CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2019(CSRF)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-1010112 352 CSRF 2019-07-18 2019-07-22
6.8
None Remote Medium Not required Partial Partial Partial
OECMS v4.3.R60321 and v4.3 later is affected by: Cross Site Request Forgery (CSRF). The impact is: The victim clicks on adding an administrator account. The component is: admincp.php. The attack vector is: network connectivity. The fixed version is: v4.3.
2 CVE-2019-1010096 352 CSRF 2019-07-18 2019-10-30
6.8
None Remote Medium Not required Partial Partial Partial
DomainMOD v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can change the read-only user to admin. The component is: admin/users/edit.php?uid=2. The attack vector is: After the administrator logged in, open the html page.
3 CVE-2019-1010095 352 CSRF 2019-07-18 2019-10-30
6.8
None Remote Medium Not required Partial Partial Partial
DomainMOD v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can add the administrator account. The component is: admin/users/add.php. The attack vector is: After the administrator logged in, open the html page.
4 CVE-2019-1010094 352 CSRF 2019-07-18 2019-07-19
6.8
None Remote Medium Not required Partial Partial Partial
domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can change admin password. The component is: http://127.0.0.1/settings/password/ http://127.0.0.1/admin/users/add.php http://127.0.0.1/admin/users/edit.php?uid=2. The attack vector is: After the administrator logged in, open the html page.
5 CVE-2019-1010054 352 CSRF 2019-07-18 2019-07-19
6.8
None Remote Medium Not required Partial Partial Partial
Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malitious html to change user password, disable users and disable password encryptation. The component is: Function User password change, user disable and password encryptation. The attack vector is: admin access malitious urls.
6 CVE-2019-1003098 352 CSRF 2019-04-04 2020-06-23
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.
7 CVE-2019-1003092 352 CSRF 2019-04-04 2020-06-23
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
8 CVE-2019-1003090 352 CSRF 2019-04-04 2020-06-23
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.
9 CVE-2019-1003086 352 CSRF 2019-04-04 2020-06-23
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
10 CVE-2019-1003084 352 CSRF 2019-04-04 2020-06-23
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
11 CVE-2019-1003082 352 CSRF 2019-04-04 2020-06-23
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
12 CVE-2019-1003080 352 CSRF 2019-04-04 2020-06-23
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers to initiate a connection to an attacker-specified server.
13 CVE-2019-1003078 352 CSRF 2019-04-04 2020-06-23
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
14 CVE-2019-1003076 352 CSRF 2019-04-04 2020-06-23
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
15 CVE-2019-1003058 352 CSRF 2019-04-04 2020-06-23
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers to initiate a connection to an attacker-specified server.
16 CVE-2019-1003046 352 CSRF 2019-03-28 2020-06-23
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier allows attackers to initiate a connection to an attacker-specified server.
17 CVE-2019-1003044 352 CSRF 2019-03-28 2020-06-23
2.1
None Remote High ??? Partial None None
A cross-site request forgery vulnerability in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
18 CVE-2019-1003012 352 Bypass CSRF 2019-02-06 2019-10-09
4.3
None Remote Medium Not required None Partial None
A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API.
19 CVE-2019-1003010 352 CSRF 2019-02-06 2019-04-26
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.
20 CVE-2019-1003008 352 Exec Code CSRF 2019-02-06 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery vulnerability exists in Jenkins Warnings Next Generation Plugin 2.1.1 and earlier in src/main/java/io/jenkins/plugins/analysis/warnings/groovy/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint.
21 CVE-2019-1003007 352 Exec Code CSRF 2019-02-06 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery vulnerability exists in Jenkins Warnings Plugin 5.0.0 and earlier in src/main/java/hudson/plugins/warnings/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint.
22 CVE-2019-1000022 352 CSRF 2019-02-04 2019-02-20
6.8
None Remote Medium Not required Partial Partial Partial
Taoensso Sente version Prior to version 1.14.0 contains a Cross Site Request Forgery (CSRF) vulnerability in WebSocket handshake endpoint that can result in CSRF attack, possible leak of anti-CSRF token. This attack appears to be exploitable via malicious request against WebSocket handshake endpoint. This vulnerability appears to have been fixed in 1.14.0 and later.
23 CVE-2019-1000003 352 CSRF 2019-02-04 2019-02-15
6.8
None Remote Medium Not required Partial Partial Partial
MapSVG MapSVG Lite version 3.2.3 contains a Cross Site Request Forgery (CSRF) vulnerability in REST endpoint /wp-admin/admin-ajax.php?action=mapsvg_save that can result in an attacker can modify post data, including embedding javascript. This attack appears to be exploitable via the victim must be logged in to WordPress as an admin, and click a link. This vulnerability appears to have been fixed in 3.3.0 and later.
24 CVE-2019-20071 352 CSRF 2019-12-30 2020-01-02
5.8
None Remote Medium Not required None Partial Partial
On Netis DL4323 devices, CSRF exists via form2logaction.cgi to delete all logs.
25 CVE-2019-19995 352 CSRF 2019-12-26 2020-01-15
9.3
None Remote Medium Not required Complete Complete Complete
A CSRF issue was discovered on Intelbras IWR 3000N 1.8.7 devices, leading to complete control of the router, as demonstrated by v1/system/user.
26 CVE-2019-19981 352 CSRF 2019-12-26 2020-08-24
4.3
None Remote Medium Not required None Partial None
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed for CSRF to be exploited on all plugin settings.
27 CVE-2019-19979 352 XSS CSRF 2019-12-26 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
A flaw in the WordPress plugin, WP Maintenance before 5.0.6, allowed attackers to enable a vulnerable site's maintenance mode and inject malicious code affecting site visitors. There was CSRF with resultant XSS.
28 CVE-2019-19915 352 XSS CSRF 2019-12-19 2020-08-24
6.0
None Remote Medium ??? Partial Partial Partial
The "301 Redirects - Easy Redirect Manager" plugin before 2.45 for WordPress allows users (with subscriber or greater access) to modify, delete, or inject redirect rules, and exploit XSS, with the /admin-ajax.php?action=eps_redirect_save and /admin-ajax.php?action=eps_redirect_delete actions. This could result in a loss of site availability, malicious redirects, and user infections. This could also be exploited via CSRF.
29 CVE-2019-19833 352 CSRF 2019-12-18 2020-01-16
4.3
None Remote Medium Not required None None Partial
In Tautulli 2.1.9, CSRF in the /shutdown URI allows an attacker to shut down the remote media server. (Also, anonymous access can be achieved in applications that do not have a user login area).
30 CVE-2019-19832 352 CSRF 2019-12-18 2019-12-23
6.8
None Remote Medium Not required Partial Partial Partial
Xerox AltaLink C8035 printers allow CSRF. A request to add users is made in the Device User Database form field to the xerox.set URI. (The frmUserName value must have a unique name.)
31 CVE-2019-19737 352 CSRF 2019-12-30 2020-01-07
6.8
None Remote Medium Not required Partial Partial Partial
MFScripts YetiShare 3.5.2 through 4.5.3 does not set the SameSite flag on session cookies, allowing the cookie to be sent in cross-site requests and potentially be used in cross-site request forgery attacks.
32 CVE-2019-19685 352 CSRF 2019-12-09 2019-12-17
6.8
None Remote Medium Not required Partial Partial Partial
RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF because GET requests can be used for renames and deletions.
33 CVE-2019-19516 352 CSRF 2019-12-02 2019-12-13
4.3
None Remote Medium Not required None Partial None
Intelbras WRN 150 1.0.18 devices allow CSRF via GO=system_password.asp to the goform/SysToolChangePwd URI to change a password.
34 CVE-2019-19469 352 CSRF 2019-12-01 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
In Zmanda Management Console 3.3.9, ZMC_Admin_Advanced?form=adminTasks&action=Apply&command= allows CSRF, as demonstrated by command injection with shell metacharacters. This may depend on weak default credentials.
35 CVE-2019-19375 352 CSRF 2019-11-28 2020-08-24
4.3
None Remote Medium Not required Partial None None
In Octopus Deploy before 2019.10.7, in a configuration where SSL offloading is enabled, the CSRF cookie was sometimes sent without the secure attribute. (The fix for this was backported to LTS versions 2019.6.14 and 2019.9.8.)
36 CVE-2019-19013 352 CSRF 2019-11-22 2019-11-27
6.8
None Remote Medium Not required Partial Partial Partial
A CSRF vulnerability in Pagekit 1.0.17 allows an attacker to upload an arbitrary file by removing the CSRF token from a request.
37 CVE-2019-18884 352 CSRF 2019-11-13 2019-11-19
6.8
None Remote Medium Not required Partial Partial Partial
index.php/team_members/add_team_member in RISE Ultimate Project Manager 2.3 has CSRF for adding authorized users.
38 CVE-2019-18651 352 Exec Code CSRF 2019-11-14 2019-11-20
5.8
None Remote Medium Not required None Partial Partial
A cross-site request forgery (CSRF) vulnerability in 3xLogic Infinias Access Control through 6.6.9586.0 allows remote attackers to execute malicious and unauthorized actions (e.g., delete application users) by sending a crafted HTML document or encoded URL to a user that the website trusts. The user needs to have an active privileged session.
39 CVE-2019-18650 352 CSRF 2019-11-06 2019-11-06
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Joomla! before 3.9.13. A missing token check in com_template causes a CSRF vulnerability.
40 CVE-2019-18414 352 CSRF 2019-10-24 2019-10-28
6.8
None Remote Medium Not required Partial Partial Partial
Sourcecodester Restaurant Management System 1.0 is affected by an admin/staff-exec.php Cross Site Request Forgery vulnerability due to a lack of CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code or adding a staff entry via a crafted HTML page.
41 CVE-2019-18411 352 CSRF 2019-11-06 2019-11-08
6.8
None Remote Medium Not required Partial Partial Partial
Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. Users who are attacked with this vulnerability will be forced to modify their enrolled information, such as email and mobile phone, unintentionally. Attackers could use the reset password function and control the system to send the authentication code back to the channel that the attackers own.
42 CVE-2019-18346 352 CSRF 2019-12-04 2019-12-14
6.8
None Remote Medium Not required Partial Partial Partial
A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user.
43 CVE-2019-18280 352 CSRF 2019-10-23 2020-09-03
6.8
None Remote Medium Not required Partial Partial Partial
Sourcecodester Online Grading System 1.0 is affected by a Cross Site Request Forgery vulnerability due to a lack of CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code via a crafted HTML page, as demonstrated by a Create User action at the admin/modules/user/controller.php?action=add URI.
44 CVE-2019-18267 79 Exec Code XSS CSRF 2019-12-18 2020-01-07
3.5
None Remote Medium ??? None Partial None
An issue was found in GE S2020/S2020G Fast Switch 61850, S2020/S2020G Fast Switch 61850 Versions 07A03 and prior. An attacker can inject arbitrary Javascript in a specially crafted HTTP request that may be reflected back in the HTTP response. The device is also vulnerable to a stored cross-site scripting vulnerability that may allow session hijacking, disclosure of sensitive data, cross-site request forgery (CSRF) attacks, and remote code execution.
45 CVE-2019-18220 352 CSRF 2019-10-23 2019-10-24
6.8
None Remote Medium Not required Partial Partial Partial
Sitemagic CMS 4.4.1 is affected by a Cross-Site-Request-Forgery (CSRF) issue as it doesn't implement any method to validate incoming requests, allowing the execution of critical functionalities via spoofed requests. This behavior could be abused by a remote unauthenticated attacker to trick Sitemagic users into performing unwarranted actions.
46 CVE-2019-18206 352 CSRF 2019-10-30 2019-11-05
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in Zucchetti InfoBusiness before and including 4.4.1 allows arbitrary file upload.
47 CVE-2019-17676 352 CSRF 2019-10-17 2019-10-21
6.8
None Remote Medium Not required Partial Partial Partial
app/system/admin/admin/index.class.php in MetInfo 7.0.0beta allows a CSRF attack to add a user account via a doSaveSetup action to admin/index.php, as demonstrated by an admin/?n=admin&c=index&a=doSaveSetup URI.
48 CVE-2019-17675 352 CSRF 2019-10-17 2019-11-05
6.8
None Remote Medium Not required Partial Partial Partial
WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.
49 CVE-2019-17613 94 Exec Code CSRF 2019-10-15 2019-10-18
7.5
None Remote Low Not required Partial Partial Partial
qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in the content parameter.
50 CVE-2019-17593 352 CSRF 2019-10-14 2019-10-16
6.8
None Remote Medium Not required Partial Partial Partial
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
Total number of vulnerabilities : 535   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.