Total
6084 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-14216 | 1 Wp Svg Icons Project | 1 Wp Svg Icons | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in the svg-vector-icon-plugin (aka WP SVG Icons) plugin through 3.2.1 for WordPress. wp-admin/admin.php?page=wp-svg-icons-custom-set mishandles Custom Icon uploads. CSRF leads to upload of a ZIP archive containing a .php file. | |||||
| CVE-2019-13974 | 1 Layerbb | 1 Layerbb | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| LayerBB 1.1.3 allows conversations.php/cmd/new CSRF. | |||||
| CVE-2019-13961 | 1 Flatcore | 1 Flatcore | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF vulnerability was found in flatCore before 1.5, leading to the upload of arbitrary .php files via acp/core/files.upload-script.php. | |||||
| CVE-2019-13949 | 1 Syguestbook A5 Project | 1 Syguestbook A5 | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| SyGuestBook A5 Version 1.2 has no CSRF protection mechanism, as demonstrated by CSRF for an index.php?c=Administrator&a=update admin password change. | |||||
| CVE-2019-13930 | 1 Siemens | 1 Xhq | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
| A vulnerability has been identified in XHQ (All versions < V6.0.0.2). The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires user interaction by a legitimate user, who must be authenticated to the web interface. A successful attack could allow an attacker to trigger actions via the web interface that the legitimate user is allowed to perform. This could allow the attacker to read or modify contents of the web application. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2019-13920 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). Some parts of the web application are not protected against Cross Site Request Forgery (CSRF) attacks. The security vulnerability could be exploited by an attacker that is able to trigger requests of a logged-in user to the application. The vulnerability could allow switching the connectivity state of a user or a device. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2019-13611 | 1 Python-engineio Project | 1 Python-engineio | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted. | |||||
| CVE-2019-13594 | 1 Mirumee | 1 Saleor | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server. | |||||
| CVE-2019-13563 | 1 Dlink | 2 Dir-655, Dir-655 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| D-Link DIR-655 C devices before 3.02B05 BETA03 allow CSRF for the entire management console. | |||||
| CVE-2019-13529 | 1 Sma | 2 Sunny Webbox, Sunny Webbox Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An attacker could send a malicious link to an authenticated operator, which may allow remote attackers to perform actions with the permissions of the user on the Sunny WebBox Firmware Version 1.6 and prior. This device uses IP addresses to maintain communication after a successful login, which would increase the ease of exploitation. | |||||
| CVE-2019-13516 | 1 Osisoft | 1 Pi Web Api | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| In OSIsoft PI Web API and prior, the affected product is vulnerable to a direct attack due to a cross-site request forgery protection setting that has not taken effect. | |||||
| CVE-2019-13497 | 1 Oneidentity | 1 Cloud Access Manager | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows CSRF for logout requests. | |||||
| CVE-2019-13477 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH |
| In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account. | |||||
| CVE-2019-13401 | 1 Fortinet | 2 Fcm-mb40, Fcm-mb40 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Dynacolor FCM-MB40 v1.2.0.0 devices have CSRF in all scripts under cgi-bin/. | |||||
| CVE-2019-13395 | 1 Netgear | 2 Cg3700b, Cg3700b Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The Voo branded NETGEAR CG3700b custom firmware V2.02.03 allows CSRF against all /goform/ URIs. An attacker can modify all settings including WEP/WPA/WPA2 keys, restore the router to factory settings, or even upload an entire malicious configuration file. | |||||
| CVE-2019-13376 | 1 Phpbb | 1 Phpbb | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS | |||||
| CVE-2019-13370 | 1 Ignitedcms | 1 Ignitedcms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| index.php/admin/permissions in Ignited CMS through 2017-02-19 allows CSRF to add an administrator. | |||||
| CVE-2019-13364 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL |
| admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF. | |||||
| CVE-2019-13363 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL |
| admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit parameter. This is exploitable via CSRF. | |||||
| CVE-2019-13199 | 1 Kyocera | 2 Ecosys M5526cdw, Ecosys M5526cdw Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) did not implement any mechanism to avoid CSRF. Successful exploitation of this vulnerability can lead to the takeover of a local account on the device. | |||||