Total
5731 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-12114 | 1 Maccms | 1 Maccms | 2018-08-03 | 6.8 MEDIUM | 8.8 HIGH |
| Maccms 10 allows CSRF via admin.php/admin/admin/info.html to add user accounts. | |||||
| CVE-2015-5996 | 1 Mediabridge | 2 Medialink Mwn-wapr300n, Medialink Mwn-wapr300n Firmware | 2018-07-28 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability on Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 allows remote attackers to hijack the authentication of arbitrary users. | |||||
| CVE-2018-12354 | 1 Knowage-suite | 1 Knowage | 2018-07-27 | 6.8 MEDIUM | 8.8 HIGH |
| Knowage (formerly SpagoBI) 6.1.1 allows CSRF via every form, as demonstrated by a /knowage/restful-services/2.0/analyticalDrivers/ POST request. | |||||
| CVE-2017-7635 | 1 Qnap | 1 Nas Proxy Server | 2018-07-12 | 6.8 MEDIUM | 8.8 HIGH |
| QNAP NAS application Proxy Server through version 1.2.0 does not utilize CSRF protections. | |||||
| CVE-2018-11679 | 1 Cmseasy | 1 Cmseasy | 2018-07-09 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in CmsEasy 6.1_20180508. There is a CSRF vulnerability that can add an article via /index.php?case=table&act=add&table=archive&admin_dir=admin. | |||||
| CVE-2018-11680 | 1 Cmseasy | 1 Cmseasy | 2018-07-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in CmsEasy 6.1_20180508. There is a CSRF vulnerability in the rich text editor that can add an IFRAME element. This might be used in a DoS attack if a referenced remote URL is refreshed at a rapid rate. | |||||
| CVE-2018-11538 | 1 Searchblox | 1 Searchblox | 2018-07-03 | 6.8 MEDIUM | 8.8 HIGH |
| servlet/UserServlet in SearchBlox 8.6.6 has CSRF via the u_name, u_passwd1, u_passwd2, role, and X-XSRF-TOKEN POST parameters because of CSRF Token Bypass. | |||||
| CVE-2018-11632 | 1 Multidots | 1 Add Social Share Messenger Buttons Whatsapp And Viber | 2018-07-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in the MULTIDOTS Add Social Share Messenger Buttons Whatsapp and Viber plugin 1.0.8 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings via wp-admin/admin-post.php CSRF. There's no nonce or capability check in the whatsapp_share_setting_add_update() function. | |||||
| CVE-2018-11445 | 1 Easyservice Billing Project | 1 Easyservice Billing | 2018-07-02 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF issue was discovered on the User Add/System Settings Page (system-settings-user-new2.php) in EasyService Billing 1.0. A User can be added with the Admin role. | |||||
| CVE-2018-11442 | 1 Easyservice Billing Project | 1 Easyservice Billing | 2018-07-02 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF issue was discovered in EasyService Billing 1.0, which was triggered via a quotation-new3-new2.php?add=true&id= URI, as demonstrated by adding a new quotation. | |||||
| CVE-2018-11405 | 1 Kliqqi | 1 Kliqqi Cms | 2018-07-02 | 6.8 MEDIUM | 8.8 HIGH |
| Kliqqi 2.0.2 has CSRF in admin/admin_users.php. | |||||
| CVE-2018-11371 | 1 Skycaiji | 1 Skycaiji | 2018-07-02 | 6.8 MEDIUM | 8.8 HIGH |
| SkyCaiji 1.2 allows CSRF to add an Administrator user. | |||||
| CVE-2018-11633 | 1 Multidots | 1 Woo Checkout For Digital Goods | 2018-06-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings. The function woo_checkout_settings_page in the file class-woo-checkout-for-digital-goods-admin.php doesn't do any check against wp-admin/admin-post.php Cross-site request forgery (CSRF) and user capabilities. | |||||
| CVE-2018-11500 | 1 Publiccms | 1 Publiccms | 2018-06-29 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in PublicCMS V4.0.20180210. There is a CSRF vulnerability in "admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list" that can add an admin account. | |||||
| CVE-2018-11493 | 1 Wuzhicms | 1 Wuzhi Cms | 2018-06-29 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a friendship link via index.php?m=link&f=index&v=add. | |||||
| CVE-2018-11527 | 1 Cscms Project | 1 Cscms | 2018-06-29 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in CScms v4.1. A Cross-site request forgery (CSRF) vulnerability in plugins/sys/admin/Sys.php allows remote attackers to change the administrator's username and password via /admin.php/sys/editpass_save. | |||||
| CVE-2018-11670 | 1 Njtech | 1 Greencms | 2018-06-29 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that allows attackers to execute arbitrary PHP code via the content parameter to index.php?m=admin&c=media&a=fileconnect. | |||||
| CVE-2018-11671 | 1 Njtech | 1 Greencms | 2018-06-29 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that can add an admin account via index.php?m=admin&c=access&a=adduserhandle. | |||||
| CVE-2015-4364 | 1 Campaign Monitor Project | 1 Campaign Monitor | 2018-06-27 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in includes/campaignmonitor_lists.admin.inc in the Campaign Monitor module 7.x-1.0 for Drupal allow remote attackers to hijack the authentication of users for requests that (1) enable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/enable or (2) disable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/disable. NOTE: this refers to an issue in an independently developed Drupal module, and NOT an issue in the Campaign Monitor software itself (described on the campaignmonitor.com web site). | |||||
| CVE-2018-11092 | 1 Admin Notes Project | 1 Admin Notes | 2018-06-25 | 5.8 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in the Admin Notes plugin 1.1 for MyBB. CSRF allows an attacker to remotely delete all admin notes via an admin/index.php?empty=table (aka Clear Table) action. | |||||