Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Showing a subset of the 153943 entries.
ID | Description | Priority | Modified date
CVE-2020-26507 | A CSV Injection (also known as Formula Injection) vulnerability in the Marmind web application with version 4.1.141.0 allows malicious users to gain remote control of other computers. By providing formula code in the "Notes" functionality in the main screen, an attacker can inject a payload into the "Description" field under the "Insert To-Do" option. Other users might download this data, for example a CSV file, and execute the malicious commands on their computer by opening the file using a software such as Microsoft Excel. The attacker could gain remote access to the user's PC. | HIGH | Nov 5, 2020
CVE-2020-13826 | A CSV injection (aka Excel Macro Injection or Formula Injection) issue in i-doit 1.14.2 allows an attacker to execute arbitrary commands via a Title parameter that is mishandled in a CSV export. | MEDIUM | Aug 20, 2020
CVE-2019-7737 | A CSRF vulnerability was found in Verydows v2.0 that can add an admin account via index.php?m=backend&c=admin&a=add&step=submit. | MEDIUM | Feb 12, 2019
CVE-2019-7570 | A CSRF vulnerability was found in PbootCMS v1.3.6 that can delete users via an admin.php/User/del/ucode/ URI. | MEDIUM | Feb 7, 2019
CVE-2020-24739 | A CSRF vulnerability was found in iCMS v7.0.0 in the background deletion administrator account. When missing the CSRF_TOKEN and can still request normally, all administrators except the initial administrator will be deleted. | MEDIUM | Sep 10, 2020
CVE-2019-13961 | A CSRF vulnerability was found in flatCore before 1.5, leading to the upload of arbitrary .php files via acp/core/files.upload-script.php. | -- | Jul 19, 2019
CVE-2020-24271 | A CSRF vulnerability was discovered in EasyCMS v1.6 that can add an admin account through index.php?s=/admin/rbacuser/insert/navTabId/rbacuser/callbackType/closeCurrent, then post username=***&password=***. | MEDIUM | Feb 5, 2021
CVE-2019-12851 | A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49852. | MEDIUM | Jul 10, 2019
CVE-2020-24373 | A CSRF vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3. | MEDIUM | Sep 16, 2020
CVE-2020-8615 | A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors). | LOW | Feb 6, 2020
CVE-2018-15612 | A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1. | MEDIUM | Sep 21, 2018
CVE-2020-9454 | A CSRF vulnerability in the RegistrationMagic plugin through 4.6.0.3 for WordPress allows remote attackers to forge requests on behalf of a site administrator to change all settings for the plugin, including deleting users, creating new roles with escalated privileges, and allowing PHP file uploads via forms. | MEDIUM | Mar 7, 2020
CVE-2018-15193 | A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows remote attackers to execute admin operations via a crafted issue / link. | MEDIUM | Aug 7, 2018
CVE-2019-14327 | A CSRF vulnerability in Settings form in the Custom Simple Rss plugin 2.0.6 for WordPress allows attackers to change the plugin settings. | MEDIUM | Jul 31, 2019
CVE-2019-19013 | A CSRF vulnerability in Pagekit 1.0.17 allows an attacker to upload an arbitrary file by removing the CSRF token from a request. | MEDIUM | Nov 27, 2019
CVE-2017-5781 | A CSRF vulnerability in HPE Matrix Operating Environment version v7.6 was found. | MEDIUM | Feb 15, 2018
CVE-2020-18129 | A CSRF vulnerability in Eyoucms v1.2.7 allows an attacker to add an admin account via login.php. | MEDIUM | Oct 23, 2020
CVE-2016-8201 | A CSRF vulnerability in Brocade Virtual Traffic Manager versions released prior to and including 11.0 could allow an attacker to trick a logged-in user into making administrative changes on the traffic manager cluster. | MEDIUM | Jan 14, 2017
CVE-2019-10673 | A CSRF vulnerability in a logged-in user's profile edit form in the Ultimate Member plugin before 2.0.40 for WordPress allows attackers to become admin and subsequently extract sensitive information and execute arbitrary code. This occurs because the attacker can change the e-mail address in the administrator profile, and then the attacker is able to reset the administrator password using the WordPress "password forget" form. | HIGH | Apr 4, 2019
CVE-2019-19664 | A CSRF vulnerability exists in the Web Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server Web settings at RAPR/WebSettingsGeneralSet.html. | MEDIUM | Feb 10, 2020
CVE-2019-19660 | A CSRF vulnerability exists in the Web File Manager's Network Setting functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can manipulate the SMTP setting and other network settings via RAPR/NetworkSettingsSet.html. | MEDIUM | Feb 11, 2020
CVE-2019-19659 | A CSRF vulnerability exists in the Web File Manager's Edit Accounts functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can take over a user account by changing the password, update users' details, and escalate privileges via RAPR/DefineUsersSet.html. | MEDIUM | Feb 11, 2020
CVE-2019-19662 | A CSRF vulnerability exists in the Web File Manager's Create/Delete Accounts functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can Create and Delete accounts via RAPR/TriggerServerFunction.html. | MEDIUM | Feb 10, 2020
CVE-2019-19669 | A CSRF vulnerability exists in the Upload Center Forms Component of Web File Manager in Rumpus FTP 8.2.9.1. This could allow an attacker to delete, create, and update the upload forms via RAPR/TriggerServerFunction.html. | MEDIUM | Feb 11, 2020
CVE-2021-21731 | A CSRF vulnerability exists in the management page of a ZTE product. The vulnerability is caused because the management page does not fully verify whether the request comes from a trusted user. The attacker could submit a malicious request to the affected device to delete the data. This affects: ZXCLOUD iRAI, all versions up to KVM-ProductV6.03.04. | MEDIUM | Apr 13, 2021
CVE-2019-19665 | A CSRF vulnerability exists in the FTP Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server FTP settings at RAPR/FTPSettingsSet.html. | MEDIUM | Feb 11, 2020
CVE-2019-19663 | A CSRF vulnerability exists in the Folder Sets Settings of Web File Manager in Rumpus FTP 8.2.9.1. This allows an attacker to Create/Delete Folders after exploiting it at RAPR/FolderSetsSet.html. | MEDIUM | Feb 10, 2020
CVE-2019-19668 | A CSRF vulnerability exists in the File Types component of Web File Manager in Rumpus FTP 8.2.9.1 that allows an attacker to add or delete the file types that are used on the server via RAPR/TriggerServerFunction.html. | MEDIUM | Feb 11, 2020
CVE-2019-19666 | A CSRF vulnerability exists in the Event Notices Settings of Web File Manager in Rumpus FTP 8.2.9.1. An attacker can create/update event notices via RAPR/EventNoticesSet.html. | MEDIUM | Feb 11, 2020
CVE-2019-19667 | A CSRF vulnerability exists in the Block Clients component of Web File Manager in Rumpus FTP 8.2.9.1 that could allow an attacker to whitelist or block any IP address via RAPR/BlockedClients.html. | MEDIUM | Feb 11, 2020
CVE-2020-8167 | A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains. | MEDIUM | Jun 19, 2020
CVE-2019-16068 | A CSRF vulnerability exists in NETSAS ENIGMA NMS version 65.0.0 and prior that could allow an attacker to be able to trick a victim into submitting a malicious manage_files.cgi request. This can be triggered via XSS or an IFRAME tag included within the site. | MEDIUM | Mar 23, 2020
CVE-2018-12602 | A CSRF vulnerability exists in LFCMS 3.7.0: users can be added arbitrarily. | MEDIUM | Jun 25, 2018
CVE-2014-5288 | A CSRF vulnerability exists in Kemp Load Master before 7.0-18a via unspecified vectors in administrative pages. | MEDIUM | Feb 11, 2020
CVE-2020-23342 | A CSRF vulnerability exists in Anchor CMS 0.12.7 anchor/views/users/edit.php that can change the Delete admin users. | MEDIUM | Jan 22, 2021
CVE-2022-27671 | A CSRF token visible in the URL may possibly lead to information disclosure vulnerability. | MEDIUM | Apr 12, 2022
CVE-2019-18376 | A CSRF token disclosure vulnerability allows a remote attacker, with access to an authenticated Management Center (MC) user's web browser history or a network device that intercepts/logs traffic to MC, to obtain CSRF tokens and use them to perform CSRF attacks against MC. | MEDIUM | Apr 10, 2020
CVE-2020-8461 | A CSRF protection bypass vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to get a victim's browser to send a specifically encoded request without requiring a valid CSRF token. | MEDIUM | Dec 17, 2020
CVE-2018-7308 | A CSRF issue was found in var/www/html/files.php in DanWin hosting through 2018-02-11 that allows arbitrary remote users to add/delete/modify any files in any hosting account. | MEDIUM | Feb 22, 2018
CVE-2013-0196 | A CSRF issue was found in OpenShift Enterprise 1.2. The web console is using 'Basic authentication' and the REST API has no CSRF attack protection mechanism. This can allow an attacker to obtain the credential and the Authorization: header when requesting the REST API via web browser. | MEDIUM | Jan 8, 2020
CVE-2011-3609 | A CSRF issue was found in JBoss Application Server 7 before 7.1.0. JBoss did not properly restrict access to the management console information (for example via the Access-Control-Allow-Origin HTTP access control flag). This can lead to unauthorized information leak if a user with admin privileges visits a specially-crafted web page provided by a remote attacker. | MEDIUM | Nov 26, 2019
CVE-2018-11445 | A CSRF issue was discovered on the User Add/System Settings Page (system-settings-user-new2.php) in EasyService Billing 1.0. A User can be added with the Admin role. | MEDIUM | May 25, 2018
CVE-2019-19995 | A CSRF issue was discovered on Intelbras IWR 3000N 1.8.7 devices, leading to complete control of the router, as demonstrated by v1/system/user. | HIGH | Dec 26, 2019
CVE-2019-11416 | A CSRF issue was discovered on Intelbras IWR 3000N 1.5.0 devices, leading to complete control of the router, as demonstrated by v1/system/user. | HIGH | May 6, 2019
CVE-2017-6081 | A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid session cookie. | MEDIUM | Mar 13, 2017
CVE-2019-14703 | A CSRF issue was discovered in webparam?user&action=set&param=add in HTTPD on MicroDigital N-series cameras with firmware through 6400.0.8.5 to create an admin account. | MEDIUM | Aug 13, 2019
CVE-2018-20595 | A CSRF issue was discovered in web/authorization/oauth2/controller/OAuth2ClientController.java in hsweb 3.0.4 because the state parameter in the request is not compared with the state parameter in the session after user authentication is successful. | MEDIUM | Dec 30, 2018
CVE-2018-18742 | A CSRF issue was discovered in SEMCMS 3.4 via the admin/SEMCMS_User.php?Class=add&CF=user URI. | MEDIUM | Oct 29, 2018
CVE-2018-13407 | A CSRF issue was discovered in Jirafeau before 3.4.1. The delete file feature on the admin panel is not protected against automated requests and could be abused. | MEDIUM | Jul 6, 2018
CVE-2020-26516 | A CSRF issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. Requests sent to the server that trigger actions do not contain a CSRF token and can therefore be entirely predicted, allowing attackers to cause the victim's browser to execute undesired actions in the web application through crafted requests. | MEDIUM | Jun 8, 2021
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version.

Requires LTSS: customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.