Total
5841 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-5571 | 5 Adobe, Apple, Google and 2 more | 8 Air, Air Sdk, Air Sdk \& Compiler and 5 more | 2017-02-17 | 4.3 MEDIUM | N/A |
| Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API. NOTE: this issue exists because of an incomplete fix for CVE-2014-4671 and CVE-2014-5333. | |||||
| CVE-2017-5165 | 1 Binom3 | 2 Universal Multifunctional Electric Power Quality Meter, Universal Multifunctional Electric Power Quality Meter Firmware | 2017-02-16 | 6.8 MEDIUM | 7.6 HIGH |
| An issue was discovered in BINOM3 Universal Multifunctional Electric Power Quality Meter. There is no CSRF Token generated per page and/or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration. | |||||
| CVE-2017-5368 | 1 Zoneminder | 1 Zoneminder | 2017-02-10 | 6.8 MEDIUM | 8.8 HIGH |
| ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others). | |||||
| CVE-2016-6045 | 1 Ibm | 1 Tivoli Storage Manager | 2017-02-09 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Tivoli Storage Manager Operations Center is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | |||||
| CVE-2016-5937 | 1 Ibm | 1 Kenexa Lcms Premier | 2017-02-08 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Kenexa LCMS Premier on Cloud is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | |||||
| CVE-2016-6103 | 1 Ibm | 1 Security Key Lifecycle Manager | 2017-02-07 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | |||||
| CVE-2016-9218 | 1 Cisco | 1 Hybrid Meeting Server | 2017-01-27 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in Cisco Hybrid Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against the user of the web interface. More Information: CSCvc28662. Known Affected Releases: 1.0. | |||||
| CVE-2016-7904 | 1 Cmsmadesimple | 1 Cms Made Simple | 2017-01-27 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-site request forgery (CSRF) vulnerability in CMS Made Simple before 2.1.6 allows remote attackers to hijack the authentication of administrators for requests that create accounts via an admin/adduser.php request. | |||||
| CVE-2016-6521 | 1 Gopivotal | 1 Grails | 2017-01-26 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Grails console (aka Grails Debug Console and Grails Web Console) 2.0.7, 1.5.10, and earlier allows remote attackers to hijack the authentication of users for requests that execute arbitrary Groovy code via unspecified vectors. | |||||
| CVE-2017-5475 | 1 S9y | 1 Serendipity | 2017-01-25 | 6.8 MEDIUM | 8.8 HIGH |
| comment.php in Serendipity through 2.0.5 allows CSRF in deleting any comments. | |||||
| CVE-2017-5476 | 1 S9y | 1 Serendipity | 2017-01-25 | 6.8 MEDIUM | 8.8 HIGH |
| Serendipity through 2.0.5 allows CSRF for the installation of an event plugin or a sidebar plugin. | |||||
| CVE-2016-4808 | 1 Web2py | 1 Web2py | 2017-01-19 | 6.8 MEDIUM | 8.8 HIGH |
| Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged in user to perform some unwanted actions i.e An attacker can trick an victim to disable the installed application just by sending a URL to victim. | |||||
| CVE-2014-5241 | 1 Mediawiki | 1 Mediawiki | 2017-01-07 | 6.8 MEDIUM | N/A |
| The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with a restricted character set. | |||||
| CVE-2014-1546 | 1 Mozilla | 1 Bugzilla | 2017-01-07 | 4.3 MEDIUM | N/A |
| The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before 4.2.10, 4.3.x and 4.4.x before 4.4.5, and 4.5.x before 4.5.5 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with the _bz_callback character set. | |||||
| CVE-2015-0736 | 1 Cisco | 1 Mediasense | 2017-01-06 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Cisco MediaSense 10.5(1) and earlier allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuu16728. | |||||
| CVE-2015-0740 | 1 Cisco | 1 Unified Intelligence Center | 2017-01-06 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Cisco Unified Intelligence Center 10.6(1) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCus28826. | |||||
| CVE-2015-0741 | 1 Cisco | 1 Hosted Collaboration Solution | 2017-01-06 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Prime Central for Hosted Collaboration Solution (PC4HCS) 10.6(1) and earlier allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCut04596. | |||||
| CVE-2015-0704 | 1 Cisco | 1 Unified Meetingplace | 2017-01-06 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in API features in Cisco Unified MeetingPlace 8.6(1.9) allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCus95884. | |||||
| CVE-2015-0700 | 1 Cisco | 1 Secure Access Control Server Solution Engine | 2017-01-06 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the Dashboard page in the monitoring-and-report section in Cisco Secure Access Control Server Solution Engine before 5.5(0.46.5) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuj62924. | |||||
| CVE-2015-0735 | 1 Cisco | 1 Unified Customer Voice Portal | 2017-01-06 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Cisco Unified Customer Voice Portal (CVP) 10.5(1) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCut93970. | |||||