Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2007-1520

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-20 Mar, 2007 | 20:00
Updated At-07 Aug, 2024 | 12:59
Rejected At-
Credits

The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 and earlier does not ensure the SERVER superglobal is an array before validating the HTTP_REFERER, which allows remote attackers to conduct CSRF attacks.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:20 Mar, 2007 | 20:00
Updated At:07 Aug, 2024 | 12:59
Rejected At:
â–¼CVE Numbering Authority (CNA)

The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 and earlier does not ensure the SERVER superglobal is an array before validating the HTTP_REFERER, which allows remote attackers to conduct CSRF attacks.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
http://osvdb.org/34501
vdb-entry
x_refsource_OSVDB
http://phpfi.com/214668
x_refsource_MISC
http://www.wisec.it/ush/phpnukexss.html
x_refsource_MISC
http://www.securityfocus.com/archive/1/462727/100/0/threaded
mailing-list
x_refsource_BUGTRAQ
http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/
x_refsource_MISC
http://secunia.com/advisories/24629
third-party-advisory
x_refsource_SECUNIA
http://www.securityfocus.com/archive/1/462308/100/100/threaded
mailing-list
x_refsource_BUGTRAQ
http://www.securityfocus.com/archive/1/462575/100/0/threaded
mailing-list
x_refsource_BUGTRAQ
Hyperlink: http://osvdb.org/34501
Resource:
vdb-entry
x_refsource_OSVDB
Hyperlink: http://phpfi.com/214668
Resource:
x_refsource_MISC
Hyperlink: http://www.wisec.it/ush/phpnukexss.html
Resource:
x_refsource_MISC
Hyperlink: http://www.securityfocus.com/archive/1/462727/100/0/threaded
Resource:
mailing-list
x_refsource_BUGTRAQ
Hyperlink: http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/
Resource:
x_refsource_MISC
Hyperlink: http://secunia.com/advisories/24629
Resource:
third-party-advisory
x_refsource_SECUNIA
Hyperlink: http://www.securityfocus.com/archive/1/462308/100/100/threaded
Resource:
mailing-list
x_refsource_BUGTRAQ
Hyperlink: http://www.securityfocus.com/archive/1/462575/100/0/threaded
Resource:
mailing-list
x_refsource_BUGTRAQ
â–¼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
http://osvdb.org/34501
vdb-entry
x_refsource_OSVDB
x_transferred
http://phpfi.com/214668
x_refsource_MISC
x_transferred
http://www.wisec.it/ush/phpnukexss.html
x_refsource_MISC
x_transferred
http://www.securityfocus.com/archive/1/462727/100/0/threaded
mailing-list
x_refsource_BUGTRAQ
x_transferred
http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/
x_refsource_MISC
x_transferred
http://secunia.com/advisories/24629
third-party-advisory
x_refsource_SECUNIA
x_transferred
http://www.securityfocus.com/archive/1/462308/100/100/threaded
mailing-list
x_refsource_BUGTRAQ
x_transferred
http://www.securityfocus.com/archive/1/462575/100/0/threaded
mailing-list
x_refsource_BUGTRAQ
x_transferred
Hyperlink: http://osvdb.org/34501
Resource:
vdb-entry
x_refsource_OSVDB
x_transferred
Hyperlink: http://phpfi.com/214668
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://www.wisec.it/ush/phpnukexss.html
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://www.securityfocus.com/archive/1/462727/100/0/threaded
Resource:
mailing-list
x_refsource_BUGTRAQ
x_transferred
Hyperlink: http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://secunia.com/advisories/24629
Resource:
third-party-advisory
x_refsource_SECUNIA
x_transferred
Hyperlink: http://www.securityfocus.com/archive/1/462308/100/100/threaded
Resource:
mailing-list
x_refsource_BUGTRAQ
x_transferred
Hyperlink: http://www.securityfocus.com/archive/1/462575/100/0/threaded
Resource:
mailing-list
x_refsource_BUGTRAQ
x_transferred
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:20 Mar, 2007 | 20:19
Updated At:23 Apr, 2026 | 00:35

The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 and earlier does not ensure the SERVER superglobal is an array before validating the HTTP_REFERER, which allows remote attackers to conduct CSRF attacks.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary2.06.8MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
Type: Primary
Version: 2.0
Base score: 6.8
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CPE Matches

phpnuke
phpnuke
>>php-nuke>>Versions up to 8.0(inclusive)
cpe:2.3:a:phpnuke:php-nuke:*:*:*:*:*:*:*:*
phpnuke
phpnuke
>>php-nuke>>5.6
cpe:2.3:a:phpnuke:php-nuke:5.6:*:*:*:*:*:*:*
phpnuke
phpnuke
>>php-nuke>>6.5
cpe:2.3:a:phpnuke:php-nuke:6.5:*:*:*:*:*:*:*
phpnuke
phpnuke
>>php-nuke>>7.0
cpe:2.3:a:phpnuke:php-nuke:7.0:*:*:*:*:*:*:*
phpnuke
phpnuke
>>php-nuke>>7.1
cpe:2.3:a:phpnuke:php-nuke:7.1:*:*:*:*:*:*:*
phpnuke
phpnuke
>>php-nuke>>7.2
cpe:2.3:a:phpnuke:php-nuke:7.2:*:*:*:*:*:*:*
phpnuke
phpnuke
>>php-nuke>>7.3
cpe:2.3:a:phpnuke:php-nuke:7.3:*:*:*:*:*:*:*
phpnuke
phpnuke
>>php-nuke>>7.4
cpe:2.3:a:phpnuke:php-nuke:7.4:*:*:*:*:*:*:*
phpnuke
phpnuke
>>php-nuke>>7.5
cpe:2.3:a:phpnuke:php-nuke:7.5:*:*:*:*:*:*:*
phpnuke
phpnuke
>>php-nuke>>7.6
cpe:2.3:a:phpnuke:php-nuke:7.6:*:*:*:*:*:*:*
phpnuke
phpnuke
>>php-nuke>>7.7
cpe:2.3:a:phpnuke:php-nuke:7.7:*:*:*:*:*:*:*
phpnuke
phpnuke
>>php-nuke>>7.8
cpe:2.3:a:phpnuke:php-nuke:7.8:*:*:*:*:*:*:*
phpnuke
phpnuke
>>php-nuke>>7.9
cpe:2.3:a:phpnuke:php-nuke:7.9:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-352Primarynvd@nist.gov
CWE ID: CWE-352
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
http://osvdb.org/34501cve@mitre.org
N/A
http://phpfi.com/214668cve@mitre.org
Exploit
URL Repurposed
http://secunia.com/advisories/24629cve@mitre.org
Vendor Advisory
http://www.securityfocus.com/archive/1/462308/100/100/threadedcve@mitre.org
N/A
http://www.securityfocus.com/archive/1/462575/100/0/threadedcve@mitre.org
N/A
http://www.securityfocus.com/archive/1/462727/100/0/threadedcve@mitre.org
N/A
http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/cve@mitre.org
Exploit
http://www.wisec.it/ush/phpnukexss.htmlcve@mitre.org
Exploit
http://osvdb.org/34501af854a3a-2127-422b-91ae-364da2661108
N/A
http://phpfi.com/214668af854a3a-2127-422b-91ae-364da2661108
Exploit
URL Repurposed
http://secunia.com/advisories/24629af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
http://www.securityfocus.com/archive/1/462308/100/100/threadedaf854a3a-2127-422b-91ae-364da2661108
N/A
http://www.securityfocus.com/archive/1/462575/100/0/threadedaf854a3a-2127-422b-91ae-364da2661108
N/A
http://www.securityfocus.com/archive/1/462727/100/0/threadedaf854a3a-2127-422b-91ae-364da2661108
N/A
http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/af854a3a-2127-422b-91ae-364da2661108
Exploit
http://www.wisec.it/ush/phpnukexss.htmlaf854a3a-2127-422b-91ae-364da2661108
Exploit
Hyperlink: http://osvdb.org/34501
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://phpfi.com/214668
Source: cve@mitre.org
Resource:
Exploit
URL Repurposed
Hyperlink: http://secunia.com/advisories/24629
Source: cve@mitre.org
Resource:
Vendor Advisory
Hyperlink: http://www.securityfocus.com/archive/1/462308/100/100/threaded
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://www.securityfocus.com/archive/1/462575/100/0/threaded
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://www.securityfocus.com/archive/1/462727/100/0/threaded
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/
Source: cve@mitre.org
Resource:
Exploit
Hyperlink: http://www.wisec.it/ush/phpnukexss.html
Source: cve@mitre.org
Resource:
Exploit
Hyperlink: http://osvdb.org/34501
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://phpfi.com/214668
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
URL Repurposed
Hyperlink: http://secunia.com/advisories/24629
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory
Hyperlink: http://www.securityfocus.com/archive/1/462308/100/100/threaded
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://www.securityfocus.com/archive/1/462575/100/0/threaded
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://www.securityfocus.com/archive/1/462727/100/0/threaded
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Hyperlink: http://www.wisec.it/ush/phpnukexss.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit

Change History

0
Information is not available yet

Similar CVEs

2433Records found

CVE-2004-1842
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.69% / 74.24%
||
7 Day CHG~0.00%
Published-10 May, 2005 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in Php-Nuke 6.x through 7.1.0 allows remote attackers to gain administrative privileges via an img tag with a URL to admin.php.

Action-Not Available
Vendor-phpnuken/a
Product-php-nuken/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2011-1482
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.64% / 46.19%
||
7 Day CHG~0.00%
Published-21 Jun, 2011 | 01:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site request forgery (CSRF) vulnerabilities in mainfile.php in Francisco Burzi PHP-Nuke 8.0 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add user accounts or (2) grant the administrative privilege to a user account, related to a Referer check that uses a substring comparison.

Action-Not Available
Vendor-phpnuken/a
Product-php-nuken/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2006-4563
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-2.08% / 79.29%
||
7 Day CHG~0.00%
Published-06 Sep, 2006 | 01:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the MyHeadlines before 4.3.2 module for PHP-Nuke allows remote attackers to inject arbitrary web script or HTML via the myh_op parameter to modules.php.

Action-Not Available
Vendor-phpnuken/a
Product-myheadlinesn/a
CVE-2008-2020
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.67% / 74.01%
||
7 Day CHG~0.00%
Published-30 Apr, 2008 | 01:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The CAPTCHA implementation as used in (1) Francisco Burzi PHP-Nuke 7.0 and 8.1, (2) my123tkShop e-Commerce-Suite (aka 123tkShop) 0.9.1, (3) phpMyBitTorrent 1.2.2, (4) TorrentFlux 2.3, (5) e107 0.7.11, (6) WebZE 0.5.9, (7) Open Media Collectors Database (aka OpenDb) 1.5.0b4, and (8) Labgab 1.1 uses a code_bg.jpg background image and the PHP ImageString function in a way that produces an insufficient number of different images, which allows remote attackers to pass the CAPTCHA test via an automated attack using a table of all possible image checksums and their corresponding digit strings.

Action-Not Available
Vendor-e107my123tkshoptorrentflux_projectwebzephpmybittorrentlabgabphpnukeopendbn/a
Product-e107opendbe-commerce-suitewebzephp-nukephpmybittorrentlabgabtorrentfluxn/a
CWE ID-CWE-330
Use of Insufficiently Random Values
CVE-2018-18935
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.59% / 43.78%
||
7 Day CHG~0.00%
Published-05 Nov, 2018 | 08:00
Updated-05 Aug, 2024 | 11:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in PopojiCMS v2.0.1. It has CSRF via the po-admin/route.php?mod=component&act=addnew URI, as demonstrated by adding a level=1 account.

Action-Not Available
Vendor-popojicmsn/a
Product-popojicmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-12589
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.60% / 44.62%
||
7 Day CHG~0.00%
Published-18 Aug, 2017 | 17:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ToMAX R60G R60GV2-V2.0-v.2.6.3-170330 devices do not have any protection against a CSRF attack.

Action-Not Available
Vendor-tomaxcomn/a
Product-r60gr60g_firmwarer60gv2_firmwarer60gv2n/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-1218
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-8.8||HIGH
EPSS-0.90% / 55.32%
||
7 Day CHG~0.00%
Published-19 Jul, 2017 | 20:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Tivoli Endpoint Manager is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 123858.

Action-Not Available
Vendor-IBM Corporation
Product-bigfix_platformBigFix family
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-18842
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.81% / 52.62%
||
7 Day CHG~0.00%
Published-30 Oct, 2018 | 06:00
Updated-05 Aug, 2024 | 11:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CSRF exists in zb_users/plugin/AppCentre/theme.js.php in Z-BlogPHP 1.5.2.1935 (Zero), which allows remote attackers to execute arbitrary PHP code.

Action-Not Available
Vendor-zblogcnn/a
Product-z-blogphpn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-27975
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.60% / 44.50%
||
7 Day CHG~0.00%
Published-28 Oct, 2020 | 14:31
Updated-04 Aug, 2024 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF.

Action-Not Available
Vendor-oscommercen/a
Product-oscommercen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-18773
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-3.41% / 87.42%
||
7 Day CHG~0.00%
Published-20 Nov, 2018 | 19:00
Updated-05 Aug, 2024 | 11:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=rootpwd, as demonstrated by changing the root password.

Action-Not Available
Vendor-control-webpaneln/a
Product-webpaneln/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-18742
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.52% / 40.52%
||
7 Day CHG~0.00%
Published-28 Oct, 2018 | 03:00
Updated-05 Aug, 2024 | 11:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CSRF issue was discovered in SEMCMS 3.4 via the admin/SEMCMS_User.php?Class=add&CF=user URI.

Action-Not Available
Vendor-sem-cmsn/a
Product-semcmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-18712
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.65% / 46.67%
||
7 Day CHG~0.00%
Published-27 Oct, 2018 | 22:00
Updated-05 May, 2025 | 18:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can change the super administrator's username via index.php?m=member&f=index&v=edit&uid=1.

Action-Not Available
Vendor-wuzhicmsn/a
Product-wuzhicmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2007-1489
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.67% / 47.54%
||
7 Day CHG~0.00%
Published-16 Mar, 2007 | 21:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in web-app.org Web Automated Perl Portal (WebAPP) 0.9.9.4 to 0.9.9.6 allows remote attackers to obtain admin access by modifying cookies and performing "certain consecutive actions," possibly due to a cross-site request forgery (CSRF) vulnerability.

Action-Not Available
Vendor-web-app.orgn/a
Product-webappn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-18436
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.51% / 39.96%
||
7 Day CHG~0.00%
Published-17 Oct, 2018 | 05:00
Updated-16 Sep, 2024 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JTBC(PHP) 3.0 allows CSRF for creating an account via the console/account/manage.php?type=action&action=add URI.

Action-Not Available
Vendor-jtbcn/a
Product-jtbc_phpn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-18201
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.49% / 38.80%
||
7 Day CHG~0.00%
Published-09 Oct, 2018 | 23:00
Updated-05 Aug, 2024 | 11:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

qibosoft V7.0 allows CSRF via admin/index.php?lfj=member&action=addmember to add a user account.

Action-Not Available
Vendor-qibosoftn/a
Product-qibosoftn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-17389
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.91% / 55.67%
||
7 Day CHG~0.00%
Published-19 Jun, 2019 | 16:55
Updated-05 Aug, 2024 | 10:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CSRF exists in server.php in Live Call Support Application 1.5 for adding an admin account.

Action-Not Available
Vendor-ranksoln/a
Product-live_call_supportn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2014-0168
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.74% / 50.10%
||
7 Day CHG~0.00%
Published-06 Oct, 2014 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in Jolokia before 1.2.1 allows remote attackers to hijack the authentication of users for requests that execute MBeans methods via a crafted web page.

Action-Not Available
Vendor-jolokian/a
Product-jolokian/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-17584
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.92% / 55.91%
||
7 Day CHG~0.00%
Published-15 Apr, 2019 | 19:41
Updated-05 Aug, 2024 | 10:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The WP Fastest Cache plugin 0.8.8.5 for WordPress has CSRF via the wp-admin/admin.php wpfastestcacheoptions page.

Action-Not Available
Vendor-wpfastestcachen/a
Product-wp_fastest_cachen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-28649
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.77% / 50.97%
||
7 Day CHG~0.00%
Published-16 Nov, 2020 | 02:50
Updated-04 Aug, 2024 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The orbisius-child-theme-creator plugin before 1.5.2 for WordPress allows CSRF via orbisius_ctc_theme_editor_manage_file.

Action-Not Available
Vendor-orbisiusn/a
Product-child_theme_creatorn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-11726
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.48% / 37.76%
||
7 Day CHG~0.00%
Published-31 Jul, 2017 | 23:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

services/system_io/actionprocessor/System.rails in ConnectWise Manage 2017.5 is vulnerable to Cross-Site Request Forgery (CSRF), as demonstrated by changing an e-mail address setting.

Action-Not Available
Vendor-connectwisen/a
Product-managen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-11455
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.31% / 67.06%
||
7 Day CHG~0.00%
Published-29 Aug, 2017 | 15:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

diag.cgi in Pulse Connect Secure 8.2R1 through 8.2R5, 8.1R1 through 8.1R10 and Pulse Policy Secure 5.3R1 through 5.3R5, 5.2R1 through 5.2R8, and 5.1R1 through 5.1R10 allow remote attackers to hijack the authentication of administrators for requests to start tcpdump, related to the lack of anti-CSRF tokens.

Action-Not Available
Vendor-n/aPulse SecureIvanti Software
Product-pulse_policy_secureconnect_securepulse_connect_securen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-11648
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.45% / 36.02%
||
7 Day CHG~0.00%
Published-31 Jul, 2017 | 23:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Techroutes TR 1803-3G Wireless Cellular Router/Modem 2.4.25 devices do not possess any protection against a CSRF vulnerability, as demonstrated by a goform/BasicSettings request to disable port filtering.

Action-Not Available
Vendor-techroutesn/a
Product-tr_1803-3g_firmwaretr_1803-3gn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-15568
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.48% / 38.14%
||
7 Day CHG~0.00%
Published-20 Aug, 2018 | 01:00
Updated-05 Aug, 2024 | 10:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

tp5cms through 2017-05-25 has CSRF via admin.php/category/delete.html.

Action-Not Available
Vendor-tp5cms_projectn/a
Product-tp5cmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-15565
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.57% / 43.03%
||
7 Day CHG~0.00%
Published-20 Aug, 2018 | 01:00
Updated-05 Aug, 2024 | 10:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in daveismyname simple-cms through 2014-03-11. admin/addpage.php does not require authentication for adding a page. This can also be exploited via CSRF.

Action-Not Available
Vendor-simple-cms_projectn/a
Product-simple_cmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-16338
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.47% / 37.44%
||
7 Day CHG~0.00%
Published-02 Sep, 2018 | 18:00
Updated-05 Aug, 2024 | 10:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in AuraCMS 2.3. There is a CSRF vulnerability that can change the administrator's password via admin.php?mod=users and subsequently add a page or menu, or submit a topic.

Action-Not Available
Vendor-auracmsn/a
Product-auracmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-15844
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.47% / 82.54%
||
7 Day CHG~0.00%
Published-25 Aug, 2018 | 21:00
Updated-05 Aug, 2024 | 10:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in DamiCMS 6.0.0. There is an CSRF vulnerability that can revise the administrator account's password via /admin.php?s=/Admin/doedit.

Action-Not Available
Vendor-damicmsn/a
Product-damicmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-16218
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.26% / 66.06%
||
7 Day CHG~0.00%
Published-29 May, 2019 | 17:56
Updated-05 Aug, 2024 | 10:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CSRF (Cross Site Request Forgery) in the web interface of the Yeahlink Ultra-elegant IP Phone SIP-T41P firmware version 66.83.0.35 allows a remote attacker to trigger code execution or settings modification on the device by providing a crafted link to the victim.

Action-Not Available
Vendor-n/aYealink Network Technology Co., Ltd
Product-ultra-elegant_ip_phone_sip-t41pultra-elegant_ip_phone_sip-t41p_firmwaren/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-16365
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.61% / 45.06%
||
7 Day CHG~0.00%
Published-02 Sep, 2018 | 22:00
Updated-05 Aug, 2024 | 10:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in idreamsoft iCMS V7.0.10. admincp.php?app=group&do=save allows CSRF.

Action-Not Available
Vendor-idreamsoftn/a
Product-icmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-12253
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-1.17% / 63.55%
||
7 Day CHG~0.00%
Published-21 Sep, 2017 | 05:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to execute unwanted actions. The vulnerability is due to a lack of cross-site request forgery (CSRF) protection. An attacker could exploit this vulnerability by tricking the user of a web application into executing an adverse action. Cisco Bug IDs: CSCve76872.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-unified_intelligence_centerCisco Unified Intelligence Center
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2013-7473
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.61% / 45.06%
||
7 Day CHG~0.00%
Published-01 Aug, 2019 | 14:21
Updated-06 Aug, 2024 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Windu CMS 2.2 allows CSRF via admin/users/?mn=admin.message.error to add an admin account.

Action-Not Available
Vendor-windun/a
Product-windu_cmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-15402
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.48% / 38.03%
||
7 Day CHG~0.00%
Published-17 Oct, 2018 | 20:00
Updated-26 Nov, 2024 | 14:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Enterprise NFV Infrastructure Software Cross-Site Request Forgery Vulnerability

A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks. The vulnerability is due to improper validation of Origin headers on HTTP requests within the management interface. An attacker could exploit this vulnerability by convincing a targeted user to follow a URL to a malicious website. An exploit could allow the attacker to take actions within the software with the privileges of the targeted user or gain access to sensitive information.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-enterprise_network_virtualization_softwareCisco Enterprise NFV Infrastructure Software
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-14331
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.52% / 40.51%
||
7 Day CHG~0.00%
Published-17 Jul, 2018 | 02:00
Updated-05 Aug, 2024 | 09:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in XiaoCms X1 v20140305. There is a CSRF vulnerability to change the administrator account password via admin/index.php?c=index&a=my.

Action-Not Available
Vendor-xiaocmsn/a
Product-xiaocms_x1n/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-15202
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.3||MEDIUM
EPSS-0.37% / 29.08%
||
7 Day CHG~0.00%
Published-08 Aug, 2018 | 04:00
Updated-16 Sep, 2024 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Juunan06 eCommerce through 2018-08-05. There is a CSRF vulnerability in ee/eBoutique/app/template/includes/crudTreatment.php that can add new users and add products.

Action-Not Available
Vendor-juunan06n/a
Product-ecommercen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-11646
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.45% / 36.01%
||
7 Day CHG~0.00%
Published-28 Jul, 2017 | 05:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NetComm Wireless 4GT101W routers with Hardware: 0.01 / Software: V1.1.8.8 / Bootloader: 1.1.3 are vulnerable to CSRF attacks, as demonstrated by using administration.html to disable the firewall. They does not contain any token that can mitigate CSRF vulnerabilities within the device.

Action-Not Available
Vendor-netcommn/a
Product-4gt101w_bootloader4gt101w_softwaren/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-12584
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.93% / 56.27%
||
7 Day CHG~0.00%
Published-06 Aug, 2017 | 03:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

There is no CSRF mitigation in SLiMS 8 Akasia through 8.3.1. Also, an entire user profile (including the password) can be updated without sending the current password. This allows remote attackers to trick a user into changing to an attacker-controlled password, a complete account takeover, via the passwd1 and passwd2 fields in an admin/modules/system/app_user.php changecurrent=true operation.

Action-Not Available
Vendor-slimsn/a
Product-senayan_library_management_systemn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-1455
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.78% / 51.46%
||
7 Day CHG~0.00%
Published-15 Aug, 2018 | 15:00
Updated-16 Sep, 2024 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 11029.

Action-Not Available
Vendor-IBM Corporation
Product-tivoli_application_dependency_discovery_managerTivoli Application Dependency Discovery Manager
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-12271
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-0.98% / 58.00%
||
7 Day CHG+0.28%
Published-19 Oct, 2017 | 08:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in Cisco SPA300 and SPA500 Series IP Phones could allow an unauthenticated, remote attacker to execute unwanted actions on an affected device. The vulnerability is due to a lack of cross-site request forgery (CSRF) protection. An attacker could exploit this vulnerability by tricking the user of a web application into executing an adverse action. Cisco Bug IDs: CSCuz88421, CSCuz91356, CSCve56308.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-spa500_firmwarespa300_firmwarespa500_series_ip_phonespa300_series_ip_phoneCisco SPA300 and SPA500 Series IP Phones
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-11680
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.51% / 39.47%
||
7 Day CHG~0.00%
Published-27 Jul, 2017 | 06:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-Site Request Forgery (CSRF) exists in Hashtopussy 0.4.0, allowing an admin password change via users.php.

Action-Not Available
Vendor-project_hashtopussyn/a
Product-hashtopussyn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-1194
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-8.8||HIGH
EPSS-0.88% / 54.64%
||
7 Day CHG~0.00%
Published-28 Apr, 2017 | 17:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 123669.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverIBM WebSphere Application Server
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-11567
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-4.13% / 89.61%
||
7 Day CHG~0.00%
Published-07 Sep, 2017 | 13:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in Mongoose Web Server before 6.9 allows remote attackers to hijack the authentication of users for requests that modify Mongoose.conf via a request to __mg_admin?save. NOTE: this issue can be leveraged to execute arbitrary code remotely.

Action-Not Available
Vendor-cesantan/a
Product-mongoose_embedded_web_server_libraryn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-11679
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.68% / 48.02%
||
7 Day CHG~0.00%
Published-27 Jul, 2017 | 06:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-Site Request Forgery (CSRF) exists in Hashtopus 1.5g via the password parameter to admin.php in an a=config action.

Action-Not Available
Vendor-hashtopus_projectn/a
Product-hashtopusn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-12631
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-8.8||HIGH
EPSS-1.61% / 72.98%
||
7 Day CHG~0.00%
Published-30 Nov, 2017 | 14:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Style Request Forgery) style vulnerability has been found in the Spring 2, Spring 3 and Spring 4 plugins in versions before 1.4.3 and 1.3.3. The vulnerability can result in a security context that is set up using a malicious client's roles for the given enduser.

Action-Not Available
Vendor-The Apache Software Foundation
Product-cxf_fedizApache CXF Fediz
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-1514
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.53% / 40.75%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 14:00
Updated-17 Sep, 2024 | 00:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Robotic Process Automation with Automation Anywhere 10.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 141622.

Action-Not Available
Vendor-IBM Corporation
Product-robotic_process_automation_with_automation_anywhereRobotic Process Automation with Automation Anywhere
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-14420
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.52% / 40.51%
||
7 Day CHG~0.00%
Published-19 Jul, 2018 | 18:00
Updated-05 Aug, 2024 | 09:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MetInfo 6.0.0 allows a CSRF attack to add a user account via a doaddsave action to admin/index.php, as demonstrated by an admin/index.php?anyid=47&n=admin&c=admin_admin&a=doaddsave URI.

Action-Not Available
Vendor-metinfon/a
Product-metinfon/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-14575
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.38% / 81.83%
||
7 Day CHG~0.00%
Published-17 Mar, 2019 | 21:19
Updated-05 Aug, 2024 | 09:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Trash Bin plugin 1.1.3 for MyBB has cross-site scripting (XSS) via a thread subject and a cross-site request forgery (CSRF) via a post subject.

Action-Not Available
Vendor-n/aMyBB
Product-trash_binn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-10961
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.56% / 42.68%
||
7 Day CHG~0.00%
Published-18 Jul, 2017 | 14:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components.

Action-Not Available
Vendor-vanderbiltn/a
Product-redcapn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-13031
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.09% / 61.48%
||
7 Day CHG~0.00%
Published-05 Jul, 2018 | 20:00
Updated-05 Aug, 2024 | 08:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DamiCMS v6.0.0 aand 6.1.0 allows CSRF via admin.php?s=/Admin/doadd to add an administrator account.

Action-Not Available
Vendor-damicmsn/a
Product-damicmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-29004
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.70% / 48.70%
||
7 Day CHG~0.00%
Published-29 Jan, 2021 | 06:22
Updated-04 Aug, 2024 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2014-3760
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.66% / 47.23%
||
7 Day CHG~0.00%
Published-16 May, 2014 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DAP 1150 with firmware 1.2.94 allow remote attackers to hijack the authentication of administrators for requests that (1) enable or (2) disable the DMZ in the Firewall/DMZ section via a request to index.cgi or (3) add, (4) modify, or (5) delete URL-filter settings in the Control/URL-filter section via a request to index.cgi, as demonstrated by adding a rule that blocks access to google.com.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dap_1150dap_1150_firmwaren/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-11718
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.46% / 36.71%
||
7 Day CHG~0.00%
Published-30 Aug, 2018 | 16:00
Updated-05 Aug, 2024 | 08:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Xovis PC2, PC2R, and PC3 devices through 3.6.0 allow CSRF.

Action-Not Available
Vendor-xovisn/a
Product-pc3pc2r_firmwarepc2pc2rpc3_firmwarepc2_firmwaren/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 48
  • 49
  • Next
Details not found