Search Results (10348 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2017-5492 1 Wordpress 1 Wordpress 2025-04-20 N/A
Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.
CVE-2017-5528 1 Tibco 3 Jasperreports Server, Jaspersoft, Jaspersoft Reporting And Analytics 2025-04-20 8.8 High
Multiple JasperReports Server components contain vulnerabilities which may allow authorized users to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. The impact of this vulnerability includes the theoretical disclosure of sensitive information. Affects TIBCO JasperReports Server (versions 6.1.1 and below, 6.2.0, 6.2.1, and 6.3.0), TIBCO JasperReports Server Community Edition (versions 6.3.0 and below), TIBCO JasperReports Server for ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS with Multi-Tenancy (versions 6.2.0 and below), and TIBCO Jaspersoft Reporting and Analytics for AWS (versions 6.2.0 and below).
CVE-2017-5633 2 D-link, Dlink 2 Di-524 Firmware, Di-524 2025-04-20 N/A
Multiple cross-site request forgery (CSRF) vulnerabilities on the D-Link DI-524 Wireless Router with firmware 9.01 allow remote attackers to (1) change the admin password, (2) reboot the device, or (3) possibly have unspecified other impact via crafted requests to CGI programs.
CVE-2017-6328 1 Symantec 1 Message Gateway 2025-04-20 N/A
The Symantec Messaging Gateway before 10.6.3-267 can encounter an issue of cross site request forgery (also known as one-click attack and is abbreviated as CSRF or XSRF), which is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. A CSRF attack attempts to exploit the trust that a specific website has in a user's browser.
CVE-2017-6366 1 Netgear 5 Dgn2200 Firmware, Dgn2200v1, Dgn2200v2 and 2 more 2025-04-20 N/A
Cross-site request forgery (CSRF) vulnerability in NETGEAR DGN2200 routers with firmware 10.0.0.20 through 10.0.0.50 allows remote attackers to hijack the authentication of users for requests that perform DNS lookups via the host_name parameter to dnslookup.cgi. NOTE: this issue can be combined with CVE-2017-6334 to execute arbitrary code remotely.
CVE-2017-6379 1 Drupal 1 Drupal 2025-04-20 N/A
Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.
CVE-2017-6411 1 Dlink 2 Dsl-2730u, Dsl-2730u Firmware 2025-04-20 N/A
Cross Site Request Forgery (CSRF) on D-Link DSL-2730U C1 IN_1.00 devices allows remote attackers to change the DNS or firewall configuration or any password.
CVE-2017-7177 1 Openinfosecfoundation 1 Suricata 2025-04-20 N/A
Suricata before 3.2.1 has an IPv4 defragmentation evasion issue caused by lack of a check for the IP protocol during fragment matching.
CVE-2017-7178 2 Debian, Deluge-torrent 2 Debian Linux, Deluge 2025-04-20 8.8 High
CSRF was discovered in the web UI in Deluge before 1.3.14. The exploitation methodology involves (1) hosting a crafted plugin that executes an arbitrary program from its __init__.py file and (2) causing the victim to download, install, and enable this plugin.
CVE-2017-7851 2 D-link, Dlink 2 Dcs-936l, Dcs-936l 2025-04-20 N/A
D-Link DCS-936L devices with firmware before 1.05.07 have an inadequate CSRF protection mechanism that requires the device's IP address to be a substring of the HTTP Referer header.
CVE-2017-7852 1 Dlink 52 Dcs-2132l, Dcs-2132l Firmware, Dcs-2136l and 49 more 2025-04-20 8.8 High
D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because of the 'allow-access-from domain' child element set to *, thus accepting requests from any domain. If a victim logged into the camera's web console visits a malicious site hosting a malicious Flash file from another Browser tab, the malicious Flash file then can send requests to the victim's DCS series Camera without knowing the credentials. An attacker can host a malicious Flash file that can retrieve Live Feeds or information from the victim's DCS series Camera, add new admin users, or make other changes to the device. Known affected devices are DCS-933L with firmware before 1.13.05, DCS-5030L, DCS-5020L, DCS-2530L, DCS-2630L, DCS-930L, DCS-932L, and DCS-932LB1.
CVE-2017-7877 1 Flatcore 1 Flatcore-cms 2025-04-20 N/A
CSRF vulnerability in flatCore version 1.4.6 allows remote attackers to modify CMS configurations.
CVE-2017-7881 1 Bigtreecms 1 Bigtree Cms 2025-04-20 N/A
BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header. This was found in core/admin/modules/developer/_header.php and patched in core/inc/bigtree/admin.php on 2017-04-14.
CVE-2017-7917 1 Moxa 12 Oncell 5004-hspa, Oncell 5004-hspa Firmware, Oncell 5104-hsdpa and 9 more 2025-04-20 N/A
A Cross-Site Request Forgery issue was discovered in Moxa OnCell G3110-HSPA Version 1.3 build 15082117 and previous versions, OnCell G3110-HSDPA Version 1.2 Build 09123015 and previous versions, OnCell G3150-HSDPA Version 1.4 Build 11051315 and previous versions, OnCell 5104-HSDPA, OnCell 5104-HSPA, and OnCell 5004-HSPA. The application does not sufficiently verify if a request was intentionally provided by the user who submitted the request, which could allow an attacker to modify the configuration of the device.
CVE-2017-7951 1 Wondercms 1 Wondercms 2025-04-20 N/A
WonderCMS before 2.0.3 has CSRF because of lack of a token in an unspecified context.
CVE-2017-7926 1 Osisoft 1 Pi Web Api 2025-04-20 N/A
A Cross-Site Request Forgery issue was discovered in OSIsoft PI Web API versions prior to 2017 (1.9.0). The vulnerability allows cross-site request forgery (CSRF) attacks to occur when an otherwise-unauthorized cross-site request is sent from a browser the server has previously authenticated.
CVE-2017-7969 1 Schneider-electric 3 Citect Anywhere, Powerscada Anywhere, Powerscada Expert 2025-04-20 N/A
A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type of attack requires some level of social engineering in order to get a legitimate user to click on or access a malicious link/site containing the CSRF attack.
CVE-2017-9365 1 Bigtreecms 1 Bigtree Cms 2025-04-20 N/A
CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/pages/revisions/1/?force=false. A page with id=1 can be unlocked.
CVE-2017-9379 1 Bigtreecms 1 Bigtree Cms 2025-04-20 N/A
Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-statistics\404\clear.php and the from or to parameter to core\admin\modules\dashboard\vitals-statistics\404\create-301.php.
CVE-2017-9413 1 Subsonic 1 Subsonic 2025-04-20 N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in the Podcast feature in Subsonic 6.1.1 allow remote attackers to hijack the authentication of users for requests that (1) subscribe to a podcast via the add parameter to podcastReceiverAdmin.view or (2) update Internet Radio Settings via the urlRedirectCustomUrl parameter to networkSettings.view. NOTE: These vulnerabilities can be exploited to conduct server-side request forgery (SSRF) attacks.