Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2018-6651

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-05 Feb, 2018 | 22:00
Updated At-05 Aug, 2024 | 06:10
Rejected At-
Credits

In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full control over the victim's computer.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:05 Feb, 2018 | 22:00
Updated At:05 Aug, 2024 | 06:10
Rejected At:
▼CVE Numbering Authority (CNA)

In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full control over the victim's computer.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/chrisd1100/uncurl/releases/tag/0.07
x_refsource_CONFIRM
https://gist.github.com/Zenexer/ac7601c0e367d876353137e5099b18a7
x_refsource_MISC
https://github.com/chrisd1100/uncurl/commit/448cd13e7b18c83855d706c564341ddd1e38e769
x_refsource_CONFIRM
Hyperlink: https://github.com/chrisd1100/uncurl/releases/tag/0.07
Resource:
x_refsource_CONFIRM
Hyperlink: https://gist.github.com/Zenexer/ac7601c0e367d876353137e5099b18a7
Resource:
x_refsource_MISC
Hyperlink: https://github.com/chrisd1100/uncurl/commit/448cd13e7b18c83855d706c564341ddd1e38e769
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/chrisd1100/uncurl/releases/tag/0.07
x_refsource_CONFIRM
x_transferred
https://gist.github.com/Zenexer/ac7601c0e367d876353137e5099b18a7
x_refsource_MISC
x_transferred
https://github.com/chrisd1100/uncurl/commit/448cd13e7b18c83855d706c564341ddd1e38e769
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/chrisd1100/uncurl/releases/tag/0.07
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://gist.github.com/Zenexer/ac7601c0e367d876353137e5099b18a7
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/chrisd1100/uncurl/commit/448cd13e7b18c83855d706c564341ddd1e38e769
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:05 Feb, 2018 | 22:29
Updated At:09 Oct, 2019 | 23:41

In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full control over the victim's computer.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.08.8HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary2.09.3HIGH
AV:N/AC:M/Au:N/C:C/I:C/A:C
Type: Primary
Version: 3.0
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 9.3
Base severity: HIGH
Vector:
AV:N/AC:M/Au:N/C:C/I:C/A:C
CPE Matches

uncurl_project
uncurl_project
>>uncurl>>Versions before 0.07(exclusive)
cpe:2.3:a:uncurl_project:uncurl:*:*:*:*:*:*:*:*
parsecgaming
parsecgaming
>>parsec>>Versions before 140-3(exclusive)
cpe:2.3:a:parsecgaming:parsec:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-352Primarynvd@nist.gov
CWE ID: CWE-352
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://gist.github.com/Zenexer/ac7601c0e367d876353137e5099b18a7cve@mitre.org
N/A
https://github.com/chrisd1100/uncurl/commit/448cd13e7b18c83855d706c564341ddd1e38e769cve@mitre.org
Patch
Third Party Advisory
https://github.com/chrisd1100/uncurl/releases/tag/0.07cve@mitre.org
Third Party Advisory
Hyperlink: https://gist.github.com/Zenexer/ac7601c0e367d876353137e5099b18a7
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://github.com/chrisd1100/uncurl/commit/448cd13e7b18c83855d706c564341ddd1e38e769
Source: cve@mitre.org
Resource:
Patch
Third Party Advisory
Hyperlink: https://github.com/chrisd1100/uncurl/releases/tag/0.07
Source: cve@mitre.org
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

896Records found

CVE-2015-8255
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-8.8||HIGH
EPSS-2.17% / 80.07%
||
7 Day CHG~0.00%
Published-10 Apr, 2017 | 03:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

AXIS Communications products allow CSRF, as demonstrated by admin/pwdgrp.cgi, vaconfig.cgi, and admin/local_del.cgi.

Action-Not Available
Vendor-axisn/a
Product-axis_communications_firmwareAXIS Communications products
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-8623
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.73% / 49.77%
||
7 Day CHG~0.00%
Published-23 Mar, 2017 | 20:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12 and 1.24.x before 1.24.5 does not perform token comparison in constant time before returning, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8624.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-6180
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.48% / 37.72%
||
7 Day CHG~0.00%
Published-13 Mar, 2017 | 06:14
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Keekoon KK002 devices 1.8.12 HD have a Cross Site Request Forgery Vulnerability affecting goform/formChnUserPwd and goform/formUserMng (and the entire set of other pages).

Action-Not Available
Vendor-keekoonvisionn/a
Product-kk002_ip_camera_firmwarekk002_ip_cameran/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2016-4878
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-8.8||HIGH
EPSS-0.94% / 56.68%
||
7 Day CHG~0.00%
Published-12 May, 2017 | 18:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

Action-Not Available
Vendor-basercmsbaserCMS Users Community
Product-basercmsbaserCMS
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-1904
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-0.97% / 57.73%
||
7 Day CHG~0.00%
Published-21 Jun, 2019 | 02:20
Updated-20 Nov, 2024 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based UI (web UI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software with the HTTP Server feature enabled. The default state of the HTTP Server feature is version dependent.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ios_xe4451-x_integrated_services_router4331_integrated_services_router4321_integrated_services_routerasr_1001-x4431_integrated_services_routerasr_1002-xcloud_services_router_1000vasr_1002-hx4351_integrated_services_routerasr_1000_series_route_processor_\(rp2\)Cisco IOS XE Software
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-14926
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.58% / 43.39%
||
7 Day CHG~0.00%
Published-03 Aug, 2018 | 21:00
Updated-05 Aug, 2024 | 09:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Matera Banco 1.0.0 allows CSRF, as demonstrated by a /contingency/web/messageSend/messageSendHandler.jsp request.

Action-Not Available
Vendor-materan/a
Product-bancon/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-6042
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.8||HIGH
EPSS-0.64% / 46.23%
||
7 Day CHG~0.00%
Published-30 Jun, 2017 | 02:35
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-Site Request Forgery issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Affected devices do not verify if a request was intentionally sent by the logged-in user, which may allow an attacker to trick a client into making an unintentional request to the web server that will be treated as an authentic request.

Action-Not Available
Vendor-sierra_wirelessn/a
Product-airlink_raven_xt_firmwareairlink_raven_xtairlink_raven_xe_firmwareairlink_raven_xeSierra Wireless AirLink Raven XE and XT
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-6541
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.99% / 85.66%
||
7 Day CHG~0.00%
Published-08 Apr, 2016 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site request forgery (CSRF) vulnerabilities in the Mail interface in Zimbra Collaboration Server (ZCS) before 8.5 allow remote attackers to hijack the authentication of arbitrary users for requests that change account preferences via a SOAP request to service/soap/BatchRequest.

Action-Not Available
Vendor-n/aZimbra
Product-zimbra_collaboration_servern/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-7610
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.22% / 65.02%
||
7 Day CHG~0.00%
Published-30 May, 2018 | 21:00
Updated-06 Aug, 2024 | 07:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in the login form in Zimbra Collaboration Suite (aka ZCS) before 8.6.0 Patch 10, 8.7.x before 8.7.11 Patch 2, and 8.8.x before 8.8.8 Patch 1 allows remote attackers to hijack the authentication of unspecified victims by leveraging failure to use a CSRF token.

Action-Not Available
Vendor-n/aZimbraSynacor, Inc.
Product-zimbra_collaboration_suiten/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-7465
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-8.8||HIGH
EPSS-0.55% / 41.93%
||
7 Day CHG~0.00%
Published-10 Jan, 2016 | 02:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service (JRS) 6.0 before 6.0.0-Rational-CLM-ifix005 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.

Action-Not Available
Vendor-n/aIBM Corporation
Product-jazz_reporting_servicen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-7537
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8.8||HIGH
EPSS-2.40% / 81.96%
||
7 Day CHG~0.00%
Published-03 Feb, 2016 | 15:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Action-Not Available
Vendor-n/aJenkinsRed Hat, Inc.
Product-jenkinsopenshiftn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-19995
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.66% / 47.12%
||
7 Day CHG~0.00%
Published-26 Dec, 2019 | 17:31
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CSRF issue was discovered on Intelbras IWR 3000N 1.8.7 devices, leading to complete control of the router, as demonstrated by v1/system/user.

Action-Not Available
Vendor-intelbrasn/a
Product-iwr_3000n_firmwareiwr_3000nn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-7446
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-8.8||HIGH
EPSS-0.74% / 49.98%
||
7 Day CHG~0.00%
Published-12 Mar, 2016 | 15:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in IBM Flash System V9000 7.4 before 7.4.1.4, 7.5 before 7.5.1.3, and 7.6 before 7.6.0.4 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

Action-Not Available
Vendor-n/aIBM Corporation
Product-flashsystem_9846-ae2flashsystem_9846-ac2flashsystem_9848-ae2flashsystem_9848-ac2flashsystem_v9000_firmwaren/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-13259
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-4.66% / 90.64%
||
7 Day CHG~0.00%
Published-16 Sep, 2020 | 18:27
Updated-04 Aug, 2024 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of RAD SecFlow-1v os-image SF_0290_2.3.01.26 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. This could be exploited in conjunction with CVE-2020-13260.

Action-Not Available
Vendor-radn/a
Product-secflow-1v_firmwaresecflow-1vn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-7293
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-8.8||HIGH
EPSS-3.06% / 85.98%
||
7 Day CHG~0.00%
Published-25 Sep, 2017 | 21:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x.

Action-Not Available
Vendor-zopen/aPlone Foundation
Product-zope_management_interfaceplonen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-7407
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-8.8||HIGH
EPSS-0.63% / 45.71%
||
7 Day CHG~0.00%
Published-02 Jan, 2016 | 21:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in Lotus Mashups in IBM Mashup Center 3.0.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

Action-Not Available
Vendor-n/aIBM Corporation
Product-mashups_centern/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-12628
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.66% / 46.94%
||
7 Day CHG~0.00%
Published-10 Jul, 2019 | 11:45
Updated-05 Aug, 2024 | 08:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Eventum 3.5.0. CSRF in htdocs/manage/users.php allows creating another user with admin privileges.

Action-Not Available
Vendor-eventum_projectn/a
Product-eventumn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-7278
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-8.8||HIGH
EPSS-0.59% / 44.02%
||
7 Day CHG~0.00%
Published-31 Dec, 2015 | 02:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability on Amped Wireless R10000 devices with firmware 2.5.2.11 allows remote attackers to hijack the authentication of arbitrary users.

Action-Not Available
Vendor-ampedwirelessn/a
Product-r10000_firmwarer10000n/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-5338
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8.8||HIGH
EPSS-0.79% / 51.64%
||
7 Day CHG~0.00%
Published-22 Feb, 2016 | 02:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote attackers to hijack the authentication of arbitrary users for requests to (1) mod/lesson/mediafile.php or (2) mod/lesson/view.php.

Action-Not Available
Vendor-n/aMoodle Pty Ltd
Product-moodlen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-5607
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.20% / 64.45%
||
7 Day CHG~0.00%
Published-20 Sep, 2017 | 16:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery in the REST API in IPython 2 and 3.

Action-Not Available
Vendor-ipythonn/aFedora Project
Product-ipythonfedoran/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-5990
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-8.8||HIGH
EPSS-0.62% / 45.53%
||
7 Day CHG~0.00%
Published-31 Dec, 2015 | 16:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability on Belkin F9K1102 2 devices with firmware 2.10.17 allows remote attackers to hijack the authentication of arbitrary users.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-gs1900-10hp_firmwaren/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-5473
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-3.52% / 87.82%
||
7 Day CHG~0.00%
Published-14 Jan, 2017 | 06:56
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in ntopng through 2.4 allows remote attackers to hijack the authentication of arbitrary users, as demonstrated by admin/add_user.lua, admin/change_user_prefs.lua, admin/delete_user.lua, and admin/password_reset.lua.

Action-Not Available
Vendor-ntopn/a
Product-ntopngn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-1874
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-0.80% / 52.21%
||
7 Day CHG~0.00%
Published-20 Jun, 2019 | 03:00
Updated-20 Nov, 2024 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Prime Service Catalog Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco Prime Service Catalog Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protection mechanisms on the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-prime_service_catalogCisco Prime Service Catalog
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-5445
Matching Score-4
Assigner-HP Inc.
ShareView Details
Matching Score-4
Assigner-HP Inc.
CVSS Score-8.8||HIGH
EPSS-1.34% / 67.82%
||
7 Day CHG~0.00%
Published-05 Jan, 2016 | 11:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in HP StoreOnce Backup system software before 3.13.1 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.

Action-Not Available
Vendor-n/aHP Inc.
Product-storeonce_backup_system_softwaren/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-1881
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.7||MEDIUM
EPSS-1.29% / 66.67%
||
7 Day CHG~0.00%
Published-05 Jun, 2019 | 16:35
Updated-21 Nov, 2024 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Industrial Network Director Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to use a web browser and the privileges of the user to perform arbitrary actions on an affected device. For more information about CSRF attacks and potential mitigations, see Understanding Cross-Site Request Forgery Threat Vectors.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-industrial_network_directorCisco Industrial Network Director
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-5351
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8.8||HIGH
EPSS-9.21% / 94.72%
||
7 Day CHG~0.00%
Published-25 Feb, 2016 | 01:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.

Action-Not Available
Vendor-n/aCanonical Ltd.The Apache Software FoundationDebian GNU/Linux
Product-tomcatdebian_linuxubuntu_linuxn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-1857
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.59% / 43.97%
||
7 Day CHG~0.00%
Published-03 May, 2019 | 16:40
Updated-21 Nov, 2024 | 19:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco HyperFlex HX-Series Web-Based Management Interface Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco HyperFlex HX-Series could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system by using a web browser and with the privileges of the user.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ucs_c480_ml_firmwareucs_c220_m5_firmwareucs_b480_m5_firmwareucs_c240_m5_firmwareucs_c480_mlucs_b200_m5ucs_c220_m5hx220c_af_m5_firmwareucs_b200_m5_firmwareucs_b480_m5ucs_c480_m5_firmwarehx220c_m5ucs_c125_m5ucs_c240_m5hx220c_edge_m5_firmwarehx240c_m5hx240c_af_m5hx240c_af_m5_firmwareucs_c480_m5hx220c_all_nvme_m5_firmwareucs_c125_m5_firmwarehx240c_m5_firmwarehx240c_large_form_factor_firmwarehx220c_edge_m5hx240c_large_form_factorhx220c_m5_firmwarehx220c_af_m5hx220c_all_nvme_m5Cisco HyperFlex HX-Series
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-5081
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.04% / 59.70%
||
7 Day CHG~0.00%
Published-18 Aug, 2017 | 18:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in django CMS before 3.0.14, 3.1.x before 3.1.1 allows remote attackers to manipulate privileged users into performing unknown actions via unspecified vectors.

Action-Not Available
Vendor-django-cmsn/a
Product-django_cmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-5007
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-8.8||HIGH
EPSS-0.91% / 55.52%
||
7 Day CHG~0.00%
Published-15 Jan, 2016 | 02:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Commerce 6.0 through 6.0.0.11, 7.0 through 7.0.0.9, and 7.0 Feature Pack 8 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.

Action-Not Available
Vendor-n/aIBM Corporation
Product-websphere_commercen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-5050
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-8.8||HIGH
EPSS-0.55% / 41.93%
||
7 Day CHG~0.00%
Published-15 Feb, 2016 | 02:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in IBM Emptoris Contract Management 9.5.0.x before 9.5.0.6 iFix15, 10.0.0.x and 10.0.1.x before 10.0.1.5 iFix5, 10.0.2.x before 10.0.2.7 iFix4, and 10.0.4.x before 10.0.4.0 iFix3 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.

Action-Not Available
Vendor-n/aIBM Corporation
Product-emptoris_contract_managementn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-4179
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.91% / 55.67%
||
7 Day CHG~0.00%
Published-05 Feb, 2018 | 16:00
Updated-06 Aug, 2024 | 06:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site request forgery (CSRF) vulnerabilities in the Codestyling Localization plugin 1.99.30 and earlier for Wordpress.

Action-Not Available
Vendor-codestyling_localization_projectn/a
Product-codestyling_localizationn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-4089
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.99% / 58.27%
||
7 Day CHG~0.00%
Published-19 Sep, 2017 | 15:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site request forgery (CSRF) vulnerabilities in the optionsPageRequest function in admin.php in WP Fastest Cache plugin before 0.8.3.5 for WordPress allow remote attackers to hijack the authentication of unspecified victims for requests that call the (1) saveOption, (2) deleteCache, (3) deleteCssAndJsCache, or (4) addCacheTimeout method via the wpFastestCachePage parameter in the WpFastestCacheOptions/ page.

Action-Not Available
Vendor-wpfastestcachen/a
Product-wp_fastest_cachen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-18768
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.62% / 45.30%
||
7 Day CHG~0.00%
Published-22 Apr, 2020 | 15:36
Updated-05 Aug, 2024 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by CSRF. This affects EX6100 before 1.0.2.16_1.1.130, EX6100v2 before 1.0.1.70, EX6150v2 before 1.0.1.54, EX6200v2 before 1.0.1.50, EX6400 before 1.0.1.60, EX7300 before 1.0.1.60, and WN3000RPv3 before 1.0.2.44.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-wn3000rp_firmwarewn3000rpex6400_firmwareex6100_firmwareex7300ex7300_firmwareex6400ex6200ex6200_firmwareex6150ex6150_firmwareex6100n/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-4593
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-3.36% / 87.22%
||
7 Day CHG~0.00%
Published-10 Jan, 2017 | 15:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

eClinicalWorks Population Health (CCMR) suffers from a cross-site request forgery (CSRF) vulnerability in portalUserService.jsp which allows remote attackers to hijack the authentication of content administrators for requests that could lead to the creation, modification and deletion of users, appointments and employees.

Action-Not Available
Vendor-eclinicalworksn/a
Product-population_healthn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-3946
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.8||HIGH
EPSS-0.90% / 55.22%
||
7 Day CHG~0.00%
Published-15 Jan, 2016 | 02:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in Advantech WebAccess before 8.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-webaccessn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-4639
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.62% / 45.30%
||
7 Day CHG~0.00%
Published-21 Jul, 2017 | 14:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in opac-addbybiblionumber.pl in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, and 3.20.x before 3.20.1 allows remote attackers to inject arbitrary web script or HTML via a crafted list name.

Action-Not Available
Vendor-kohan/a
Product-kohan/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-4697
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.25% / 65.75%
||
7 Day CHG~0.00%
Published-07 Sep, 2017 | 20:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in Google Analyticator Wordpress Plugin before 6.4.9.3 rev @1183563.

Action-Not Available
Vendor-sumon/a
Product-google_analyticatorn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-18742
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.46% / 36.67%
||
7 Day CHG~0.00%
Published-23 Apr, 2020 | 15:45
Updated-05 Aug, 2024 | 21:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by CSRF. This affects JR6150 before 1.0.1.10, R6050 before 1.0.1.10, R6250 before 1.0.4.12, R6300v2 before 1.0.4.8, R6700 before 1.0.1.16, R6900 before 1.0.1.16, R7300DST before 1.0.0.54, R7900 before 1.0.1.12, R8000 before 1.0.3.32, and R8500 before 1.0.2.74.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r8500r6700r8000r7900r6900r8500_firmwarer7300dst_firmwarer6900_firmwarer6050_firmwarer6050r7900_firmwarejr6150jr6150_firmwarer6300r7300dstr6300_firmwarer6700_firmwarer6250_firmwarer8000_firmwarer6250n/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-18504
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.69% / 48.13%
||
7 Day CHG~0.00%
Published-12 Aug, 2019 | 15:36
Updated-05 Aug, 2024 | 21:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The twitter-cards-meta plugin before 2.5.0 for WordPress has CSRF.

Action-Not Available
Vendor-n/aWPDeveloper
Product-twitter_cards_metan/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-1713
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-8.1||HIGH
EPSS-1.09% / 61.46%
||
7 Day CHG~0.00%
Published-03 May, 2019 | 16:15
Updated-21 Nov, 2024 | 19:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Adaptive Security Appliance Software Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the user has administrative privileges, the attacker could alter the configuration of, extract information from, or reload an affected device.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-asa_5550asa_5545-xasa_5505asa_5540adaptive_security_appliance_softwareasa_5555-xasa_5520asa_5510asa_5525-xasa_5580asa_5585-xasa_5512-xasa_5515-xCisco Adaptive Security Appliance (ASA) Software
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-4619
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.90% / 55.36%
||
7 Day CHG~0.00%
Published-07 Sep, 2017 | 20:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in Spina before commit bfe44f289e336f80b6593032679300c493735e75.

Action-Not Available
Vendor-denkgrootn/a
Product-spinan/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-16009
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-0.97% / 57.74%
||
7 Day CHG~0.00%
Published-23 Sep, 2020 | 00:26
Updated-13 Nov, 2024 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco IOS and Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability

A vulnerability in the web UI of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ios_xeiosCisco IOS 12.2(15)B
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-9604
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.64% / 46.04%
||
7 Day CHG~0.00%
Published-29 Mar, 2019 | 13:50
Updated-04 Aug, 2024 | 21:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PHP Scripts Mall Online Lottery PHP Readymade Script 1.7.0 has Cross-Site Request Forgery (CSRF) for Edit Profile actions.

Action-Not Available
Vendor-online_lottery_php_readymade_script_projectn/a
Product-online_lottery_php_readymade_scriptn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-2912
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-8.8||HIGH
EPSS-1.32% / 67.37%
||
7 Day CHG~0.00%
Published-31 Dec, 2015 | 02:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The JSONP endpoint in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 does not properly restrict callback values, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted HTTP request.

Action-Not Available
Vendor-orientdbn/a
Product-orientdbn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-9549
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.65% / 46.62%
||
7 Day CHG~0.00%
Published-03 Mar, 2019 | 19:00
Updated-04 Aug, 2024 | 21:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in PopojiCMS v2.0.1. It has CSRF via the po-admin/route.php?mod=user&act=addnew URI, as demonstrated by adding a level=1 account, a similar issue to CVE-2018-18935.

Action-Not Available
Vendor-popojicmsn/a
Product-popojicmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-16099
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.61% / 45.02%
||
7 Day CHG~0.00%
Published-08 Sep, 2019 | 16:37
Updated-05 Aug, 2024 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows CSRF via JSON data to a .swf file.

Action-Not Available
Vendor-silver-peakn/a
Product-unity_edgeconnect_sd-wan_firmwareunity_edgeconnect_sd-wann/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-2878
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-8.8||HIGH
EPSS-4.17% / 89.67%
||
7 Day CHG~0.00%
Published-23 Oct, 2017 | 18:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site request forgery (CSRF) vulnerabilities in Hexis HawkEye G 3.0.1.4912 allow remote attackers to hijack the authentication of administrators for requests that (1) add arbitrary accounts via the name parameter to interface/rest/accounts/json; turn off the (2) Url matching, (3) DNS Inject, or (4) IP Redirect Sensor in a request to interface/rest/dpi/setEnabled/1; or (5) perform whitelisting of malware MD5 hash IDs via the id parameter to interface/rest/md5-threats/whitelist.

Action-Not Available
Vendor-n/aWatchGuard Technologies, Inc.
Product-hawkeye_gn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-17056
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.74% / 50.13%
||
7 Day CHG~0.00%
Published-04 Dec, 2017 | 14:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ZKTime Web Software 2.0.1.12280 allows the Administrator to elevate the privileges of the application user using a 'password_change()' function of the Modify Password component, reachable via the old_password, new_password1, and new_password2 parameters to the /accounts/password_change/ URI. An attacker takes advantage of this scenario and creates a crafted CSRF link to add himself as an administrator to the ZKTime Web Software. He then uses social engineering methods to trick the administrator into clicking the forged HTTP request. The request is executed and the attacker becomes the Administrator of the ZKTime Web Software. If the vulnerability is successfully exploited, then an attacker (who would be a normal user of the web application) can escalate his privileges and become the administrator of ZKTime Web Software.

Action-Not Available
Vendor-n/aZKTeco Co., Ltd.
Product-zktime_webn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-1786
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8.8||HIGH
EPSS-0.66% / 46.89%
||
7 Day CHG~0.00%
Published-08 Jun, 2017 | 21:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf in Zend Framework 2.3.x before 2.3.6 via null or malformed token identifiers.

Action-Not Available
Vendor-n/aPerforce Software, Inc.
Product-zend_frameworkn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-15808
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.17% / 63.66%
||
7 Day CHG~0.00%
Published-23 Oct, 2017 | 17:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php.

Action-Not Available
Vendor-n/aThorsten Rinne (phpMyFAQ)
Product-phpmyfaqn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 17
  • 18
  • Next
Details not found