IBM Business Automation Workflow 18.0.0.0 and 18.0.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 154890.
There is a CSRF vulnerability in the mndpsingh287 File Manager plugin 3.0 for WordPress via the page=wp_file_manager_root public_path parameter.
A CSRF issue was discovered in web/authorization/oauth2/controller/OAuth2ClientController.java in hsweb 3.0.4 because the state parameter in the request is not compared with the state parameter in the session after user authentication is successful.
An issue was discovered in Elefant CMS before 2.0.5. There is a CSRF vulnerability that can add an account via user/add.
Cross-site request forgery (CSRF) vulnerability in Adobe Connect before 9.5.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
An issue was discovered in REDAXO CMS 4.7.2. There is a CSRF vulnerability that can add an administrator account via index.php?page=user.
PHP Scripts Mall Basic B2B Script 2.0.9 has Cross-Site Request Forgery (CSRF) via the Edit profile feature.
UCMS 1.4.7 has ?do=user_addpost CSRF.
PHP Scripts Mall Entrepreneur Job Portal Script 3.0.1 has Cross-Site Request Forgery (CSRF) via the Edit Profile feature.
IBM Cram Social Program Management 6.1.1, 6.2.0, 7.0.4, and 7.0.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 154891.
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can change the super administrator's username via index.php?m=member&f=index&v=edit&uid=1.
\upload\plugins\sys\admin\Setting.php in CScms 4.1 allows CSRF via admin.php/setting/ftp_save.
An issue was discovered in fledrCMS through 2014-02-03. There is a CSRF vulnerability that can change the administrator's password via index.php?p=done&savedata=1.
main.aspx in Microstrategy Analytics 10.4.0026.0049 and earlier has CSRF. NOTE: The vendor claims that documentation for preventing a CSRF attack has been provided (https://community.microstrategy.com/s/article/KB37643-New-security-feature-introduced-in-MicroStrategy-Web-9-0?language=en_US) and disagrees that this issue is a vulnerability. They also claim that MicroStrategy was never properly informed of this issue via normal support channels or their vulnerability reporting page on their website, so they were unable to evaluate the report or explain how this is something their customers view as a feature and not a security vulnerability
phpMyFAQ before 2.9.11 allows CSRF.
JTBC(PHP) 3.0.1.7 has CSRF via the console/xml/manage.php?type=action&action=edit URI, as demonstrated by an XSS payload in the content parameter.
An issue was discovered in S-CMS v1.5. There is a CSRF vulnerability that can add a new user via the admin/ajax.php?type=member&action=add URI.
CSRF exists in zb_users/plugin/AppCentre/theme.js.php in Z-BlogPHP 1.5.2.1935 (Zero), which allows remote attackers to execute arbitrary PHP code.
CSRF exists on Polycom QDX 6000 devices.
Cross-site request forgery (CSRF) vulnerability in IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.0 before 7.0.1-ISS-SIM-FP0001 allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors. IBM X-Force ID: 111736.
admin/admin/adminsave.html in YFCMF v3.0 allows CSRF to add an administrator account.
Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page.
Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149.
An issue was discovered in iCMS 7.0.9. There is an admincp.php?app=article&do=update CSRF vulnerability.
A CSRF issue was discovered in admin/Index/tiquan in catfish blog 2.0.33.
BPC SmartVista 2 has CSRF via SVFE2/pages/admpages/roles/createrole.jsf.
Multiple cross-site request forgery (CSRF) vulnerabilities in administrative pages in EMC ViPR SRM before 3.7 allow remote attackers to hijack the authentication of administrators.
xyhai.php?s=/Auth/addUser in XYHCMS 3.5 allows CSRF to add a background administrator account.
6kbbs 7.1 and 8.0 allows CSRF via portalchannel_ajax.php (id or code parameter) or admin.php (fileids parameter).
The photo-gallery plugin before 1.2.42 for WordPress has CSRF.
IBM StoredIQ 7.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 153118.
The wp-rollback plugin before 1.2.3 for WordPress has CSRF.
An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. CSRF can occur in the Test feature of the System Hooks component.
IBM Robotic Process Automation with Automation Anywhere 10.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 141622.
NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. A cross-site request forgery condition can occur, allowing an attacker to change passwords of the device remotely.
An issue was discovered in LAOBANCMS 2.0. admin/mima.php has CSRF.
The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12 and 1.24.x before 1.24.5 does not perform token comparison in constant time before returning, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8624.
An issue was discovered in Auth0 auth0-aspnet and auth0-aspnet-owin. Affected packages do not use or validate the state parameter of the OAuth 2.0 and OpenID Connect protocols. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations.
Samsung Syncthru Web Service V4.05.61 is vulnerable to CSRF on every request, as demonstrated by sws.application/printinformation/printReportSetupView.sws for a "Print emails sent" action.
ChemCMS v1.0.6 has CSRF by using public/admin/user/addpost.html to add an administrator account.
The erident-custom-login-and-dashboard plugin before 3.5 for WordPress has CSRF.
SeaCMS v6.61 allows Remote Code execution by placing PHP code in an allowed IP address (aka ip) to /admin/admin_ip.php (aka /adm1n/admin_ip.php). The code is executed by visiting adm1n/admin_ip.php or data/admin/ip.php. This can also be exploited through CSRF.
IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 11029.
School Attendance Monitoring System 1.0 has CSRF via event/controller.php?action=photos.
EmpireCMS 7.5 allows CSRF for adding a user account via an enews=AddUser action to e/admin/user/ListUser.php, a similar issue to CVE-2018-16339.
CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter.
A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks. The vulnerability is due to improper validation of Origin headers on HTTP requests within the management interface. An attacker could exploit this vulnerability by convincing a targeted user to follow a URL to a malicious website. An exploit could allow the attacker to take actions within the software with the privileges of the targeted user or gain access to sensitive information.
An issue was discovered in WeaselCMS v0.3.5. CSRF can update the website settings (such as the theme, title, and description) via index.php.
A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1.
Umbraco before 7.4.0 allows remote attackers to bypass anti-forgery security measures and conduct cross-site request forgery (CSRF) attacks as demonstrated by editing user account information in the templates.asmx.cs file.