The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2020-26507 | A CSV Injection (also known as Formula Injection) vulnerability in the Marmind web application with version 4.1.141.0 allows malicious users to gain remote control of other computers. By providing formula code in the “Notes” functionality in the main screen, an attacker can inject a payload into the “Description” field under the “Insert To-Do” option. Other users might download this data, for example a CSV file, and execute the malicious commands on their computer by opening the file using a software such as Microsoft Excel. The attacker could gain remote access to the user’s PC. | HIGH | Nov 5, 2020 |
CVE-2020-13826 | A CSV injection (aka Excel Macro Injection or Formula Injection) issue in i-doit 1.14.2 allows an attacker to execute arbitrary commands via a Title parameter that is mishandled in a CSV export. | MEDIUM | Aug 20, 2020 |
CVE-2019-7737 | A CSRF vulnerability was found in Verydows v2.0 that can add an admin account via index.php?m=backend&c=admin&a=add&step=submit. | MEDIUM | Feb 12, 2019 |
CVE-2019-7570 | A CSRF vulnerability was found in PbootCMS v1.3.6 that can delete users via an admin.php/User/del/ucode/ URI. | MEDIUM | Feb 7, 2019 |
CVE-2020-24739 | A CSRF vulnerability was found in iCMS v7.0.0 in the background deletion administrator account. When missing the CSRF_TOKEN and can still request normally, all administrators except the initial administrator will be deleted. | MEDIUM | Sep 10, 2020 |
CVE-2019-13961 | A CSRF vulnerability was found in flatCore before 1.5, leading to the upload of arbitrary .php files via acp/core/files.upload-script.php. | -- | Jul 19, 2019 |
CVE-2020-24271 | A CSRF vulnerability was discovered in EasyCMS v1.6 that can add an admin account through index.php?s=/admin/rbacuser/insert/navTabId/rbacuser/callbackType/closeCurrent, then post username=***&password=***. | MEDIUM | Feb 5, 2021 |
CVE-2019-12851 | A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49852. | MEDIUM | Jul 10, 2019 |
CVE-2020-24373 | A CSRF vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3. | MEDIUM | Sep 16, 2020 |
CVE-2020-8615 | A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors). | LOW | Feb 6, 2020 |
CVE-2018-15612 | A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1. | MEDIUM | Sep 21, 2018 |
CVE-2020-9454 | A CSRF vulnerability in the RegistrationMagic plugin through 4.6.0.3 for WordPress allows remote attackers to forge requests on behalf of a site administrator to change all settings for the plugin, including deleting users, creating new roles with escalated privileges, and allowing PHP file uploads via forms. | MEDIUM | Mar 7, 2020 |
CVE-2018-15193 | A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows remote attackers to execute admin operations via a crafted issue / link. | MEDIUM | Aug 7, 2018 |
CVE-2019-14327 | A CSRF vulnerability in Settings form in the Custom Simple Rss plugin 2.0.6 for WordPress allows attackers to change the plugin settings. | MEDIUM | Jul 31, 2019 |
CVE-2019-19013 | A CSRF vulnerability in Pagekit 1.0.17 allows an attacker to upload an arbitrary file by removing the CSRF token from a request. | MEDIUM | Nov 27, 2019 |
CVE-2017-5781 | A CSRF vulnerability in HPE Matrix Operating Environment version v7.6 was found. | MEDIUM | Feb 15, 2018 |
CVE-2020-18129 | A CSRF vulnerability in Eyoucms v1.2.7 allows an attacker to add an admin account via login.php. | MEDIUM | Oct 23, 2020 |
CVE-2016-8201 | A CSRF vulnerability in Brocade Virtual Traffic Manager versions released prior to and including 11.0 could allow an attacker to trick a logged-in user into making administrative changes on the traffic manager cluster. | MEDIUM | Jan 14, 2017 |
CVE-2019-10673 | A CSRF vulnerability in a logged-in user's profile edit form in the Ultimate Member plugin before 2.0.40 for WordPress allows attackers to become admin and subsequently extract sensitive information and execute arbitrary code. This occurs because the attacker can change the e-mail address in the administrator profile, and then the attacker is able to reset the administrator password using the WordPress "password forget" form. | HIGH | Apr 4, 2019 |
CVE-2019-19664 | A CSRF vulnerability exists in the Web Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server Web settings at RAPR/WebSettingsGeneralSet.html. | MEDIUM | Feb 10, 2020 |
CVE-2019-19660 | A CSRF vulnerability exists in the Web File Manager's Network Setting functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can manipulate the SMTP setting and other network settings via RAPR/NetworkSettingsSet.html. | MEDIUM | Feb 11, 2020 |
CVE-2019-19659 | A CSRF vulnerability exists in the Web File Manager's Edit Accounts functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can take over a user account by changing the password, update users' details, and escalate privileges via RAPR/DefineUsersSet.html. | MEDIUM | Feb 11, 2020 |
CVE-2019-19662 | A CSRF vulnerability exists in the Web File Manager's Create/Delete Accounts functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can create and delete accounts via RAPR/TriggerServerFunction.html. | MEDIUM | Feb 10, 2020 |
CVE-2019-19669 | A CSRF vulnerability exists in the Upload Center Forms Component of Web File Manager in Rumpus FTP 8.2.9.1. This could allow an attacker to delete, create, and update the upload forms via RAPR/TriggerServerFunction.html. | MEDIUM | Feb 11, 2020 |
CVE-2021-21731 | A CSRF vulnerability exists in the management page of a ZTE product. The vulnerability is caused because the management page does not fully verify whether the request comes from a trusted user. The attacker could submit a malicious request to the affected device to delete the data. This affects: ZXCLOUD iRAI, all versions up to KVM-ProductV6.03.04. | MEDIUM | Apr 13, 2021 |
CVE-2019-19665 | A CSRF vulnerability exists in the FTP Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server FTP settings at RAPR/FTPSettingsSet.html. | MEDIUM | Feb 11, 2020 |
CVE-2019-19663 | A CSRF vulnerability exists in the Folder Sets Settings of Web File Manager in Rumpus FTP 8.2.9.1. This allows an attacker to Create/Delete Folders after exploiting it at RAPR/FolderSetsSet.html. | MEDIUM | Feb 10, 2020 |
CVE-2019-19668 | A CSRF vulnerability exists in the File Types component of Web File Manager in Rumpus FTP 8.2.9.1 that allows an attacker to add or delete the file types that are used on the server via RAPR/TriggerServerFunction.html. | MEDIUM | Feb 11, 2020 |
CVE-2019-19666 | A CSRF vulnerability exists in the Event Notices Settings of Web File Manager in Rumpus FTP 8.2.9.1. An attacker can create/update event notices via RAPR/EventNoticesSet.html. | MEDIUM | Feb 11, 2020 |
CVE-2019-19667 | A CSRF vulnerability exists in the Block Clients component of Web File Manager in Rumpus FTP 8.2.9.1 that could allow an attacker to whitelist or block any IP address via RAPR/BlockedClients.html. | MEDIUM | Feb 11, 2020 |
CVE-2020-8167 | A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains. | MEDIUM | Jun 19, 2020 |
CVE-2019-16068 | A CSRF vulnerability exists in NETSAS ENIGMA NMS version 65.0.0 and prior that could allow an attacker to be able to trick a victim into submitting a malicious manage_files.cgi request. This can be triggered via XSS or an IFRAME tag included within the site. | MEDIUM | Mar 23, 2020 |
CVE-2018-12602 | A CSRF vulnerability exists in LFCMS 3.7.0: users can be added arbitrarily. | MEDIUM | Jun 25, 2018 |
CVE-2014-5288 | A CSRF Vulnerability exists in Kemp Load Master before 7.0-18a via unspecified vectors in administrative pages. | MEDIUM | Feb 11, 2020 |
CVE-2020-23342 | A CSRF vulnerability exists in Anchor CMS 0.12.7 anchor/views/users/edit.php that can change the Delete admin users. | MEDIUM | Jan 22, 2021 |
CVE-2022-27671 | A CSRF token visible in the URL may possibly lead to information disclosure vulnerability. | MEDIUM | Apr 12, 2022 |
CVE-2019-18376 | A CSRF token disclosure vulnerability allows a remote attacker, with access to an authenticated Management Center (MC) user's web browser history or a network device that intercepts/logs traffic to MC, to obtain CSRF tokens and use them to perform CSRF attacks against MC. | MEDIUM | Apr 10, 2020 |
CVE-2020-8461 | A CSRF protection bypass vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to get a victim's browser to send a specifically encoded request without requiring a valid CSRF token. | MEDIUM | Dec 17, 2020 |
CVE-2018-7308 | A CSRF issue was found in var/www/html/files.php in DanWin hosting through 2018-02-11 that allows arbitrary remote users to add/delete/modify any files in any hosting account. | MEDIUM | Feb 22, 2018 |
CVE-2013-0196 | A CSRF issue was found in OpenShift Enterprise 1.2. The web console is using 'Basic authentication' and the REST API has no CSRF attack protection mechanism. This can allow an attacker to obtain the credential and the Authorization: header when requesting the REST API via web browser. | MEDIUM | Jan 8, 2020 |
CVE-2011-3609 | A CSRF issue was found in JBoss Application Server 7 before 7.1.0. JBoss did not properly restrict access to the management console information (for example via the Access-Control-Allow-Origin HTTP access control flag). This can lead to unauthorized information leak if a user with admin privileges visits a specially-crafted web page provided by a remote attacker. | MEDIUM | Nov 26, 2019 |
CVE-2018-11445 | A CSRF issue was discovered on the User Add/System Settings Page (system-settings-user-new2.php) in EasyService Billing 1.0. A User can be added with the Admin role. | MEDIUM | May 25, 2018 |
CVE-2019-19995 | A CSRF issue was discovered on Intelbras IWR 3000N 1.8.7 devices, leading to complete control of the router, as demonstrated by v1/system/user. | HIGH | Dec 26, 2019 |
CVE-2019-11416 | A CSRF issue was discovered on Intelbras IWR 3000N 1.5.0 devices, leading to complete control of the router, as demonstrated by v1/system/user. | HIGH | May 6, 2019 |
CVE-2017-6081 | A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid session cookie. | MEDIUM | Mar 13, 2017 |
CVE-2019-14703 | A CSRF issue was discovered in webparam?user&action=set&param=add in HTTPD on MicroDigital N-series cameras with firmware through 6400.0.8.5 to create an admin account. | MEDIUM | Aug 13, 2019 |
CVE-2018-20595 | A CSRF issue was discovered in web/authorization/oauth2/controller/OAuth2ClientController.java in hsweb 3.0.4 because the state parameter in the request is not compared with the state parameter in the session after user authentication is successful. | MEDIUM | Dec 30, 2018 |
CVE-2018-18742 | A CSRF issue was discovered in SEMCMS 3.4 via the admin/SEMCMS_User.php?Class=add&CF=user URI. | MEDIUM | Oct 29, 2018 |
CVE-2018-13407 | A CSRF issue was discovered in Jirafeau before 3.4.1. The delete file feature on the admin panel is not protected against automated requests and could be abused. | MEDIUM | Jul 6, 2018 |
CVE-2020-26516 | A CSRF issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. Requests sent to the server that trigger actions do not contain a CSRF token and can therefore be entirely predicted, allowing attackers to cause the victim's browser to execute undesired actions in the web application through crafted requests. | MEDIUM | Jun 8, 2021 |