The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2019-7570 | A CSRF vulnerability was found in PbootCMS v1.3.6 that can delete users via an admin.php/User/del/ucode/ URI. | MEDIUM | Feb 7, 2019 |
CVE-2020-24739 | A CSRF vulnerability was found in iCMS v7.0.0 in the background deletion of administrator accounts. When the CSRF_TOKEN is missing, the request is still processed normally, and all administrators except the initial administrator will be deleted. | MEDIUM | Sep 10, 2020 |
CVE-2019-13961 | A CSRF vulnerability was found in flatCore before 1.5, leading to the upload of arbitrary .php files via acp/core/files.upload-script.php. | -- | Jul 19, 2019 |
CVE-2020-24271 | A CSRF vulnerability was discovered in EasyCMS v1.6 that can add an admin account through index.php?s=/admin/rbacuser/insert/navTabId/rbacuser/callbackType/closeCurrent, then post username=***&password=***. | MEDIUM | Feb 5, 2021 |
CVE-2019-12851 | A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49852. | MEDIUM | Jul 10, 2019 |
CVE-2020-24373 | A CSRF vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3. | MEDIUM | Sep 16, 2020 |
CVE-2020-8615 | A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors). | LOW | Feb 6, 2020 |
CVE-2018-15612 | A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1. | MEDIUM | Sep 21, 2018 |
CVE-2020-9454 | A CSRF vulnerability in the RegistrationMagic plugin through 4.6.0.3 for WordPress allows remote attackers to forge requests on behalf of a site administrator to change all settings for the plugin, including deleting users, creating new roles with escalated privileges, and allowing PHP file uploads via forms. | MEDIUM | Mar 7, 2020 |
CVE-2025-25748 | A CSRF vulnerability in the gestione_utenti.php endpoint of HotelDruid 3.0.7 allows attackers to perform unauthorized actions (e.g., modifying user passwords) on behalf of authenticated users by exploiting the lack of origin or referrer validation and the absence of CSRF tokens. NOTE: this is disputed because there is an id_sessione CSRF token. | -- | Mar 11, 2025 |
CVE-2018-15193 | A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows remote attackers to execute admin operations via a crafted issue / link. | MEDIUM | Aug 7, 2018 |
CVE-2022-38329 | A CSRF vulnerability in Shopxian CMS 3.0.0 could allow an unauthenticated, remote attacker to craft a malicious link, potentially causing the administrator to perform unintended actions on an affected system. The vulnerability could allow attackers to modify or delete specific content through crafted requests, potentially leading to data loss and system integrity issues. | -- | Sep 17, 2022 |
CVE-2019-14327 | A CSRF vulnerability in Settings form in the Custom Simple Rss plugin 2.0.6 for WordPress allows attackers to change the plugin settings. | MEDIUM | Jul 31, 2019 |
CVE-2019-19013 | A CSRF vulnerability in Pagekit 1.0.17 allows an attacker to upload an arbitrary file by removing the CSRF token from a request. | MEDIUM | Nov 27, 2019 |
CVE-2017-5781 | A CSRF vulnerability in HPE Matrix Operating Environment version v7.6 was found. | MEDIUM | Feb 15, 2018 |
CVE-2020-18129 | A CSRF vulnerability in Eyoucms v1.2.7 allows an attacker to add an admin account via login.php. | MEDIUM | Oct 23, 2020 |
CVE-2025-29722 | A CSRF vulnerability in Commercify v1.0 allows remote attackers to perform unauthorized actions on behalf of authenticated users. The issue exists due to missing CSRF protection on sensitive endpoints. | -- | Apr 17, 2025 |
CVE-2016-8201 | A CSRF vulnerability in Brocade Virtual Traffic Manager versions released prior to and including 11.0 could allow an attacker to trick a logged-in user into making administrative changes on the traffic manager cluster. | MEDIUM | Jan 14, 2017 |
CVE-2019-10673 | A CSRF vulnerability in a logged-in user's profile edit form in the Ultimate Member plugin before 2.0.40 for WordPress allows attackers to become admin and subsequently extract sensitive information and execute arbitrary code. This occurs because the attacker can change the e-mail address in the administrator profile, and then the attacker is able to reset the administrator password using the WordPress "password forget" form. | HIGH | Apr 4, 2019 |
CVE-2023-7045 | A CSRF vulnerability exists within GitLab CE/EE from versions 13.11 before 16.10.6, from 16.11 before 16.11.3, from 17.0 before 17.0.1. By leveraging this vulnerability, an attacker could exfiltrate anti-CSRF tokens via the Kubernetes Agent Server (KAS). | -- | May 24, 2024 |
CVE-2019-19664 | A CSRF vulnerability exists in the Web Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server Web settings at RAPR/WebSettingsGeneralSet.html. | MEDIUM | Feb 10, 2020 |
CVE-2019-19660 | A CSRF vulnerability exists in the Web File Manager's Network Setting functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can manipulate the SMTP setting and other network settings via RAPR/NetworkSettingsSet.html. | MEDIUM | Feb 11, 2020 |
CVE-2019-19659 | A CSRF vulnerability exists in the Web File Manager's Edit Accounts functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can take over a user account by changing the password, update users' details, and escalate privileges via RAPR/DefineUsersSet.html. | MEDIUM | Feb 11, 2020 |
CVE-2019-19662 | A CSRF vulnerability exists in the Web File Manager's Create/Delete Accounts functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can Create and Delete accounts via RAPR/TriggerServerFunction.html. | MEDIUM | Feb 10, 2020 |
CVE-2019-19669 | A CSRF vulnerability exists in the Upload Center Forms Component of Web File Manager in Rumpus FTP 8.2.9.1. This could allow an attacker to delete, create, and update the upload forms via RAPR/TriggerServerFunction.html. | MEDIUM | Feb 11, 2020 |
CVE-2021-21731 | A CSRF vulnerability exists in the management page of a ZTE product. The vulnerability is caused because the management page does not fully verify whether the request comes from a trusted user. The attacker could submit a malicious request to the affected device to delete the data. This affects: ZXCLOUD iRAI, all versions up to KVM-ProductV6.03.04. | MEDIUM | Apr 13, 2021 |
CVE-2019-19665 | A CSRF vulnerability exists in the FTP Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server FTP settings at RAPR/FTPSettingsSet.html. | MEDIUM | Feb 11, 2020 |
CVE-2019-19663 | A CSRF vulnerability exists in the Folder Sets Settings of Web File Manager in Rumpus FTP 8.2.9.1. This allows an attacker to Create/Delete Folders after exploiting it at RAPR/FolderSetsSet.html. | MEDIUM | Feb 10, 2020 |
CVE-2019-19668 | A CSRF vulnerability exists in the File Types component of Web File Manager in Rumpus FTP 8.2.9.1 that allows an attacker to add or delete the file types that are used on the server via RAPR/TriggerServerFunction.html. | MEDIUM | Feb 11, 2020 |
CVE-2019-19666 | A CSRF vulnerability exists in the Event Notices Settings of Web File Manager in Rumpus FTP 8.2.9.1. An attacker can create/update event notices via RAPR/EventNoticesSet.html. | MEDIUM | Feb 11, 2020 |
CVE-2019-19667 | A CSRF vulnerability exists in the Block Clients component of Web File Manager in Rumpus FTP 8.2.9.1 that could allow an attacker to whitelist or block any IP address via RAPR/BlockedClients.html. | MEDIUM | Feb 11, 2020 |
CVE-2020-8167 | A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains. | MEDIUM | Jun 19, 2020 |
CVE-2019-16068 | A CSRF vulnerability exists in NETSAS ENIGMA NMS version 65.0.0 and prior that could allow an attacker to be able to trick a victim into submitting a malicious manage_files.cgi request. This can be triggered via XSS or an IFRAME tag included within the site. | MEDIUM | Mar 23, 2020 |
CVE-2018-12602 | A CSRF vulnerability exists in LFCMS 3.7.0: users can be added arbitrarily. | MEDIUM | Jun 25, 2018 |
CVE-2014-5288 | A CSRF Vulnerability exists in Kemp Load Master before 7.0-18a via unspecified vectors in administrative pages. | MEDIUM | Feb 11, 2020 |
CVE-2024-10481 | A CSRF vulnerability exists in comfyanonymous/comfyui versions up to v0.2.2. This vulnerability allows attackers to host malicious websites that, when visited by authenticated ComfyUI users, can perform arbitrary API requests on behalf of the user. This can be exploited to perform actions such as uploading arbitrary files via the `/upload/image` endpoint. The lack of CSRF protections on API endpoints like `/upload/image`, `/prompt`, and `/history` leaves users vulnerable to unauthorized actions, which could be combined with other vulnerabilities such as stored-XSS to further compromise user sessions. | -- | Mar 20, 2025 |
CVE-2020-23342 | A CSRF vulnerability exists in Anchor CMS 0.12.7 anchor/views/users/edit.php that can change the Delete admin users. | MEDIUM | Jan 22, 2021 |
CVE-2022-48309 | A CSRF vulnerability allows malicious websites to retrieve logs and technical support archives in Sophos Connect versions older than 2.2.90. | -- | Mar 1, 2023 |
CVE-2022-27671 | A CSRF token visible in the URL may possibly lead to information disclosure vulnerability. | MEDIUM | Apr 12, 2022 |
CVE-2019-18376 | A CSRF token disclosure vulnerability allows a remote attacker, with access to an authenticated Management Center (MC) user's web browser history or a network device that intercepts/logs traffic to MC, to obtain CSRF tokens and use them to perform CSRF attacks against MC. | MEDIUM | Apr 10, 2020 |
CVE-2020-8461 | A CSRF protection bypass vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to get a victim's browser to send a specifically encoded request without requiring a valid CSRF token. | MEDIUM | Dec 17, 2020 |
CVE-2018-7308 | A CSRF issue was found in var/www/html/files.php in DanWin hosting through 2018-02-11 that allows arbitrary remote users to add/delete/modify any files in any hosting account. | MEDIUM | Feb 22, 2018 |
CVE-2013-0196 | A CSRF issue was found in OpenShift Enterprise 1.2. The web console is using 'Basic authentication' and the REST API has no CSRF attack protection mechanism. This can allow an attacker to obtain the credential and the Authorization: header when requesting the REST API via web browser. | MEDIUM | Jan 8, 2020 |
CVE-2011-3609 | A CSRF issue was found in JBoss Application Server 7 before 7.1.0. JBoss did not properly restrict access to the management console information (for example via the Access-Control-Allow-Origin HTTP access control flag). This can lead to unauthorized information leak if a user with admin privileges visits a specially-crafted web page provided by a remote attacker. | MEDIUM | Nov 26, 2019 |
CVE-2018-11445 | A CSRF issue was discovered on the User Add/System Settings Page (system-settings-user-new2.php) in EasyService Billing 1.0. A User can be added with the Admin role. | MEDIUM | May 25, 2018 |
CVE-2019-19995 | A CSRF issue was discovered on Intelbras IWR 3000N 1.8.7 devices, leading to complete control of the router, as demonstrated by v1/system/user. | HIGH | Dec 26, 2019 |
CVE-2019-11416 | A CSRF issue was discovered on Intelbras IWR 3000N 1.5.0 devices, leading to complete control of the router, as demonstrated by v1/system/user. | HIGH | May 6, 2019 |
CVE-2017-6081 | A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid session cookie. | MEDIUM | Mar 13, 2017 |
CVE-2019-14703 | A CSRF issue was discovered in webparam?user&action=set&param=add in HTTPD on MicroDigital N-series cameras with firmware through 6400.0.8.5 to create an admin account. | MEDIUM | Aug 13, 2019 |
CVE-2018-20595 | A CSRF issue was discovered in web/authorization/oauth2/controller/OAuth2ClientController.java in hsweb 3.0.4 because the state parameter in the request is not compared with the state parameter in the session after user authentication is successful. | MEDIUM | Dec 30, 2018 |