Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,314)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-20576 1Orange 1Arv7519rw22 Livebox 2.1 Firmware Nov 21, 2024 Dec 28, 2018 N/A· v4 5.4 MEDIUM· v3 5.8 MEDIUM· v2 Orange Livebox 00.96.320S devices allow cgi-bin/autodialing.exe and cgi-bin/phone_test.exe CSRF, leading to arbitrary outbound telephone calls to an attacker-specified telephone number. This is related to Firmware 01.11....Show more Orange Livebox 00.96.320S devices allow cgi-bin/autodialing.exe and cgi-bin/phone_test.exe CSRF, leading to arbitrary outbound telephone calls to an attacker-specified telephone number. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2.Show less
CVE-2018-18696 1Microstrategy 1Microstrategy Nov 21, 2024 Dec 28, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 main.aspx in Microstrategy Analytics 10.4.0026.0049 and earlier has CSRF. NOTE: The vendor claims that documentation for preventing a CSRF attack has been provided (https://community.microstrategy.com/s/article/KB37643-N...Show more main.aspx in Microstrategy Analytics 10.4.0026.0049 and earlier has CSRF. NOTE: The vendor claims that documentation for preventing a CSRF attack has been provided (https://community.microstrategy.com/s/article/KB37643-New-security-feature-introduced-in-MicroStrategy-Web-9-0?language=en_US) and disagrees that this issue is a vulnerability. They also claim that MicroStrategy was never properly informed of this issue via normal support channels or their vulnerability reporting page on their website, so they were unable to evaluate the report or explain how this is something their customers view as a feature and not a security vulnerabilityShow less
CVE-2018-15334 1F5 1Big Ip Access Policy Manager Nov 21, 2024 Dec 28, 2018 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site request forgery (CSRF) vulnerability in the APM webtop 11.2.1 or greater may allow attacker to force an APM webtop session to log out and require re-authentication.
CVE-2018-19182 1Engelsystem 1Engelsystem Nov 21, 2024 Dec 26, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Engelsystem before commit hash 2e28336 allows CSRF.
CVE-2018-20419 1Douco 1Douphp Nov 21, 2024 Dec 24, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 DouCo DouPHP 1.5 has upload/admin/manager.php?rec=insert CSRF to add an administrator account.
CVE-2018-8892 1Blackberry 1Unified Endpoint Manager Jun 17, 2026 Dec 20, 2018 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site request forgery (CSRF) vulnerability in the Management Console of BlackBerry UEM versions earlier than 12.9.1 could allow an attacker to make modifications to the UEM settings in the context of a Management...Show more A cross-site request forgery (CSRF) vulnerability in the Management Console of BlackBerry UEM versions earlier than 12.9.1 could allow an attacker to make modifications to the UEM settings in the context of a Management Console administrator.Show less
CVE-2018-1000858 2Canonical Gnupg 2Gnupg Ubuntu Linux Nov 21, 2024 Dec 20, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim...Show more GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060.Show less
CVE-2018-1000846 1Freshdns Project 1Freshdns Nov 21, 2024 Dec 20, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 FreshDNS version 1.0.3 and earlier contains a Cross ite Request Forgery (CSRF) vulnerability in All (authenticated) API calls in index.php / class.manager.php that can result in Editing domains and zones with victim's pr...Show more FreshDNS version 1.0.3 and earlier contains a Cross ite Request Forgery (CSRF) vulnerability in All (authenticated) API calls in index.php / class.manager.php that can result in Editing domains and zones with victim's privileges. This attack appear to be exploitable via Victim must open a website containing attacker's javascript. This vulnerability appears to have been fixed in 1.0.5 and later.Show less
CVE-2018-1000843 1Spotify 1Luigi Nov 21, 2024 Dec 20, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Luigi version prior to version 2.8.0; after commit 53b52e12745075a8acc016d33945d9d6a7a6aaeb; after GitHub PR spotify/luigi/pull/1870 contains a Cross ite Request Forgery (CSRF) vulnerability in API endpoint: /api/<method...Show more Luigi version prior to version 2.8.0; after commit 53b52e12745075a8acc016d33945d9d6a7a6aaeb; after GitHub PR spotify/luigi/pull/1870 contains a Cross ite Request Forgery (CSRF) vulnerability in API endpoint: /api/<method> that can result in Task metadata such as task name, id, parameter, etc. will be leaked to unauthorized users. This attack appear to be exploitable via The victim must visit a specially crafted webpage from the network where their Luigi server is accessible.. This vulnerability appears to have been fixed in 2.8.0 and later.Show less
CVE-2018-1661 1Ibm 1Datapower Gateway Nov 21, 2024 Dec 20, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 IBM DataPower Gateways 7.5, 7.5.1, 7.5.2, and 7.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. I...Show more IBM DataPower Gateways 7.5, 7.5.1, 7.5.2, and 7.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 144887.Show less
CVE-2018-20231 1Simbahosting 1Two Factor Authentication Nov 21, 2024 Dec 19, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross Site Request Forgery (CSRF) in the two-factor-authentication plugin before 1.3.13 for WordPress allows remote attackers to disable 2FA via the tfa_enable_tfa parameter due to missing nonce validation.
CVE-2018-20228 1Subsonic 1Subsonic Nov 21, 2024 Dec 19, 2018 N/A· v4 8.0 HIGH· v3 6.0 MEDIUM· v2 Subsonic V6.1.5 allows internetRadioSettings.view streamUrl CSRF, with resultant SSRF.
CVE-2018-19829 1Artica 1Integria Ims Nov 21, 2024 Dec 18, 2018 N/A· v4 6.5 MEDIUM· v3 5.8 MEDIUM· v2 Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known.
CVE-2018-18921 1Phpservermonitor 1Php Server Monitor Nov 21, 2024 Dec 18, 2018 N/A· v4 6.5 MEDIUM· v3 5.8 MEDIUM· v2 PHP Server Monitor before 3.3.2 has CSRF, as demonstrated by a Delete action.
CVE-2018-20188 1Thedaylightstudio 1Fuel Cms Nov 21, 2024 Dec 17, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 FUEL CMS 1.4.3 has CSRF via users/create/ to add an administrator account.
CVE-2018-18246 1Icinga 1Icinga Web 2 Nov 21, 2024 Dec 17, 2018 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module, or via /icingaweb2/config/moduleenable?name=setup to enable the setup module.
CVE-2018-1926 1Ibm 1Websphere Application Server Nov 21, 2024 Dec 12, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading a user to visit a malicious URL, a re...Show more IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading a user to visit a malicious URL, a remote attacker could send a specially-crafted request. An attacker could exploit this vulnerability to perform CSRF attack and update available applications. IBM X-Force ID: 152992.Show less
CVE-2018-19969 1Phpmyadmin 1Phpmyadmin Nov 21, 2024 Dec 11, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases,...Show more phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc.Show less
CVE-2018-20015 1Yzmcms 1Yzmcms Nov 21, 2024 Dec 10, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 YzmCMS v5.2 has admin/role/add.html CSRF.
CVE-2018-19923 1Sales & Company Management System Project 1Sales & Company Management System Nov 21, 2024 Dec 6, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in Sales & Company Management System (SCMS) through 2018-06-06. There is member/member_email.php?action=edit CSRF.

Previous 1...367368369...466 Next