Total: 7170 CVE

CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2017-11350 | 1 Axesstel | 2 Mu553s, Mu553s Firmware | 2024-11-21 | N/A | Cross-Site Request Forgery (CSRF) exists in cgi-bin/ConfigSet on Axesstel MU553S MU55XS-V1.14 devices. |
CVE-2017-11196 | 1 Pulsesecure | 1 Pulse Connect Secure | 2024-11-21 | N/A | Pulse Connect Secure 8.3R1 has CSRF in logout.cgi. The logout function of the admin panel is not protected by any CSRF tokens, thus allowing an attacker to log out a user by making them visit a malicious web page. |
CVE-2017-11193 | 1 Pulsesecure | 1 Pulse Connect Secure | 2024-11-21 | N/A | Pulse Connect Secure 8.3R1 has CSRF in diag.cgi. In the panel, the diag.cgi file is responsible for running commands such as ping, ping6, traceroute, traceroute6, nslookup, arp, and Portprobe. These functions do not have any protections against CSRF. That can allow an attacker to run these commands against any IP if they can get an admin to visit their malicious CSRF page. |
CVE-2017-10961 | 1 Vanderbilt | 1 Redcap | 2024-11-21 | N/A | REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components. |
CVE-2017-10681 | 1 Piwigo | 1 Piwigo | 2024-11-21 | N/A | Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to unlock albums via a crafted request. |
CVE-2017-10680 | 1 Piwigo | 1 Piwigo | 2024-11-21 | N/A | Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to change a private album to public via a crafted request. |
CVE-2017-10678 | 1 Piwigo | 1 Piwigo | 2024-11-21 | N/A | Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to delete permalinks via a crafted request. |
CVE-2017-10677 | 1 Linksys | 2 Ea4500, Ea4500 Firmware | 2024-11-21 | N/A | Cross-Site Request Forgery (CSRF) exists on Linksys EA4500 devices with Firmware Version before 2.1.41.164606, as demonstrated by a request to apply.cgi to disable SIP. |
CVE-2017-1000504 | 1 Jenkins | 1 Jenkins | 2024-11-21 | N/A | A race condition during startup of Jenkins 2.94 and earlier, and 2.89.1 and earlier, could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective. |
CVE-2017-1000499 | 1 Phpmyadmin | 1 Phpmyadmin | 2024-11-21 | N/A | phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a CSRF weakness. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables, etc. |
CVE-2017-1000479 | 2 Netgate, Opnsense Project | 2 Pfsense, Opnsense | 2024-11-21 | N/A | pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page, resulting in privileged execution of arbitrary code, because the error detection occurs before an X-Frame-Options header is set. This is fixed in 2.4.2-RELEASE. OPNsense, a 2015 fork of pfSense, has not been vulnerable since version 16.1.16, released on June 06, 2016. The unprotected web form was removed from the code during an internal security audit under "possibly insecure" suspicions. |
CVE-2017-1000432 | 1 Vanillaforums | 1 Vanilla Forums | 2024-11-21 | N/A | Vanilla Forums below 2.1.5 are affected by a CSRF vulnerability that leads to the deletion of forum topics and comments using an administrator's access. |
CVE-2017-1000356 | 1 Jenkins | 1 Jenkins | 2024-11-21 | N/A | Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts. |
CVE-2017-1000244 | 1 Jenkins | 1 Favorite | 2024-11-21 | N/A | Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF, resulting in data modification. |
CVE-2017-1000224 | 1 Embedplus | 1 Youtube | 2024-11-21 | N/A | CSRF in YouTube (WordPress plugin) could allow an unauthenticated attacker to change any setting within the plugin. |
CVE-2017-1000147 | 1 Mahara | 1 Mahara | 2024-11-21 | N/A | Mahara 1.9 before 1.9.8, 1.10 before 1.10.6, and 15.04 before 15.04.3 are vulnerable to a cross-site request forgery (CSRF) attack on the uploader contained in Mahara's filebrowser widget. This could allow an attacker to trick a Mahara user into unknowingly uploading malicious files into their Mahara account. |
CVE-2017-1000093 | 1 Jenkins | 1 Poll Scm | 2024-11-21 | N/A | Poll SCM Plugin was not requiring requests to its API to be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action, as it is similar to cache invalidation, the plugin specifically adds a permission to be able to use this functionality, and this issue undermines that permission. |
CVE-2017-1000092 | 2 Jenkins, Redhat | 2 Git, Openshift | 2024-11-21 | N/A | Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL, which would result in the Jenkins Git client sending the username and password to an attacker-controlled server. |
CVE-2017-1000091 | 1 Jenkins | 1 Github Branch Source | 2024-11-21 | N/A | GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. GitHub Enterprise) as part of form validation and completion (e.g. to verify Scan Credentials are correct). This functionality improperly checked permissions, allowing any user with Overall/Read access to Jenkins to connect to any web server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests to be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery. |
CVE-2017-1000090 | 1 Jenkins | 1 Role-based Authorization Strategy | 2024-11-21 | N/A | Role-based Authorization Strategy Plugin was not requiring requests to its API to be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add the administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins. |