Search Results (9437 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2017-1000085 2 Jenkins, Redhat 2 Subversion, Openshift 2025-04-20 N/A
Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks.
CVE-2015-0276 1 Kallithea-scm 1 Kallithea 2025-04-20 N/A
Cross-site request forgery (CSRF) vulnerability in Kallithea before 0.2.
CVE-2017-1000069 1 Oauth2 Proxy Project 1 Oauth2 Proxy 2025-04-20 N/A
CSRF in Bitly oauth2_proxy 2.1 during authentication flow
CVE-2017-1000008 1 Chyrp-lite Project 1 Chyrp Lite 2025-04-20 N/A
Chyrp Lite version 2016.04 is vulnerable to a CSRF in the user settings function allowing attackers to hijack the authentication of logged in users to modify account information, including their password.
CVE-2017-1000090 1 Jenkins 1 Role-based Authorization Strategy 2025-04-20 N/A
Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins.
CVE-2017-6002 1 Intelliants 1 Subrion Cms 2025-04-20 N/A
Subrion CMS 4.0.5.10 has CSRF in admin/blog/add/. The attacker can add any blog entry, and can optionally insert XSS into that entry via the body parameter.
CVE-2017-6038 1 Belden Hirschmann 2 Gecko Lite Managed Switch, Gecko Lite Managed Switch Firmware 2025-04-20 N/A
A Cross-Site Request Forgery issue was discovered in Belden Hirschmann GECKO Lite Managed switch, Version 2.0.00 and prior versions. The web application does not sufficiently verify that requests were provided by the user who submitted the request.
CVE-2017-6042 1 Sierra Wireless 4 Airlink Raven Xe, Airlink Raven Xe Firmware, Airlink Raven Xt and 1 more 2025-04-20 N/A
A Cross-Site Request Forgery issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Affected devices do not verify if a request was intentionally sent by the logged-in user, which may allow an attacker to trick a client into making an unintentional request to the web server that will be treated as an authentic request.
CVE-2017-6634 1 Cisco 5 Ie-1000-4p2s-lm, Ie-1000-4t1t-lm, Ie-1000-6t2t-lm and 2 more 2025-04-20 N/A
A vulnerability in the Device Manager web interface of Cisco Industrial Ethernet 1000 Series Switches 1.3 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of an affected system. The vulnerability is due to insufficient CSRF protection by the Device Manager web interface. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link or visit an attacker-controlled website. A successful exploit could allow the attacker to submit arbitrary requests to an affected device via the Device Manager web interface and with the privileges of the user. Cisco Bug IDs: CSCvc88811.
CVE-2017-6659 1 Cisco 1 Prime Collaboration Assurance 2025-04-20 N/A
A vulnerability in the web-based management interface of Cisco Prime Collaboration Assurance could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. More Information: CSCvc91800. Known Affected Releases: 11.5(0) 11.6.
CVE-2017-7447 1 Helpdezk 1 Helpdezk 2025-04-20 N/A
HelpDEZk 1.1.1 has CSRF in admin/home#/logos/ with an impact of remote execution of arbitrary PHP code.
CVE-2017-6756 1 Cisco 1 Prime Collaboration Provisioning 2025-04-20 N/A
A vulnerability in the Web UI Application of the Cisco Prime Collaboration Provisioning Tool through 12.2 could allow an unauthenticated, remote attacker to execute unwanted actions. The vulnerability is due to a lack of defense against cross-site request forgery (CSRF) attacks. An attacker could exploit this vulnerability by forcing the user's browser to perform any action authorized for that user. Cisco Bug IDs: CSCvc90280.
CVE-2017-6803 1 Solarwinds 1 Ftp Voyager 2025-04-20 N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface in the Scheduler in SolarWinds (formerly Serv-U) FTP Voyager 16.2.0 allow remote attackers to hijack the authentication of users for requests that (1) change the admin password, (2) terminate the scheduler, or (3) possibly execute arbitrary commands via crafted requests to Admin/XML/Result.xml.
CVE-2017-6819 1 Wordpress 1 Wordpress 2025-04-20 N/A
In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This.
CVE-2017-7446 1 Helpdezk 1 Helpdezk 2025-04-20 N/A
HelpDEZk 1.1.1 has CSRF in admin/home#/person/ with an impact of obtaining admin privileges.
CVE-2017-7398 2 D-link, Dlink 2 Dir-615 Firmware, Dir-615 2025-04-20 N/A
D-Link DIR-615 HW: T1 FW:20.09 is vulnerable to Cross-Site Request Forgery (CSRF) vulnerability. This enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated, as demonstrated by changing the Security option from WPA2 to None, or changing the hiddenSSID parameter, SSID parameter, or a security-option password.
CVE-2017-7404 1 Dlink 1 Dir-615 2025-04-20 8.8 High
On the D-Link DIR-615 before v20.12PTb04, if a victim logged in to the Router's Web Interface visits a malicious site from another Browser tab, the malicious site then can send requests to the victim's Router without knowing the credentials (CSRF). An attacker can host a page that sends a POST request to Form2File.htm that tries to upload Firmware to victim's Router. This causes the router to reboot/crash resulting in Denial of Service. An attacker may succeed in uploading malicious Firmware.
CVE-2017-7423 1 Microfocus 2 Enterprise Developer, Enterprise Server 2025-04-20 N/A
A Cross-Site Request Forgery (CWE-352) vulnerability in esfadmingui in Micro Focus Enterprise Developer and Enterprise Server 2.3, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9 allows remote unauthenticated attackers to forge requests, if this component is configured. This includes creating new privileged credentials, resulting in privilege elevation (CWE-275). Note esfadmingui is not enabled by default.
CVE-2017-7431 2 Netiq, Novell 2 Imanager, Imanager 2025-04-20 N/A
Novell iManager 2.7.x before 2.7 SP7 Patch 10 HF1 and NetIQ iManager 3.x before 3.0.3.1 have persistent CSRF in object management.
CVE-2017-7556 1 Hawt 1 Hawtio 2025-04-20 N/A
Hawtio versions up to and including 1.5.3 are vulnerable to CSRF vulnerability allowing remote attackers to trick the user to visit their website containing a malicious script which can be submitted to hawtio server on behalf of the user.