Vulnerabilities (CVE)

Filtered by CWE-352
Total 6081 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-9517 1 Atmail 1 Atmail 2024-11-21 6.8 MEDIUM 8.8 HIGH
atmail before 7.8.0.2 has CSRF, allowing an attacker to upload and import users via CSV.
CVE-2017-9490 3 Arris, Cisco, Commscope 4 Tg1682g Firmware, Dpc3939b, Dpc3939b Firmware and 1 more 2024-11-21 6.8 MEDIUM 8.8 HIGH
The Comcast firmware on Arris TG1682G (eMTA&DOCSIS version 10.0.132.SIP.PC20.CT, software version TG1682_2.2p7s2_PROD_sey) devices allows configuration changes via CSRF.
CVE-2017-9489 2 Cisco, Commscope 4 Dpc3939b, Dpc3939b Firmware, Arris Tg1682g and 1 more 2024-11-21 6.8 MEDIUM 8.8 HIGH
The Comcast firmware on Cisco DPC3939B (firmware version dpc3939b-v303r204217-150321a-CMCST) devices allows configuration changes via CSRF.
CVE-2017-9444 1 Bigtreecms 1 Bigtree Cms 2024-11-21 6.8 MEDIUM 8.8 HIGH
BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages), the index.php/admin/developer/upgrade/ignore/?versions= URI, and the index.php/admin/developer/upgrade/set-ftp-directory/ URI.
CVE-2017-9415 1 Subsonic 1 Subsonic 2024-11-21 5.1 MEDIUM 7.5 HIGH
Cross-site request forgery (CSRF) vulnerability in subsonic 6.1.1 allows remote attackers with knowledge of the target username to hijack the authentication of users for requests that change passwords via a crafted request to userSettings.view.
CVE-2017-9414 1 Subsonic 1 Subsonic 2024-11-21 6.8 MEDIUM 8.8 HIGH
Cross-site request forgery (CSRF) vulnerability in the Subscribe to Podcast feature in Subsonic 6.1.1 allows remote attackers to hijack the authentication of unspecified victims for requests that conduct cross-site scripting (XSS) attacks or possibly have unspecified other impact via the name parameter to playerSettings.view.
CVE-2017-9413 1 Subsonic 1 Subsonic 2024-11-21 6.8 MEDIUM 8.8 HIGH
Multiple cross-site request forgery (CSRF) vulnerabilities in the Podcast feature in Subsonic 6.1.1 allow remote attackers to hijack the authentication of users for requests that (1) subscribe to a podcast via the add parameter to podcastReceiverAdmin.view or (2) update Internet Radio Settings via the urlRedirectCustomUrl parameter to networkSettings.view. NOTE: These vulnerabilities can be exploited to conduct server-side request forgery (SSRF) attacks.
CVE-2017-9381 1 Getvera 4 Veraedge, Veraedge Firmware, Veralite and 1 more 2024-11-21 6.8 MEDIUM 8.8 HIGH
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a user with the capability of installing or deleting apps on the device using the web management interface. It seems that the device does not implement any cross-site request forgery protection mechanism which allows an attacker to trick a user who navigates to an attacker controlled page to install or delete an application on the device. Note: The cross-site request forgery is a systemic issue across all other functionalities of the device.
CVE-2017-9379 1 Bigtreecms 1 Bigtree Cms 2024-11-21 6.8 MEDIUM 8.8 HIGH
Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-statistics\404\clear.php and the from or to parameter to core\admin\modules\dashboard\vitals-statistics\404\create-301.php.
CVE-2017-9365 1 Bigtreecms 1 Bigtree Cms 2024-11-21 6.8 MEDIUM 8.8 HIGH
CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/pages/revisions/1/?force=false. A page with id=1 can be unlocked.
CVE-2017-9064 2 Debian, Wordpress 2 Debian Linux, Wordpress 2024-11-21 6.8 MEDIUM 8.8 HIGH
In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials.
CVE-2017-9062 2 Debian, Wordpress 2 Debian Linux, Wordpress 2024-11-21 5.0 MEDIUM 8.6 HIGH
In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API.
CVE-2017-9033 1 Trendmicro 1 Serverprotect 2024-11-21 6.8 MEDIUM 8.8 HIGH
Cross-site request forgery (CSRF) vulnerability in Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows remote attackers to hijack the authentication of users for requests to start an update from an arbitrary source via a crafted request to SProtectLinux/scanoption_set.cgi, related to the lack of anti-CSRF tokens.
CVE-2017-8930 1 Simpleinvoices 1 Simple Invoices 2024-11-21 6.8 MEDIUM 8.8 HIGH
Multiple cross-site request forgery (CSRF) vulnerabilities in Simple Invoices 2013.1.beta.8 allow remote attackers to hijack the authentication of admins for requests that can (1) create new administrator user accounts and take over the entire application, (2) create regular user accounts, or (3) change configuration parameters such as tax rates and the enable/disable status of PayPal payment modules.
CVE-2017-8928 1 Mailcow 1 Mailcow\ 2024-11-21 6.8 MEDIUM 8.8 HIGH
mailcow 0.14, as used in "mailcow: dockerized" and other products, has CSRF.
CVE-2017-8875 1 Codection 1 Clean Login 2024-11-21 4.3 MEDIUM 6.5 MEDIUM
CSRF in the Clean Login plugin before 1.8 for WordPress allows remote attackers to change the login redirect URL or logout redirect URL.
CVE-2017-8874 1 Acquia 1 Mautic 2024-11-21 6.8 MEDIUM 8.8 HIGH
Multiple cross-site request forgery (CSRF) vulnerabilities in Mautic 1.4.1 allow remote attackers to hijack the authentication of users for requests that (1) delete email campaigns or (2) delete contacts.
CVE-2017-8848 1 Allen Disk Project 1 Allen Disk 2024-11-21 4.3 MEDIUM 6.5 MEDIUM
Allen Disk 1.6 has CSRF in setpass.php with an impact of changing a password.
CVE-2017-8836 1 Peplink 12 1350hw2 Firmware, 2500 Firmware, 380hw6 Firmware and 9 more 2024-11-21 6.8 MEDIUM 8.8 HIGH
CSRF exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The CGI scripts in the administrative interface are affected. This allows an attacker to execute commands, if a logged in user visits a malicious website. This can for example be used to change the credentials of the administrative webinterface.
CVE-2017-8407 1 Dlink 2 Dcs-1130, Dcs-1130 Firmware 2024-11-21 6.8 MEDIUM 8.8 HIGH
An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does not implement any cross-site request forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface to change the user's password.