Total
7523 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1000669 | 1 Koha | 1 Koha | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Request Forgery (CSRF) vulnerability in /cgi-bin/koha/members/paycollect.pl Parameters affected: borrowernumber, amount, amountoutstanding, paid that can result in Attackers can mark payments as paid for certain users on behalf of Administrators. This attack appear to be exploitable via The victim must be socially engineered into clicking a link, usually via email. This vulnerability appears to have been fixed in 17.11. | |||||
| CVE-2018-1000514 | 1 Limesurvey | 1 Limesurvey | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Boxes that can result in CSRF admins to delete boxes. This vulnerability appears to have been fixed in 3.6.x. | |||||
| CVE-2018-1000507 | 1 Jjj | 1 Wp User Groups | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| WP User Groups version 2.0.0 contains a Cross ite Request Forgery (CSRF) vulnerability in Settings page that can result in allows anybody to modify user groups and types. This attack appear to be exploitable via Admin must click on link. This vulnerability appears to have been fixed in 2.1.1. | |||||
| CVE-2018-1000506 | 1 Mediaron | 1 Metronet Tag Manager | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Metronet Tag Manager version 1.2.7 contains a Cross ite Request Forgery (CSRF) vulnerability in Settings page /wp-admin/options-general.php?page=metronet-tag-manager that can result in allows anybody to do almost anything an admin can. This attack appear to be exploitable via Logged in user must follow a link. This vulnerability appears to have been fixed in 1.2.9. | |||||
| CVE-2018-1000505 | 1 Tooltipy | 1 Tooltipy | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Tooltipy (tooltips for WP) version 5 contains a Cross ite Request Forgery (CSRF) vulnerability in Settings page that can result in could allow anybody to duplicate posts. This attack appear to be exploitable via Admin must follow a link. This vulnerability appears to have been fixed in 5.1. | |||||
| CVE-2018-1000417 | 1 Jenkins | 1 Email Extension Template | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
| A cross-site request forgery vulnerability exists in Jenkins Email Extension Template Plugin 1.0 and earlier in ExtEmailTemplateManagement.java that allows creating or removing templates. | |||||
| CVE-2018-1000414 | 1 Jenkins | 1 Config File Provider | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
| A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java, FolderConfigFileAction.java that allows creating and editing configuration file definitions. | |||||
| CVE-2018-1000411 | 1 Jenkins | 1 Junit | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result. | |||||
| CVE-2018-1000206 | 1 Jfrog | 1 Artifactory | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| JFrog Artifactory version since 5.11 contains a Cross ite Request Forgery (CSRF) vulnerability in UI rest endpoints that can result in Classic CSRF attack allowing an attacker to perform actions as logged in user. This attack appear to be exploitable via The victim must run maliciously crafted flash component. This vulnerability appears to have been fixed in 6.1. | |||||
| CVE-2018-1000195 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not. | |||||
| CVE-2018-1000153 | 1 Jenkins | 1 Vsphere | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or send credentials stored in Jenkins with known ID to an attacker-specified server ("test connection"). | |||||
| CVE-2018-1000137 | 1 I-librarian | 1 I Librarian | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| I, Librarian version 4.8 and earlier contains a Cross site Request Forgery (CSRF) vulnerability in users.php that can result in the password of the admin being forced to be changed without the administrator's knowledge. | |||||
| CVE-2018-1000093 | 1 Cryptonote | 1 Cryptonote | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| CryptoNote version version 0.8.9 and possibly later contain a local RPC server which does not require authentication, as a result the walletd and the simplewallet RPC daemons will process any commands sent to them, resulting in remote command execution and a takeover of the cryptocurrency wallet if an attacker can trick an application such as a web browser into connecting and sending a command for example. This attack appears to be exploitable via a victim visiting a webpage hosting malicious content that trigger such behavior. | |||||
| CVE-2018-1000092 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| CMS Made Simple version versions 2.2.5 contains a Cross ite Request Forgery (CSRF) vulnerability in Admin profile page that can result in Details can be found here http://dev.cmsmadesimple.org/bug/view/11715. This attack appear to be exploitable via A specially crafted web page. This vulnerability appears to have been fixed in 2.2.6. | |||||
| CVE-2018-1000086 | 1 Npr | 1 Pym.js | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a Cross ite Request Forgery (CSRF) vulnerability in Pym.js _onNavigateToMessage function. https://github.com/nprapps/pym.js/blob/master/src/pym.js#L573 that can result in Arbitrary javascript code execution. This attack appear to be exploitable via Attacker gains full javascript access to pages with Pym.js embeds when user visits an attacker crafted page.. This vulnerability appears to have been fixed in versions 1.3.2 and later. | |||||
| CVE-2018-1000082 | 1 Ajenti | 1 Ajenti | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Ajenti version version 2 contains a Cross ite Request Forgery (CSRF) vulnerability in the command execution panel of the tool used to manage the server. that can result in Code execution on the server . This attack appear to be exploitable via Being a CSRF, victim interaction is needed, when the victim access the infected trigger of the CSRF any code that match the victim privledges on the server can be executed.. | |||||
| CVE-2018-1000053 | 1 Limesurvey | 1 Limesurvey | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Theme Uninstallation that can result in CSRF causing LimeSurvey admins to delete all their themes, rendering the website unusable. This attack appear to be exploitable via Simple HTML markup can be used to send a GET request to the affected endpoint. | |||||
| CVE-2018-1000014 | 1 Jenkins | 1 Translation Assistance | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins administrator. | |||||
| CVE-2018-1000013 | 1 Jenkins | 1 Release | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds. | |||||
| CVE-2018-0785 | 1 Microsoft | 1 Asp.net Core | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| ASP.NET Core 1.0. 1.1, and 2.0 allow a cross site request forgery vulnerability due to the ASP.NET Core project templates, aka "ASP.NET Core Cross Site Request Forgery Vulnerability". | |||||