Total
7769 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-0647 | 1 Asus | 2 Wl-330nul, Wl-330nul Firmware | 2024-11-21 | N/A |
| Cross-site request forgery (CSRF) vulnerability in WL-330NUL Firmware version prior to 3.0.0.46 allows remote attackers to hijack the authentication of administrators via unspecified vectors. | ||||
| CVE-2018-0520 | 1 Fsi | 2 Fs010w, Fs010w Firmware | 2024-11-21 | N/A |
| Cross-site request forgery (CSRF) vulnerability in FS010W firmware FS010W_00_V1.3.0 and earlier allows an attacker to hijack the authentication of administrators via unspecified vectors. | ||||
| CVE-2018-0509 | 1 Kkcald Project | 1 Kkcald | 2024-11-21 | N/A |
| Cross-site request forgery (CSRF) vulnerability in epg search result viewer (kkcald) 0.7.21 and earlier allows an attacker to hijack the authentication of administrators via unspecified vectors. | ||||
| CVE-2017-9963 | 1 Schneider-electric | 1 Powerscada Anywhere | 2024-11-21 | N/A |
| A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type of attack requires some level of social engineering in order to get a legitimate user to click on or access a malicious link/site containing the CSRF attack. | ||||
| CVE-2017-9641 | 1 Osisoft | 1 Pi Coresight | 2024-11-21 | N/A |
| PI Coresight 2016 R2 contains a cross-site request forgery vulnerability that may allow access to the PI system. OSIsoft recommends that users upgrade to PI Vision 2017 or greater to mitigate this vulnerability. | ||||
| CVE-2017-9414 | 1 Subsonic | 1 Subsonic | 2024-11-21 | N/A |
| Cross-site request forgery (CSRF) vulnerability in the Subscribe to Podcast feature in Subsonic 6.1.1 allows remote attackers to hijack the authentication of unspecified victims for requests that conduct cross-site scripting (XSS) attacks or possibly have unspecified other impact via the name parameter to playerSettings.view. | ||||
| CVE-2017-9381 | 1 Getvera | 4 Veraedge, Veraedge Firmware, Veralite and 1 more | 2024-11-21 | N/A |
| An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a user with the capability of installing or deleting apps on the device using the web management interface. It seems that the device does not implement any cross-site request forgery protection mechanism which allows an attacker to trick a user who navigates to an attacker controlled page to install or delete an application on the device. Note: The cross-site request forgery is a systemic issue across all other functionalities of the device. | ||||
| CVE-2017-8407 | 1 Dlink | 2 Dcs-1130, Dcs-1130 Firmware | 2024-11-21 | 8.8 High |
| An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does not implement any cross-site request forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface to change the user's password. | ||||
| CVE-2017-8406 | 1 Dlink | 2 Dcs-1130, Dcs-1130 Firmware | 2024-11-21 | 8.8 High |
| An issue was discovered on D-Link DCS-1130 devices. The device provides a crossdomain.xml file with no restrictions on who can access the webserver. This allows an hosted flash file on any domain to make calls to the device's webserver and pull any information that is stored on the device. In this case, user's credentials are stored in clear text on the device and can be pulled easily. It also seems that the device does not implement any cross-site scripting forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface into executing a cross-site flashing attack on the user's browser and execute any action on the device provided by the web management interface which steals the credentials from tools_admin.cgi file's response and displays it inside a Textfield. | ||||
| CVE-2017-8334 | 1 Securifi | 6 Almond, Almond\+, Almond\+firmware and 3 more | 2024-11-21 | N/A |
| An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of blocking IP addresses using the web management interface. It seems that the device does not implement any cross-site scripting forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface into executing a cross-site scripting payload on the user's browser and execute any action on the device provided by the web management interface. | ||||
| CVE-2017-8328 | 1 Securifi | 6 Almond, Almond\+, Almond\+firmware and 3 more | 2024-11-21 | N/A |
| An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does not implement any cross site request forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface to change a user's password. Also this is a systemic issue. | ||||
| CVE-2017-7906 | 1 Abb | 2 Ip Gateway, Ip Gateway Firmware | 2024-11-21 | N/A |
| In ABB IP GATEWAY 3.39 and prior, the web server does not sufficiently verify that a request was performed by the authenticated user, which may allow an attacker to launch a request impersonating that user. | ||||
| CVE-2017-7641 | 1 Qnap | 2 Media Streaming Add-on, Qts | 2024-11-21 | N/A |
| QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2.0, and earlier does not utilize CSRF protections. | ||||
| CVE-2017-7635 | 1 Qnap | 1 Nas Proxy Server | 2024-11-21 | N/A |
| QNAP NAS application Proxy Server through version 1.2.0 does not utilize CSRF protections. | ||||
| CVE-2017-5796 | 1 Hp | 10 J9623a, J9623a Firmware, J9624a and 7 more | 2024-11-21 | N/A |
| A Remote Cross Site Request Forgery (CSRF) vulnerability in HPE 2620 Series Network Switches version RA.15.05.0006 was found. | ||||
| CVE-2017-5781 | 1 Hp | 1 Matrix Operating Environment | 2024-11-21 | N/A |
| A CSRF vulnerability in HPE Matrix Operating Environment version v7.6 was found. | ||||
| CVE-2017-5394 | 2 Google, Mozilla | 2 Android, Firefox | 2024-11-21 | N/A |
| A location bar spoofing attack where the location bar of loaded page will be shown over the content of another tab due to a series of JavaScript events combined with fullscreen mode. Note: This issue only affects Firefox for Android. Other operating systems are not affected. This vulnerability affects Firefox < 51. | ||||
| CVE-2017-4951 | 1 Vmware | 1 Airwatch | 2024-11-21 | N/A |
| VMware AirWatch Console (9.2.x before 9.2.2 and 9.1.x before 9.1.5) contains a Cross Site Request Forgery vulnerability when accessing the App Catalog. An attacker may exploit this issue by tricking users into installing a malicious application on their devices. | ||||
| CVE-2017-3965 | 1 Mcafee | 1 Network Security Manager | 2024-11-21 | N/A |
| Cross-Site Request Forgery (CSRF) (aka Session Riding) vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows remote attackers to perform unauthorized tasks such as retrieving internal system information or manipulating the database via specially crafted URLs. | ||||
| CVE-2017-3187 | 1 Dotcms | 1 Dotcms | 2024-11-21 | N/A |
| The dotCMS administration panel, versions 3.7.1 and earlier, are vulnerable to cross-site request forgery. The dotCMS administrator panel contains a cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. An unauthenticated remote attacker may perform actions with the dotCMS administrator panel with the same permissions of a victim user or execute arbitrary system commands with the permissions of the user running the dotCMS application. | ||||