Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,314)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-15702 1Tp Link 1Tl Wrn841n Firmware Nov 21, 2024 Oct 1, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is vulnerable to CSRF due to insufficient validation of the referer field.
CVE-2018-17826 1Hisiphp 1Hisiphp Nov 21, 2024 Oct 1, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 HisiPHP 1.0.8 allows CSRF via admin.php/admin/user/adduser.html to add an administrator account. The attacker can then use that account to execute arbitrary PHP code by leveraging app/common/model/AdminAnnex.php to add ....Show more HisiPHP 1.0.8 allows CSRF via admin.php/admin/user/adduser.html to add an administrator account. The attacker can then use that account to execute arbitrary PHP code by leveraging app/common/model/AdminAnnex.php to add .php to the default list of allowable file-upload types (.jpg, .png, .gif, .jpeg, and .ico).Show less
CVE-2018-17081 1E107 1E107 Nov 21, 2024 Sep 26, 2018 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 e107 2.1.9 allows CSRF via e107_admin/wmessage.php?mode=&action=inline&ajax_used=1&id= for changing the title of an arbitrary page.
CVE-2017-15608 1Inedo 1Proget Nov 21, 2024 Sep 26, 2018 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Inedo ProGet before 5.0 Beta5 has CSRF, allowing an attacker to change advanced settings.
CVE-2018-8844 1Philips 1E Alert Firmware Jun 17, 2026 Sep 26, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who...Show more Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Show less
CVE-2018-17366 2Mcms Project Mingsoft 2Mcms Mcms Feb 19, 2026 Sep 23, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in MCMS 4.6.5. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do.
CVE-2018-15612 1Avaya 1Orchestration Designer Nov 21, 2024 Sep 21, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer...Show more A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1.Show less
CVE-2018-6504 1Microfocus 1Arcsight Management Center Jun 17, 2026 Sep 20, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A potential Cross-Site Request Forgery (CSRF) vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be exploited to allow for Cross-Site Request F...Show more A potential Cross-Site Request Forgery (CSRF) vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be exploited to allow for Cross-Site Request Forgery (CSRF).Show less
CVE-2018-13398 1Atlassian 2Crucible Fisheye Nov 21, 2024 Sep 18, 2018 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery (CSRF) vulnerability.
CVE-2018-16952 1Oracle 1Webcenter Interaction Nov 21, 2024 Sep 18, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The Oracle WebCenter Interaction Portal 10.3.3 does not implement protection against Cross-site Request Forgery in its design. The impact is sensitive actions in the portal (such as changing a portal user's password). NO...Show more The Oracle WebCenter Interaction Portal 10.3.3 does not implement protection against Cross-site Request Forgery in its design. The impact is sensitive actions in the portal (such as changing a portal user's password). NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.Show less
CVE-2018-17104 1Microweber 1Microweber Nov 21, 2024 Sep 16, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in Microweber 1.0.7. There is a CSRF attack (against the admin user) that can add an administrative account via api/save_user.
CVE-2018-17103 1Get Simple 1Getsimple Cms Nov 21, 2024 Sep 16, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in GetSimple CMS v3.3.13. There is a CSRF vulnerability that can change the administrator's password via admin/settings.php. NOTE: The vendor reported that the PoC was sending a value for the nonc...Show more An issue was discovered in GetSimple CMS v3.3.13. There is a CSRF vulnerability that can change the administrator's password via admin/settings.php. NOTE: The vendor reported that the PoC was sending a value for the nonce parameterShow less
CVE-2018-17102 1Quickappscms 1Quickapps Cms Nov 21, 2024 Sep 16, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in QuickAppsCMS (aka QACMS) through 2.0.0-beta2. A CSRF vulnerability can change the administrator password via the user/me URI.
CVE-2018-17070 1Unlcms 1Unlcms Nov 21, 2024 Sep 15, 2018 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in UNL-CMS 7.59. A CSRF attack can update the website settings via ?q=admin%2Fconfig%2Fsystem%2Fsite-information&render=overlay&render=overlay.
CVE-2018-17069 1Unlcms 1Unlcms Nov 21, 2024 Sep 15, 2018 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in UNL-CMS 7.59. A CSRF attack can create new content via ?q=node%2Fadd%2Farticle&render=overlay&render=overlay.
CVE-2018-17045 1Cms Maelostore Project 1Cms Maelostore Nov 21, 2024 Sep 14, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in CMS MaeloStore V.1.5.0. There is a CSRF vulnerability that can change the administrator password via admin/modul/users/aksi_users.php?act=update.
CVE-2018-17023 1Asus 1Gt Ac5300 Firmware Nov 21, 2024 Sep 13, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability on ASUS GT-AC5300 routers with firmware through 3.0.0.4.384_32738 allows remote attackers to hijack the authentication of administrators for requests that change the admini...Show more Cross-site request forgery (CSRF) vulnerability on ASUS GT-AC5300 routers with firmware through 3.0.0.4.384_32738 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a request to start_apply.htm.Show less
CVE-2018-16951 1Xunfeng Project 1Xunfeng Nov 21, 2024 Sep 12, 2018 N/A· v4 8.0 HIGH· v3 6.0 MEDIUM· v2 xunfeng 0.2.0 allows command execution via CSRF because masscan.py mishandles backquote characters, a related issue to CVE-2018-16832.
CVE-2018-16832 1Xunfeng Project 1Xunfeng Nov 21, 2024 Sep 11, 2018 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 CSRF in the anti-csrf decorator in xunfeng 0.2.0 allows an attacker to modify the configuration via a Flash file because views/lib/AntiCSRF.py can overwrite the request.host value with the content of the X-Forwarded-Host...Show more CSRF in the anti-csrf decorator in xunfeng 0.2.0 allows an attacker to modify the configuration via a Flash file because views/lib/AntiCSRF.py can overwrite the request.host value with the content of the X-Forwarded-Host HTTP header.Show less
CVE-2016-7067 1Mmonit 1Monit Nov 21, 2024 Sep 10, 2018 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Monit before version 5.20.0 is vulnerable to a cross site request forgery attack. Successful exploitation will enable an attacker to disable/enable all monitoring for a particular host or disable/enable monitoring for a...Show more Monit before version 5.20.0 is vulnerable to a cross site request forgery attack. Successful exploitation will enable an attacker to disable/enable all monitoring for a particular host or disable/enable monitoring for a specific service.Show less

Previous 1...372373374...466 Next