| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The wp-customer-reviews plugin before 3.0.9 for WordPress has CSRF in the admin tools. |
| The wp-editor plugin before 1.2.6 for WordPress has CSRF. |
| The simple-membership plugin before 3.3.3 for WordPress has multiple CSRF issues. |
| The simple-add-pages-or-posts plugin before 1.7 for WordPress has CSRF for deleting users. |
| The google-document-embedder plugin before 2.6.2 for WordPress has CSRF. |
| The wp-database-backup plugin before 4.3.1 for WordPress has CSRF. |
| The wp-database-backup plugin before 4.3.3 for WordPress has CSRF. |
| The Lightbox Plus Colorbox plugin through 2.7.2 for WordPress has cross-site request forgery (CSRF) via wp-admin/admin.php?page=lightboxplus, as demonstrated by resultant width XSS. |
| Edimax Wi-Fi Extender devices allow goform/formwlencryptvxd CSRF with resultant PSK key disclosure. |
| Neet AirStream NAS1.1 devices have a password of ifconfig for the root account. This cannot be changed via the configuration page. |
| Neet AirStream NAS1.1 devices allow CSRF attacks that cause the settings binary to change the AP name and password. |
| cPanel before 55.9999.141 allows account-suspension bypass via ftp (SEC-105). |
| cPanel before 55.9999.141 allows attackers to bypass a Security Policy by faking static documents (SEC-92). |
| edx-platform before 2016-06-06 allows CSRF. |
| In Redaxo 5.2.0, the cron management of the admin panel suffers from CSRF that leads to arbitrary Remote Code Execution via addons/cronjob/lib/types/phpcode.php. |
| Kliqqi 3.0.0.5 allows CSRF with resultant Arbitrary File Upload because module.php?module=upload can be used to configure the uploading of .php files, and then modules/upload/upload_main.php can be used for the upload itself. |
| Zenbership v107 has CSRF via admin/cp-functions/event-add.php. |
| Droppy versions <3.5.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under his control and delete others. |
| rails_admin ruby gem <v1.1.1 is vulnerable to cross-site request forgery (CSRF) attacks. Non-GET methods were not validating CSRF tokens and, as a result, an attacker could hypothetically gain access to the application administrative endpoints exposed by the gem. |
| Cross-site request forgery (CSRF) vulnerability in IBM TRIRIGA Application Platform 3.3, 3.3.1, 3.3.2, and 3.4 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. IBM X-Force ID: 111813. |
