Search Results (9425 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2017-9518 1 Atmail 1 Atmail 2025-04-20 N/A
atmail before 7.8.0.2 has CSRF, allowing an attacker to change the SMTP hostname and hijack all emails.
CVE-2017-9033 1 Trendmicro 1 Serverprotect 2025-04-20 8.8 High
Cross-site request forgery (CSRF) vulnerability in Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows remote attackers to hijack the authentication of users for requests to start an update from an arbitrary source via a crafted request to SProtectLinux/scanoption_set.cgi, related to the lack of anti-CSRF tokens.
CVE-2017-8930 1 Simpleinvoices 1 Simple Invoices 2025-04-20 N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in Simple Invoices 2013.1.beta.8 allow remote attackers to hijack the authentication of admins for requests that can (1) create new administrator user accounts and take over the entire application, (2) create regular user accounts, or (3) change configuration parameters such as tax rates and the enable/disable status of PayPal payment modules.
CVE-2017-8928 1 Mailcow 1 Mailcow\ 2025-04-20 8.8 High
mailcow 0.14, as used in "mailcow: dockerized" and other products, has CSRF.
CVE-2017-8875 1 Codection 1 Clean Login 2025-04-20 N/A
CSRF in the Clean Login plugin before 1.8 for WordPress allows remote attackers to change the login redirect URL or logout redirect URL.
CVE-2017-8874 1 Acquia 1 Mautic 2025-04-20 N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in Mautic 1.4.1 allow remote attackers to hijack the authentication of users for requests that (1) delete email campaigns or (2) delete contacts.
CVE-2017-8848 1 Allen Disk Project 1 Allen Disk 2025-04-20 N/A
Allen Disk 1.6 has CSRF in setpass.php with an impact of changing a password.
CVE-2017-8836 1 Peplink 12 1350hw2 Firmware, 2500 Firmware, 380hw6 Firmware and 9 more 2025-04-20 N/A
CSRF exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The CGI scripts in the administrative interface are affected. This allows an attacker to execute commands, if a logged in user visits a malicious website. This can for example be used to change the credentials of the administrative webinterface.
CVE-2017-7881 1 Bigtreecms 1 Bigtree Cms 2025-04-20 N/A
BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header. This was found in core/admin/modules/developer/_header.php and patched in core/inc/bigtree/admin.php on 2017-04-14.
CVE-2017-7877 1 Flatcore 1 Flatcore-cms 2025-04-20 N/A
CSRF vulnerability in flatCore version 1.4.6 allows remote attackers to modify CMS configurations.
CVE-2017-7852 1 Dlink 52 Dcs-2132l, Dcs-2132l Firmware, Dcs-2136l and 49 more 2025-04-20 8.8 High
D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because of the 'allow-access-from domain' child element set to *, thus accepting requests from any domain. If a victim logged into the camera's web console visits a malicious site hosting a malicious Flash file from another Browser tab, the malicious Flash file then can send requests to the victim's DCS series Camera without knowing the credentials. An attacker can host a malicious Flash file that can retrieve Live Feeds or information from the victim's DCS series Camera, add new admin users, or make other changes to the device. Known affected devices are DCS-933L with firmware before 1.13.05, DCS-5030L, DCS-5020L, DCS-2530L, DCS-2630L, DCS-930L, DCS-932L, and DCS-932LB1.
CVE-2017-7851 2 D-link, Dlink 2 Dcs-936l, Dcs-936l 2025-04-20 N/A
D-Link DCS-936L devices with firmware before 1.05.07 have an inadequate CSRF protection mechanism that requires the device's IP address to be a substring of the HTTP Referer header.
CVE-2017-7666 1 Apache 1 Openmeetings 2025-04-20 N/A
Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks.
CVE-2017-7662 1 Apache 1 Cxf Fediz 2025-04-20 N/A
Apache CXF Fediz ships with an OpenId Connect (OIDC) service which has a Client Registration Service, which is a simple web application that allows clients to be created, deleted, etc. A CSRF (Cross Style Request Forgery) style vulnerability has been found in this web application in Apache CXF Fediz prior to 1.4.0 and 1.3.2, meaning that a malicious web application could create new clients, or reset secrets, etc, after the admin user has logged on to the client registration service and the session is still active.
CVE-2017-7661 1 Apache 1 Cxf Fediz 2025-04-20 N/A
Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Style Request Forgery) style vulnerability has been found in the Spring 2, Spring 3, Jetty 8 and Jetty 9 plugins in Apache CXF Fediz prior to 1.4.0, 1.3.2 and 1.2.4.
CVE-2017-6918 1 Bigtreecms 1 Bigtree Cms 2025-04-20 N/A
CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to the admin/settings/update/ page. The Navigation Social can be changed.
CVE-2017-6917 1 Bigtreecms 1 Bigtree Cms 2025-04-20 N/A
CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page. The Colophon can be changed.
CVE-2017-6916 1 Bigtreecms 1 Bigtree Cms 2025-04-20 N/A
CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to the admin/settings/update/ page. The Navigation Social can be changed.
CVE-2017-6915 1 Bigtreecms 1 Bigtree Cms 2025-04-20 N/A
CSRF exists in BigTree CMS 4.1.18 with the colophon parameter to the admin/settings/update/ page. The Colophon can be changed.
CVE-2017-6914 1 Bigtreecms 1 Bigtree Cms 2025-04-20 N/A
CSRF exists in BigTree CMS 4.1.18 and 4.2.16 with the id parameter to the admin/ajax/users/delete/ page. A user can be deleted.