| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A vulnerability has been identified in XHQ (All versions < V6.0.0.2). The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires user interaction by a legitimate user, who must be authenticated to the web interface. A successful attack could allow an attacker to trigger actions via the web interface that the legitimate user is allowed to perform. This could allow the attacker to read or modify contents of the web application. At the time of advisory publication no public exploitation of this security vulnerability was known. |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). Some parts of the web application are not protected against Cross Site Request Forgery (CSRF) attacks. The security vulnerability could be exploited by an attacker that is able to trigger requests of a logged-in user to the application. The vulnerability could allow switching the connectivity state of a user or a device. At the time of advisory publication no public exploitation of this security vulnerability was known. |
| An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted. |
| In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server. |
| D-Link DIR-655 C devices before 3.02B05 BETA03 allow CSRF for the entire management console. |
| An attacker could send a malicious link to an authenticated operator, which may allow remote attackers to perform actions with the permissions of the user on the Sunny WebBox Firmware Version 1.6 and prior. This device uses IP addresses to maintain communication after a successful login, which would increase the ease of exploitation. |
| In OSIsoft PI Web API and prior, the affected product is vulnerable to a direct attack due to a cross-site request forgery protection setting that has not taken effect. |
| One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows CSRF for logout requests. |
| In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account. |
| Dynacolor FCM-MB40 v1.2.0.0 devices have CSRF in all scripts under cgi-bin/. |
| The Voo branded NETGEAR CG3700b custom firmware V2.02.03 allows CSRF against all /goform/ URIs. An attacker can modify all settings including WEP/WPA/WPA2 keys, restore the router to factory settings, or even upload an entire malicious configuration file. |
| phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS |
| index.php/admin/permissions in Ignited CMS through 2017-02-19 allows CSRF to add an administrator. |
| admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF. |
| admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit parameter. This is exploitable via CSRF. |
| Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) did not implement any mechanism to avoid CSRF. Successful exploitation of this vulnerability can lead to the takeover of a local account on the device. |
| Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings. |
| Some Xerox printers (such as the Phaser 3320 V53.006.16.000) did not implement any mechanism to avoid CSRF attacks. Successful exploitation of this vulnerability can lead to the takeover of a local account on the device. |
| CSRF in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows an attacker to submit POST requests to any forms in the web application. This can be exploited by tricking an authenticated user into visiting an attacker controlled web page. |
| An issue was discovered in CyberPanel through 1.8.4. On the user edit page, an attacker can edit the administrator's e-mail and password because of the lack of CSRF protection. |
