q before 2019-08-02 allows web sites to execute arbitrary code on client machines, as demonstrated by a cross-origin /install request with an attacker-controlled releaseUrl, which triggers download and execution of code within a ZIP archive. | |||||
| CVE-2018-8979 | 1 Open-audit | 1 Open-audit | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| Open-AudIT Professional 2.1 has CSRF, as demonstrated by modifying a user account or inserting XSS sequences via the credentials URI. | |||||
| CVE-2019-11590 | 1 10web | 1 Form Maker | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| The 10Web Form Maker plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized. | |||||
| CVE-2018-15677 | 1 Btiteam | 1 Xbtit | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The newsfeed (aka /index.php?page=viewnews) in BTITeam XBTIT 2.5.4 has stored XSS via the title of a news item. This is also exploitable via CSRF. | |||||
| CVE-2018-10806 | 1 Frogcms Project | 1 Frogcms | 2020-08-24 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Frog CMS 0.9.5. There is a reflected Cross Site Scripting Vulnerability via the file[current_name] parameter to the admin/?/plugin/file_manager/rename URI. This can be used in conjunction with CSRF. | |||||
| CVE-2018-10554 | 1 Nagios | 1 Nagios Xi | 2020-08-24 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages function; (3) the ajaxhelper.php opts or background parameter; (4) the i[] array parameter to ajax_handler.php; or (5) the deploynotification.php title parameter. | |||||
| CVE-2019-14240 | 1 Wcms | 1 Wcms | 2020-08-24 | 5.8 MEDIUM | 8.1 HIGH |
| WCMS v0.3.2 has a CSRF vulnerability, with resultant directory traversal, to modify index.html via the /wex/html.php?finish=../index.html URI. | |||||