Cross-site request forgery (CSRF) vulnerability in admin/agent_edit.asp in PollPro 3.0 allows remote attackers to create or modify accounts as administrators via the username, password, and name parameters.
Cross-site request forgery (CSRF) vulnerability in OpenID 5.x before 5x.-1.2, a module for Drupal, allows remote attackers to hijack the authentication of unspecified victims to delete OpenID identities via unknown vectors.
In JetBrains TeamCity before 2021.2.1, URL injection leading to CSRF was possible.
Cross site request forgery (CSRF) vulnerability in AyaCMS 3.1.2 allows attackers to change an administrators password or other unspecified impacts.
Multiple cross-site request forgery (CSRF) vulnerabilities in WS-Proxy in Eye-Fi 1.1.2 allow remote attackers to hijack the authentication of users for requests that modify configuration via a SOAPAction parameter of (1) urn:SetOptions for autostart, (2) urn:SetDesktopSync for file upload, or (3) urn:SetFolderConfig for file download location or modification of authentication credentials; and (4) urn:AddNetwork for adding an arbitrary Service Set Identifier (SSID) to hijack the image upload.
WSTMall v1.9.1_170316 has CSRF via the index.php?m=Admin&c=Users&a=edit URI to add a user account.
tnftpd before 20080929 splits large command strings into multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unknown vectors, probably involving a crafted ftp:// link to a tnftpd server.
The multisite-post-duplicator plugin before 1.1.3 for WordPress has wp-admin/tools.php?page=mpd CSRF.
Cross-site request forgery (CSRF) vulnerability in cart_save.php in ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to hijack the authentication of arbitrary users for requests that conduct persistent cross-site scripting (XSS) attacks via the cart_name parameter in a save action.
Cross-site request forgery (CSRF) vulnerability in the "change password" feature in the VZPP web interface for Parallels Virtuozzo 25.4.swsoft (build 3.0.0-25.4.swsoft) allows remote attackers to modify the password via a link or IMG tag to vz/cp/pwd.
Cross-site request forgery in the REST API in IPython 2 and 3.
The wp-database-backup plugin before 4.3.1 for WordPress has CSRF.
Cross-site request forgery (CSRF) vulnerability in I-O DATA DEVICE HDL-F160, HDL-F250, HDL-F300, and HDL-F320 firmware before 1.02 allows remote attackers to (1) change a configuration or (2) delete files as an authenticated user via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Cross-site request forgery (CSRF) vulnerability in index.php in ProjectPier 0.8 and earlier allows remote attackers to perform actions as an administrator via the query string, as demonstrated by a delete project action.
Cross-site request forgery (CSRF) vulnerability on NEC Aterm WG300HP devices allows remote attackers to hijack the authentication of arbitrary users.
Cross-site request forgery (CSRF) vulnerability in Lantronix xPrintServer allows remote attackers to hijack the authentication of administrators for requests that modify configuration, as demonstrated by executing arbitrary commands using the c parameter in the rpc action.
Cross-site request forgery (CSRF) vulnerability in Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 allows remote attackers to hijack the authentication of administrators for requests that update the password via idm/admin/changeself.jsp.
Cross-site request forgery (CSRF) vulnerability in admin/ad_settings.php in Bonza Cart 1.10 and earlier allows remote attackers to change the admin password via a logout action in conjunction with the NewAdmin, NewPass1, and NewPass2 parameters.
YzmCMS v6.3 is affected by Cross Site Request Forgery (CSRF) in /admin.add
Cross-site request forgery (CSRF) vulnerability in Interact 2.4.1 allows remote attackers to hijack the authentication of super administrators for requests that create super administrator accounts.
A CSRF vulnerability exists in Anchor CMS 0.12.7 anchor/views/users/edit.php that can change the Delete admin users.
Multiple cross-site request forgery (CSRF) vulnerabilities in the admin area in X3 CMS 0.5.1 and 0.5.1.1 allow remote attackers to hijack the authentication of administrators via unspecified vectors.
A CWE-352: Cross-Site Request Forgery (CSRF) exists that could cause a remote attacker to gain unauthorized access to the product when conducting cross-domain attacks based on same-origin policy or cross-site request forgery protections bypass. Affected Product: EcoStruxure EV Charging Expert (formerly known as EVlink Load Management System): (HMIBSCEA53D1EDB, HMIBSCEA53D1EDS, HMIBSCEA53D1EDM, HMIBSCEA53D1EDL, HMIBSCEA53D1ESS, HMIBSCEA53D1ESM, HMIBSCEA53D1EML) (All Versions prior to SP8 (Version 01) V4.0.0.13)
An issue was discovered in AKCMS 6.1. CSRF can add an admin account via a /index.php?file=account&action=manageaccounts&job=newaccount URI.
IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.13.xxx is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 220048.
IBM Spectrum Copy Data Management 2.2.0.0through 2.2.15.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 225887.
The wp-d3 plugin before 2.4.1 for WordPress has CSRF.
Cross-site request forgery (CSRF) vulnerability in doorkeeper before 1.4.1 allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors.
A CSRF vulnerability was discovered in EasyCMS v1.6 that can add an admin account through index.php?s=/admin/rbacuser/insert/navTabId/rbacuser/callbackType/closeCurrent, then post username=***&password=***.
An issue was discovered in fs.com S3900 24T4S 1.7.0 and earlier. The form does not have an authentication or token authentication mechanism that allows remote attackers to forge requests on behalf of a site administrator to change all settings including deleting users, creating new users with escalated privileges.
Cross Site Request Forgery (CSRF) vulnerability in FlatPress 1.1 via the DeleteFile function in flat/admin.php.
In Redaxo 5.2.0, the cron management of the admin panel suffers from CSRF that leads to arbitrary Remote Code Execution via addons/cronjob/lib/types/phpcode.php.
Cross-site request forgery (CSRF) vulnerability on KDDI HOME SPOT CUBE devices before 2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Cross-site request forgery (CSRF) vulnerability on BUFFALO BHR-4GRV2 devices with firmware 1.04 and earlier, WEX-300 devices with firmware 1.90 and earlier, WHR-1166DHP devices with firmware 1.90 and earlier, WHR-300HP2 devices with firmware 1.90 and earlier, WHR-600D devices with firmware 1.90 and earlier, WMR-300 devices with firmware 1.90 and earlier, WMR-433 devices with firmware 1.01 and earlier, and WSR-1166DHP devices with firmware 1.01 and earlier allows remote attackers to hijack the authentication of arbitrary users.
A Cross-Site Request Forgery (CSRF) vulnerability in the Multi User plugin 1.8.2 for GetSimple CMS allows remote attackers to add admin (or other) users after an authenticated admin visits a third-party site or clicks on a URL.
Multiple cross-site request forgery (CSRF) vulnerabilities in the Pods plugin before 2.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) conduct cross-site scripting (XSS) attacks via the toggled parameter in a toggle action in the pods-components page to wp-admin/admin.php, (2) delete a pod in a delete action in the pods page to wp-admin/admin.php, (3) reset pod settings and data via the pods_reset parameter in the pod-settings page to wp-admin/admin.php, (4) deactivate and reset pod data via the pods_reset_deactivate parameter in the pod-settings page to wp-admin/admin.php, (5) delete the admin role via the id parameter in a delete action in the pods-component-roles-and-capabilities page to wp-admin/admin.php, or (6) enable "roles and capabilities" in a toggle action in the pods-components page to wp-admin/admin.php.
The gallery-by-supsystic plugin before 1.8.6 for WordPress has CSRF.
servlet/UserServlet in SearchBlox 8.6.6 has CSRF via the u_name, u_passwd1, u_passwd2, role, and X-XSRF-TOKEN POST parameters because of CSRF Token Bypass.
A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to execute arbitrary SQL scripts.
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.
Cross Site Request Forgery (CSRF) vulnerability in Express cart v1.1.16 allows attackers to add an administrator account, add discount code or other unspecified impacts.
Cross-site request forgery (CSRF) in Fork-CMS before 5.8.2 allow remote attackers to hijack the authentication of logged administrators.
In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application.
Spiceworks Version <= 7.5.00107 is affected by CSRF which can lead to privilege escalation via "/settings/v1/users" function.
Neet AirStream NAS1.1 devices have a password of ifconfig for the root account. This cannot be changed via the configuration page.
A cross-site request forgery (CSRF) in /controller/pay.class.php of YzmCMS v5.5 allows attackers to access sensitive components of the application.
Cross-site request forgery (CSRF) vulnerability in index.php in WoltLab Burning Board Lite (wBB) 2 Beta 1 allows remote attackers to delete threads as other users via the ThreadDelete action.
Multiple cross-site request forgery (CSRF) vulnerabilities in MyBB 1.2.11 and earlier allow remote attackers to (1) hijack the authentication of moderators or administrators for requests that delete threads via a do_multideletethreads action to moderation.php and (2) hijack the authentication of arbitrary users for requests that delete private messages (PM) via a delete action to private.php.
Jeesns 1.4.2 contains a cross-site request forgery (CSRF) which allows attackers to escalate privileges and perform sensitive program operations.
ChemCMS v1.0.6 has CSRF by using public/admin/user/addpost.html to add an administrator account.