Total
7842 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-11680 | 1 Cmseasy | 1 Cmseasy | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in CmsEasy 6.1_20180508. There is a CSRF vulnerability in the rich text editor that can add an IFRAME element. This might be used in a DoS attack if a referenced remote URL is refreshed at a rapid rate. | |||||
| CVE-2018-11679 | 1 Cmseasy | 1 Cmseasy | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in CmsEasy 6.1_20180508. There is a CSRF vulnerability that can add an article via /index.php?case=table&act=add&table=archive&admin_dir=admin. | |||||
| CVE-2018-11671 | 1 Njtech | 1 Greencms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that can add an admin account via index.php?m=admin&c=access&a=adduserhandle. | |||||
| CVE-2018-11670 | 1 Njtech | 1 Greencms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that allows attackers to execute arbitrary PHP code via the content parameter to index.php?m=admin&c=media&a=fileconnect. | |||||
| CVE-2018-11636 | 1 Dialogic | 1 Powermedia Xms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to execute malicious and unauthorized actions. | |||||
| CVE-2018-11633 | 1 Multidots | 1 Woo Checkout For Digital Goods | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings. The function woo_checkout_settings_page in the file class-woo-checkout-for-digital-goods-admin.php doesn't do any check against wp-admin/admin-post.php Cross-site request forgery (CSRF) and user capabilities. | |||||
| CVE-2018-11632 | 1 Multidots | 1 Add Social Share Messenger Buttons Whatsapp And Viber | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in the MULTIDOTS Add Social Share Messenger Buttons Whatsapp and Viber plugin 1.0.8 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings via wp-admin/admin-post.php CSRF. There's no nonce or capability check in the whatsapp_share_setting_add_update() function. | |||||
| CVE-2018-11538 | 1 Searchblox | 1 Searchblox | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| servlet/UserServlet in SearchBlox 8.6.6 has CSRF via the u_name, u_passwd1, u_passwd2, role, and X-XSRF-TOKEN POST parameters because of CSRF Token Bypass. | |||||
| CVE-2018-11527 | 1 Cscms Project | 1 Cscms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in CScms v4.1. A Cross-site request forgery (CSRF) vulnerability in plugins/sys/admin/Sys.php allows remote attackers to change the administrator's username and password via /admin.php/sys/editpass_save. | |||||
| CVE-2018-11502 | 1 Moderator Log Notes Project | 1 Moderator Log Notes | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB. It allows moderators to save notes and display them in a list in the modCP. An attacker can remotely delete all mod notes and mod note logs in the modCP and ACP via CSRF. | |||||
| CVE-2018-11501 | 1 Website Seller Script Project | 1 Website Seller Script | 2024-11-21 | 6.0 MEDIUM | 8.8 HIGH |
| PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via user_submit.php?upd=2, with resultant XSS. | |||||
| CVE-2018-11500 | 1 Publiccms | 1 Publiccms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in PublicCMS V4.0.20180210. There is a CSRF vulnerability in "admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list" that can add an admin account. | |||||
| CVE-2018-11447 | 1 Siemens | 2 Scalance M875, Scalance M875 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in SCALANCE M875 (All versions). The web interface on port 443/tcp could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires user interaction by an legitimate user, who must be authenticated to the web interface as administrative user. A successful attack could allow an attacker to interact with the web interface as an administrative user. This could allow the attacker to read or modify the device configuration, or to exploit other vulnerabilities that require authentication as administrative user. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2018-11445 | 1 Easyservice Billing Project | 1 Easyservice Billing | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF issue was discovered on the User Add/System Settings Page (system-settings-user-new2.php) in EasyService Billing 1.0. A User can be added with the Admin role. | |||||
| CVE-2018-11442 | 1 Easyservice Billing Project | 1 Easyservice Billing | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF issue was discovered in EasyService Billing 1.0, which was triggered via a quotation-new3-new2.php?add=true&id= URI, as demonstrated by adding a new quotation. | |||||
| CVE-2018-11427 | 1 Moxa | 4 Oncell G3150-hspa, Oncell G3150-hspa-t, Oncell G3150-hspa-t Firmware and 1 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF tokens are not used in the web application of Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior, which makes it possible to perform CSRF attacks on the device administrator. | |||||
| CVE-2018-11406 | 2 Debian, Sensiolabs | 2 Debian Linux, Symfony | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation. | |||||
| CVE-2018-11405 | 1 Kliqqi | 1 Kliqqi Cms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Kliqqi 2.0.2 has CSRF in admin/admin_users.php. | |||||
| CVE-2018-11371 | 1 Skycaiji | 1 Skycaiji | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| SkyCaiji 1.2 allows CSRF to add an Administrator user. | |||||
| CVE-2018-11349 | 1 Jirafeau | 1 Jirafeau | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The administration panel of Jirafeau before 3.4.1 is vulnerable to three CSRF attacks on search functionalities: search_by_name, search_by_hash, and search_link. | |||||