Cross-site request forgery (CSRF) vulnerability in Corega CG-WLR300NX firmware Ver. 1.20 and earlier allows remote attackers to hijack the authentication of logged in user to conduct unintended operations via unspecified vectors.
Cross-site request forgery (CSRF) vulnerability on NEC Aterm WG300HP devices allows remote attackers to hijack the authentication of arbitrary users.
The wp-customer-reviews plugin before 3.0.9 for WordPress has CSRF in the admin tools.
The google-document-embedder plugin before 2.6.2 for WordPress has CSRF.
J-Web does not validate certain input that may lead to cross-site request forgery (CSRF) issues or cause a denial of J-Web service (DoS).
The add-from-server plugin before 3.3.2 for WordPress has CSRF for importing a large file.
Cross-site request forgery (CSRF) vulnerability in the Recruit plugin before 0.9.3 for baserCMS allows remote attackers to hijack the authentication of administrators.
Cross-site request forgery (CSRF) vulnerability on NEC Aterm WF800HP devices with firmware 1.0.17 and earlier allows remote attackers to hijack the authentication of arbitrary users.
The gallery-by-supsystic plugin before 1.8.6 for WordPress has CSRF.
In Redaxo 5.2.0, the cron management of the admin panel suffers from CSRF that leads to arbitrary Remote Code Execution via addons/cronjob/lib/types/phpcode.php.
Kliqqi 3.0.0.5 allows CSRF with resultant Arbitrary File Upload because module.php?module=upload can be used to configure the uploading of .php files, and then modules/upload/upload_main.php can be used for the upload itself.
A vulnerability in the web-based management interface of Cisco Industrial Network Director could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious, customized link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device via a web browser and with the privileges of the user.
rails_admin ruby gem <v1.1.1 is vulnerable to cross-site request forgery (CSRF) attacks. Non-GET methods were not validating CSRF tokens and, as a result, an attacker could hypothetically gain access to the application administrative endpoints exposed by the gem.
The popup-by-supsystic plugin before 1.7.9 for WordPress has CSRF.
Edimax Wi-Fi Extender devices allow goform/formwlencryptvxd CSRF with resultant PSK key disclosure.
Zenbership v107 has CSRF via admin/cp-functions/event-add.php.
Multiple cross-site request forgery (CSRF) vulnerabilities in Cybozu Office 9.9.0 through 10.3.0 allow remote attackers to hijack the authentication of arbitrary users.
In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application.
Cross-site request forgery (CSRF) vulnerability on BUFFALO BHR-4GRV2 devices with firmware 1.04 and earlier, WEX-300 devices with firmware 1.90 and earlier, WHR-1166DHP devices with firmware 1.90 and earlier, WHR-300HP2 devices with firmware 1.90 and earlier, WHR-600D devices with firmware 1.90 and earlier, WMR-300 devices with firmware 1.90 and earlier, WMR-433 devices with firmware 1.01 and earlier, and WSR-1166DHP devices with firmware 1.01 and earlier allows remote attackers to hijack the authentication of arbitrary users.
Neet AirStream NAS1.1 devices have a password of ifconfig for the root account. This cannot be changed via the configuration page.
Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 3.0.0 through 3.0.9 allows remote attackers to hijack the authentication of administrators.
Cross-site request forgery (CSRF) vulnerability in the Casebook plugin before 0.9.4 for baserCMS allows remote attackers to hijack the authentication of administrators.
The GoDaddy godaddy-email-marketing-sign-up-forms plugin before 1.1.3 for WordPress has CSRF.
Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149.
A vulnerability in the web-based management interface of Cisco Unified Communications Domain Manager could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on a targeted device via a web browser and with the privileges of the user. Cisco Bug IDs: CSCvi44320.
Cross-site request forgery (CSRF) vulnerability in Tollgrade SmartGrid LightHouse Sensor Management System (SMS) Software EMS before 5.1, and 4.1.0 Build 16, allows remote attackers to hijack the authentication of arbitrary users.
CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/pages/revisions/1/?force=false. A page with id=1 can be unlocked.
A vulnerability in the web-based management interface of Cisco Data Center Network Manager could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections on the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on a targeted device via a web browser and with the privileges of the user. Cisco Bug IDs: CSCvg88291.
Pluck v4.7.7 allows CSRF via admin.php?action=settings.
Cross-site request forgery (CSRF) vulnerability in Adobe Connect before 9.5.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page.
Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact as demonstrated by a crafted user action request to index.php.
atmail before 7.8.0.2 has CSRF, allowing an attacker to change the SMTP hostname and hijack all emails.
The photo-gallery plugin before 1.2.42 for WordPress has CSRF.
6kbbs 7.1 and 8.0 allows CSRF via portalchannel_ajax.php (id or code parameter) or admin.php (fileids parameter).
admin/admin/adminsave.html in YFCMF v3.0 allows CSRF to add an administrator account.
Multiple cross-site request forgery (CSRF) vulnerabilities in the Podcast feature in Subsonic 6.1.1 allow remote attackers to hijack the authentication of users for requests that (1) subscribe to a podcast via the add parameter to podcastReceiverAdmin.view or (2) update Internet Radio Settings via the urlRedirectCustomUrl parameter to networkSettings.view. NOTE: These vulnerabilities can be exploited to conduct server-side request forgery (SSRF) attacks.
The erident-custom-login-and-dashboard plugin before 3.5 for WordPress has CSRF.
Cross-site request forgery (CSRF) vulnerability in the IBM BigFix Platform 9.0, 9.1, 9.2, and 9.5 before 9.5.2 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. IBM X-Force ID: 111363.
atmail before 7.8.0.2 has CSRF, allowing an attacker to upload and import users via CSV.
The wp-rollback plugin before 1.2.3 for WordPress has CSRF.
There is CSRF in Serendipity 2.0.5, allowing attackers to install any themes via a GET request.
Cross-site request forgery (CSRF) vulnerability in IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.0 before 7.0.1-ISS-SIM-FP0001 allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors. IBM X-Force ID: 111736.
Multiple cross-site request forgery (CSRF) vulnerabilities in Mautic 1.4.1 allow remote attackers to hijack the authentication of users for requests that (1) delete email campaigns or (2) delete contacts.
HelpDEZk 1.1.1 has CSRF in admin/home#/logos/ with an impact of remote execution of arbitrary PHP code.
Multiple cross-site request forgery (CSRF) vulnerabilities in Ipswitch MOVEit Mobile 1.2.0.962 and earlier allow remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks.
Umbraco before 7.4.0 allows remote attackers to bypass anti-forgery security measures and conduct cross-site request forgery (CSRF) attacks as demonstrated by editing user account information in the templates.asmx.cs file.
D-Link DCS-936L devices with firmware before 1.05.07 have an inadequate CSRF protection mechanism that requires the device's IP address to be a substring of the HTTP Referer header.
Hawtio versions up to and including 1.5.3 are vulnerable to CSRF vulnerability allowing remote attackers to trick the user to visit their website containing a malicious script which can be submitted to hawtio server on behalf of the user.