CVE ID | Name | Status | References |
---|---|---|---|
CVE-2002-1648 | Cross-site request forgery (CSRF) vulnerability in compose.php in SquirrelMail before 1.2.3 allows remote attackers to send email as other users via an IMG URL with modified send_to and subject parameters. | Assigned (20050328) | BID:3956 (http://www.securityfocus.com/bid/3956); BUGTRAQ:20020124 Vulnerabilities in squirrelmail (http://archives.neohapsis.com/archives/bugtraq/2002-01/0310.html); CERT-VN:VU#153043 (http://www.kb.cert.org/vuls/id/153043); XF:squirrelmail-html-execute-script(7989) (https://exchange.xforce.ibmcloud.com/vulnerabilities/7989) |
CVE-2002-2426 | Cross-site request forgery (CSRF) vulnerability in Citrix Presentation Server 4.0 and 4.5, MetaFrame Presentation Server 3.0, and Access Essentials 1.0 through 2.0 allows remote attackers to execute arbitrary published applications, and possibly other programs, as authenticated users via the InitialProgram key in an ICA connection. NOTE: some of these details are obtained from third party information. | Assigned (20071119) | BID:26451 (http://www.securityfocus.com/bid/26451); CONFIRM:http://support.citrix.com/article/CTX115245; MISC:http://packetstormsecurity.org/0210-exploits/hackingcitrix.txt; MISC:http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/; SECTRACK:1018962 (http://www.securitytracker.com/id?1018962); SECUNIA:27633 (http://secunia.com/advisories/27633); VUPEN:ADV-2007-3870 (http://www.vupen.com/english/advisories/2007/3870) |
CVE-2004-1842 | Cross-site request forgery (CSRF) vulnerability in Php-Nuke 6.x through 7.1.0 allows remote attackers to gain administrative privileges via an img tag with a URL to admin.php. | Assigned (20050504) | BID:9895 (http://www.securityfocus.com/bid/9895); BUGTRAQ:20040322 [waraxe-2004-SA#008 - easy way to get superadmin rights in PhpNuke 6.x-7.1.0] (http://marc.info/?l=bugtraq&m=108006309112075&w=2); SECUNIA:11195 (http://secunia.com/advisories/11195); XF:phpnuke-img-gain-privileges(15596) (https://exchange.xforce.ibmcloud.com/vulnerabilities/15596) |
CVE-2004-1967 | Cross-site request forgery (CSRF) vulnerabilities in (1) cp_forums.php, (2) cp_usergroup.php, (3) cp_ipbans.php, (4) myhome.php, (5) post.php, or (6) moderator.php in Open Bulletin Board (OpenBB) 1.0.6 and earlier allow remote attackers to execute arbitrary code by including the code in an image tag or a link. | Assigned (20050504) | BUGTRAQ:20040425 Multiple Vulnerabilities In OpenBB (http://marc.info/?l=bugtraq&m=108301983206107&w=2); SECTRACK:1009935 (http://securitytracker.com/id?1009935); SECUNIA:11481 (http://secunia.com/advisories/11481); XF:openbb-tags-execute-code(15967) (https://exchange.xforce.ibmcloud.com/vulnerabilities/15967) |
CVE-2004-1995 | Cross-Site Request Forgery (CSRF) vulnerability in FuseTalk 2.0 allows remote attackers to create arbitrary accounts via a link to adduser.cfm. | Assigned (20050504) | BID:10276 (http://www.securityfocus.com/bid/10276); BUGTRAQ:20040505 Fuse Talk Vunerabilities (http://marc.info/?l=bugtraq&m=108377423825478&w=2); OSVDB:5895 (http://www.osvdb.org/5895); SECTRACK:1010080 (http://securitytracker.com/id?1010080); SECUNIA:11555 (http://secunia.com/advisories/11555); XF:fusetalk-get-add-users(16080) (https://exchange.xforce.ibmcloud.com/vulnerabilities/16080) |
CVE-2004-2364 | Cross-site request forgery (CSRF) vulnerability in PHPX 3.0 through 3.2.6 allows remote attackers to execute arbitrary commands via URLs that are automatically executed on behalf of the administrator, as demonstrated using (1) admin/page.php, (2) admin/news.php, (3) admin/user.php, (4) admin/images.php, (5) admin/page.php, or (6) admin/forums.php. | Assigned (20050816) | BID:10284 (http://www.securityfocus.com/bid/10284); BUGTRAQ:20040504 Vulnerabilities In PHPX 3.26 And Earlier (http://www.securityfocus.com/archive/1/362230); MISC:http://www.phpx.org/project.php?action=view&project_id=1; OSVDB:5907 (http://www.osvdb.org/5907); OSVDB:5908 (http://www.osvdb.org/5908); OSVDB:5909 (http://www.osvdb.org/5909); OSVDB:5910 (http://www.osvdb.org/5910); OSVDB:5911 (http://www.osvdb.org/5911); SECTRACK:1010061 (http://securitytracker.com/id?1010061); SECUNIA:11554 (http://secunia.com/advisories/11554) |
CVE-2004-2403 | Cross-site request forgery (CSRF) vulnerability in YaBB 1 GOLD SP 1.3.2 allows remote attackers to perform unauthorized actions as the administrative user via a link or IMG tag to YaBB.pl that specifies the desired action, id, and moda parameters. | Assigned (20050817) | BID:11214 (http://www.securityfocus.com/bid/11214); BUGTRAQ:20040916 RE: www.proboards.com / YaBB XSS Vuln (http://archives.neohapsis.com/archives/bugtraq/2004-09/0227.html); OSVDB:10243 (http://www.osvdb.org/10243); SECUNIA:12593 (http://secunia.com/advisories/12593); XF:yabb-administrative-bypass(17453) (https://exchange.xforce.ibmcloud.com/vulnerabilities/17453) |
CVE-2005-0535 | Cross-site request forgery (CSRF) vulnerability in MediaWiki 1.3.x before 1.3.11 and 1.4 beta before 1.4 rc1 allows remote attackers to perform unauthorized actions as authenticated MediaWiki users. | Assigned (20050224) | CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=307067; GENTOO:GLSA-200502-33 (http://www.gentoo.org/security/en/glsa/glsa-200502-33.xml); SECTRACK:1013260 (http://securitytracker.com/id?1013260); SECUNIA:14360 (http://secunia.com/advisories/14360) |
CVE-2005-1674 | Cross-Site Request Forgery (CSRF) vulnerability in Help Center Live allows remote attackers to perform actions as the administrator via a link or IMG tag to view.php. | Assigned (20050519) | BUGTRAQ:20050517 Help Center Live Vulnerabilities (http://www.securityfocus.com/archive/1/398457/2005-05-15/2005-05-21/0); MISC:http://www.gulftech.org/?node=research&article_id=00076-05172005 |
CVE-2005-1947 | Cross-site request forgery (CSRF) vulnerability in Invision Gallery before 1.3.1 allows remote attackers to delete albums and images as another user via a link or IMG tag to the (1) albums or (2) delimg actions. | Assigned (20050614) | BUGTRAQ:20050609 Invision Gallery Vulnerabilities (http://marc.info/?l=bugtraq&m=111834146710329&w=2); MISC:http://www.gulftech.org/?node=research&article_id=00079-06092005 |
CVE-2005-2059 | Multiple cross-site request forgery (CSRF) vulnerabilities in (1) addaddress.php, (2) toggleignore.php, (3) removeignore.php, and (4) removeaddress.php in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to modify settings as another user via a link or IMG tag. | Assigned (20050629) | BUGTRAQ:20050624 Infopop UBB Threads Multiple Vulnerabilities (http://marc.info/?l=bugtraq&m=111963737202040&w=2); MISC:http://www.gulftech.org/?node=research&article_id=00084-06232005; MISC:http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351 |
CVE-2005-2411 | Cross-Site Request Forgery (CSRF) vulnerability in tDiary 2.1.1, and tDiary 2.0.1 and earlier, allows remote attackers to conduct actions as another user, and execute commands on the server, via a URL that is activated by the user. | Assigned (20050801) | BID:14500 (http://www.securityfocus.com/bid/14500); CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=482743; DEBIAN:DSA-808 (http://www.debian.org/security/2005/dsa-808); OSVDB:18604 (http://www.osvdb.org/18604); SECUNIA:16329 (http://secunia.com/advisories/16329); SECUNIA:16787 (http://secunia.com/advisories/16787); XF:tdiary-xs-request-forgery(21735) (https://exchange.xforce.ibmcloud.com/vulnerabilities/21735) |
CVE-2005-3129 | Cross-site request forgery (CSRF) vulnerability in Serendipity 0.8.4 and earlier allows remote attackers to perform unauthorized actions as a logged in user via a link or IMG tag to serendipity_admin.php. | Assigned (20051004) | BUGTRAQ:20050929 Serendipity: Account Hijacking / CSRF Vulnerability (http://marc.info/?l=bugtraq&m=112801570631203&w=2); FULLDISC:20050929 Serendipity: Account Hijacking / CSRF Vulnerability (http://lists.grok.org.uk/pipermail/full-disclosure/2005-September/037580.html); SECUNIA:17011 (http://secunia.com/advisories/17011/); XF:serendipity-xs-request-forgery(22456) (https://exchange.xforce.ibmcloud.com/vulnerabilities/22456) |
CVE-2005-3618 | Cross-site request forgery (CSRF) vulnerability in the management interface for VMware ESX Server 2.0.x before 2.0.2 patch 1, 2.1.x before 2.1.3 patch 1, and 2.x before 2.5.3 patch 2 allows remote attackers to perform unauthorized actions as the administrator via URLs, as demonstrated using the setUsr operation to change a password. NOTE: this issue can be leveraged with CVE-2005-3619 to automatically perform the attacks. | Assigned (20051116) | BUGTRAQ:20060731 Corsaire Security Advisory - VMware ESX Server Password Cross Site Request Forgery issue (http://www.securityfocus.com/archive/1/441726/100/100/threaded); BUGTRAQ:20060801 VMSA-2006-0004 Cross site scripting vulnerability and other fixes (http://www.securityfocus.com/archive/1/441825/100/100/threaded); CONFIRM:http://kb.vmware.com/kb/2118366; MISC:http://www.corsaire.com/advisories/c051114-001.txt; SECTRACK:1016612 (http://securitytracker.com/id?1016612); SECUNIA:21230 (http://secunia.com/advisories/21230); VUPEN:ADV-2006-3075 (http://www.vupen.com/english/advisories/2006/3075) |
CVE-2005-4349 | ** DISPUTED ** SQL injection vulnerability in server_privileges.php in phpMyAdmin 2.7.0 allows remote authenticated users to execute arbitrary SQL commands via the (1) dbname and (2) checkprivs parameters. NOTE: the vendor and a third party have disputed this issue, saying that the main task of the program is to support query execution by authenticated users, and no external attack scenario exists without an auto-login configuration. Thus it is likely that this issue will be REJECTED. However, a closely related CSRF issue has been assigned CVE-2005-4450. | Assigned (20051219) | BUGTRAQ:20051217 phpMyAdmin server_privileges.php SQL Injection Vulnerabilities. (http://marc.info/?l=bugtraq&m=113486637512821&w=2); BUGTRAQ:20051219 Re: phpMyAdmin server_privileges.php SQL Injection Vulnerabilities. (http://www.securityfocus.com/archive/1/419829/100/0/threaded); BUGTRAQ:20051219 about phpMyAdmin's server_privileges.php announced vulnerability (http://www.securityfocus.com/archive/1/419832/100/0/threaded); SECUNIA:18113 (http://secunia.com/advisories/18113); SREASON:270 (http://securityreason.com/securityalert/270); VUPEN:ADV-2005-2995 (http://www.vupen.com/english/advisories/2005/2995) |
CVE-2005-4450 | Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.7.0 allows remote attackers to perform unauthorized actions as a logged-in user via a link or IMG tag to server_privileges.php, as demonstrated using the dbname and checkprivs parameters. NOTE: the provenance of this issue is unknown, although third parties imply that it is related to the disclosure of CVE-2005-4349, which was labeled as SQL injection but disputed. | Assigned (20051221) | SECUNIA:18113 (http://secunia.com/advisories/18113) |
CVE-2005-4800 | Direct static code injection vulnerability in Yet Another PHP Image Gallery (YaPIG) 0.95b and earlier allows remote authenticated administrators to inject arbitrary PHP code via the TestGallery parameter in a mod_info action to modify_gallery.php, which inserts the code into guid_info.php. NOTE: this issue is easier to exploit due to a separate CSRF vulnerability. | Assigned (20060515) | BUGTRAQ:20051013 Yapig: XSS / Code Injection Vulnerability (http://archives.neohapsis.com/archives/bugtraq/2005-10/0161.html); MISC:http://www.seclab.tuwien.ac.at/advisories/TUVSA-0510-001.txt; OSVDB:19960 (http://www.osvdb.org/19960); SECUNIA:17041 (http://secunia.com/advisories/17041); XF:yapig-http-post-privilege-escalation(22753) (https://exchange.xforce.ibmcloud.com/vulnerabilities/22753) |
CVE-2005-4801 | Multiple cross-site request forgery (CSRF) vulnerabilities in Yet Another PHP Image Gallery (YaPIG) 0.95b and earlier allow remote attackers to perform unauthorized actions as a logged-in user, as demonstrated by tricking the administrator to access a web page that performs a mod_info action in modify_gallery.php. | Assigned (20060515) | BUGTRAQ:20051013 Yapig: XSS / Code Injection Vulnerability (http://archives.neohapsis.com/archives/bugtraq/2005-10/0161.html); MISC:http://www.seclab.tuwien.ac.at/advisories/TUVSA-0510-001.txt; SECUNIA:17041 (http://secunia.com/advisories/17041); SREASON:79 (http://securityreason.com/securityalert/79); XF:yapig-http-post-privilege-escalation(22753) (https://exchange.xforce.ibmcloud.com/vulnerabilities/22753) |
CVE-2006-0438 | Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.19, when Link to off-site Avatar or bbcode (IMG) are enabled, allows remote attackers to perform unauthorized actions as a logged in user via a link or IMG tag in a user profile, as demonstrated using links to (1) admin/admin_users.php and (2) modcp.php. | Assigned (20060126) | FULLDISC:20060203 phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin (http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/041920.html); OSVDB:22929 (http://www.osvdb.org/22929); SECUNIA:18693 (http://secunia.com/advisories/18693); SREASON:406 (http://securityreason.com/securityalert/406); SREASONRES:20060203 phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin (http://securityreason.com/achievement_securityalert/31); VUPEN:ADV-2006-0445 (http://www.vupen.com/english/advisories/2006/0445); XF:phpbb-referer-header-http-xss(24497) (https://exchange.xforce.ibmcloud.com/vulnerabilities/24497) |
CVE-2006-2495 | Cross-site request forgery (CSRF) vulnerability in the Entry Manager in Serendipity before 1.0-beta3 allows remote attackers to perform unauthorized actions as a logged-in user via a link or IMG tag. | Assigned (20060519) | CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=414920&group_id=75065; SECUNIA:20155 (http://secunia.com/advisories/20155); VUPEN:ADV-2006-1855 (http://www.vupen.com/english/advisories/2006/1855) |
CVE-2006-3272 | Cross-site request forgery (CSRF) vulnerability in menu.php in Some Chess 1.5 rc2 allows remote attackers to conduct actions as another user, such as changing usernames and passwords, via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained from third party information. | Assigned (20060628) | SECUNIA:20770 (http://secunia.com/advisories/20770); XF:somechess-menu-xss(27307) (https://exchange.xforce.ibmcloud.com/vulnerabilities/27307) |
CVE-2006-3420 | Cross-site request forgery (CSRF) vulnerability in editpost.php in MyBulletinBoard (MyBB) before 1.1.5 allows remote attackers to perform unauthorized actions as a logged in user and delete arbitrary forum posts via a bbcode IMG tag with a modified delete parameter in a deletepost action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | Assigned (20060706) | OSVDB:26807 (http://www.osvdb.org/26807); SECUNIA:20659 (http://secunia.com/advisories/20659); XF:mybb-editpost-xsrf(27682) (https://exchange.xforce.ibmcloud.com/vulnerabilities/27682) |
CVE-2006-3479 | Cross-site request forgery (CSRF) vulnerability in the del_block function in modules/Admin/block.php in Nuked-Klan 1.7.5 and earlier and 1.7 SP4.2 allows remote attackers to delete arbitrary "blocks" via a link with a modified bid parameter in a del_block op on the block page in index.php. | Assigned (20060710) | BUGTRAQ:20060629 CSRF in Nuked Klan 1.7 SP4.2 (http://www.securityfocus.com/archive/1/438703); SECUNIA:20898 (http://secunia.com/advisories/20898); SREASON:1205 (http://securityreason.com/securityalert/1205); VUPEN:ADV-2006-2615 (http://www.vupen.com/english/advisories/2006/2615); XF:nukedklan-delblock-csrf(27490) (https://exchange.xforce.ibmcloud.com/vulnerabilities/27490) |
CVE-2006-3671 | Cross-site request forgery (CSRF) vulnerability in the communicate function in estmaster.c for Hyper Estraier before 1.3.3 allows remote attackers to perform unauthorized actions as other users via unknown vectors. | Assigned (20060717) | CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=432119; SECUNIA:21049 (http://secunia.com/advisories/21049); VUPEN:ADV-2006-2827 (http://www.vupen.com/english/advisories/2006/2827) |
CVE-2006-3829 | Cross-site request forgery (CSRF) vulnerability in bmc/admin.php in Kailash Nadh boastMachine (formerly bMachine) 3.1 and earlier allows remote attackers to perform unauthorized actions as an administrator and delete arbitrary user accounts via a delete_user action. | Assigned (20060724) | BUGTRAQ:20060717 boastMachine <= 3.1 SQL Injection Exploit (http://www.securityfocus.com/archive/1/440306/100/0/threaded); MISC:http://www.acid-root.new.fr/advisories/boastmachine.txt; SECTRACK:1016515 (http://securitytracker.com/id?1016515); SECUNIA:21066 (http://secunia.com/advisories/21066); SREASON:1252 (http://securityreason.com/securityalert/1252) |
CVE-2006-4582 | Cross-site request forgery (CSRF) vulnerability in The Address Book 1.04e allows remote attackers to perform unauthorized actions as other users via unspecified vectors, as demonstrated by deleting arbitrary users via the id parameter in a deleteuser action in users.php. | Assigned (20060906) | MISC:http://secunia.com/secunia_research/2006-76/advisory/; OSVDB:32559 (http://osvdb.org/32559); SECUNIA:21694 (http://secunia.com/advisories/21694); XF:theaddressbook-users-csrf(31251) (https://exchange.xforce.ibmcloud.com/vulnerabilities/31251) |
CVE-2006-4659 | The Panda Platinum Internet Security 2006 10.02.01 and 2007 11.00.00 uses predictable URLs for the spam classification of each message, which allows remote attackers to cause Panda to classify arbitrary messages as spam via a web page that contains IMG tags with the predictable URLs. NOTE: this issue could also be regarded as a cross-site request forgery (CSRF) vulnerability. | Assigned (20060908) | BID:19891 (http://www.securityfocus.com/bid/19891); BUGTRAQ:20060907 SECURITY.NNOV: Panda Platinum Internet Security privilege escalation / bayesian filter control security vulnerabilities (http://www.securityfocus.com/archive/1/445479/100/0/threaded); MISC:http://www.security.nnov.ru/advisories/pandais.asp; SECUNIA:21769 (http://secunia.com/advisories/21769); SREASON:1524 (http://securityreason.com/securityalert/1524) |
CVE-2006-5116 | Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyAdmin before 2.9.1-rc1 allow remote attackers to perform unauthorized actions as another user by (1) directly setting a token in the URL through dynamic variable evaluation and (2) unsetting arbitrary variables via the _REQUEST array, related to (a) libraries/common.lib.php, (b) session.inc.php, and (c) url_generating.lib.php. NOTE: the PHP unset function vector is covered by CVE-2006-3017. | Assigned (20061002) | BID:20253 (http://www.securityfocus.com/bid/20253); BUGTRAQ:20061001 Advisory 07/2006: phpMyAdmin Multiple CSRF Vulnerabilities (http://www.securityfocus.com/archive/1/447491/100/0/threaded); CONFIRM:http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.9.1-rc1.tar.gz?download; CONFIRM:http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-5; DEBIAN:DSA-1207 (http://www.debian.org/security/2006/dsa-1207); MISC:http://www.hardened-php.net/advisory_072006.130.html; SECUNIA:22126 (http://secunia.com/advisories/22126); SECUNIA:22781 (http://secunia.com/advisories/22781); SECUNIA:23086 (http://secunia.com/advisories/23086); SREASON:1677 (http://securityreason.com/securityalert/1677); SUSE:SUSE-SA:2006:071 (http://lists.suse.com/archive/suse-security-announce/2006-Nov/0010.html); VIM:20061003 Concerning CSRF in phpMyAdmin 2.9.0.1 (CVE-2006-5116) (http://attrition.org/pipermail/vim/2006-October/001067.html); XF:phpmyadmin-multiple-csrf(29301) (https://exchange.xforce.ibmcloud.com/vulnerabilities/29301) |
CVE-2006-5175 | Cross-site request forgery (CSRF) vulnerability in the administrative interface for the TeraStation HD-HTGL firmware 2.05 beta 1 and earlier allows remote attackers to modify configurations or delete arbitrary data via unspecified vectors. | Assigned (20061005) | JVN:JVN#93484133 (http://jvn.jp/jp/JVN%2393484133/index.html); SECUNIA:22248 (http://secunia.com/advisories/22248); VUPEN:ADV-2006-3891 (http://www.vupen.com/english/advisories/2006/3891); XF:terastation-admin-interface-csrf(29338) (https://exchange.xforce.ibmcloud.com/vulnerabilities/29338) |
CVE-2006-5204 | Cross-site scripting (XSS) vulnerability in action_admin/member.php in Invision Power Board (IPB) 2.1.7 and earlier allows remote authenticated users to inject arbitrary web script or HTML via a reference to a script in the avatar setting, which can be leveraged for a cross-site request forgery (CSRF) attack involving forced SQL execution by an admin. | Assigned (20061009) | BUGTRAQ:20061004 Invision Power Board Multiple Vulnerabilities (http://www.securityfocus.com/archive/1/447710/100/0/threaded); CONFIRM:http://forums.invisionpower.com/index.php?showtopic=227937; SECUNIA:22272 (http://secunia.com/advisories/22272); VUPEN:ADV-2006-3927 (http://www.vupen.com/english/advisories/2006/3927); XF:ipb-avatar-image-xss(29351) (https://exchange.xforce.ibmcloud.com/vulnerabilities/29351) |
CVE-2006-5455 | Cross-site request forgery (CSRF) vulnerability in editversions.cgi in Bugzilla before 2.22.1 and 2.23.x before 2.23.3 allows user-assisted remote attackers to create, modify, or delete arbitrary bug reports via a crafted URL. | Assigned (20061023) | BID:20538 (http://www.securityfocus.com/bid/20538); BUGTRAQ:20061015 Security Advisory for Bugzilla 2.18.5, 2.20.2, 2.22, and 2.23.2 (http://www.securityfocus.com/archive/1/448777/100/100/threaded); CONFIRM:http://www.bugzilla.org/security/2.18.5/; CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=281181; GENTOO:GLSA-200611-04 (http://security.gentoo.org/glsa/glsa-200611-04.xml); OSVDB:29548 (http://www.osvdb.org/29548); SECUNIA:22409 (http://secunia.com/advisories/22409); SECUNIA:22790 (http://secunia.com/advisories/22790); SREASON:1760 (http://securityreason.com/securityalert/1760); VUPEN:ADV-2006-4035 (http://www.vupen.com/english/advisories/2006/4035); XF:bugzilla-url-modify-configuration(29618) (https://exchange.xforce.ibmcloud.com/vulnerabilities/29618) |
CVE-2006-5476 | Cross-site request forgery (CSRF) vulnerability in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows remote attackers to perform unauthorized actions as an arbitrary user via unspecified vectors. | Assigned (20061024) | BUGTRAQ:20061019 [DRUPAL-SA-2006-025] Drupal 4.6.10 / 4.7.4 fixes CRF issue (http://www.securityfocus.com/archive/1/449199/100/0/threaded); CONFIRM:http://drupal.org/node/88828; OPENPKG:OpenPKG-SA-2006.025-drupal (http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.025-drupal.html); SECUNIA:22486 (http://secunia.com/advisories/22486); SREASON:1765 (http://securityreason.com/securityalert/1765); VUPEN:ADV-2006-4120 (http://www.vupen.com/english/advisories/2006/4120); XF:drupal-unspecified-csrf(29679) (https://exchange.xforce.ibmcloud.com/vulnerabilities/29679) |
CVE-2006-5878 | Cross-site request forgery (CSRF) vulnerability in Edgewall Trac 0.10 and earlier allows remote attackers to perform unauthorized actions as other users via unknown vectors. | Assigned (20061114) | CONFIRM:http://trac.edgewall.org/wiki/ChangeLog; DEBIAN:DSA-1209 (http://www.debian.org/security/2006/dsa-1209); GENTOO:GLSA-200612-14 (http://security.gentoo.org/glsa/glsa-200612-14.xml); MISC:http://trac.edgewall.org/ticket/4049; SECUNIA:22789 (http://secunia.com/advisories/22789); SECUNIA:22868 (http://secunia.com/advisories/22868); SECUNIA:23357 (http://secunia.com/advisories/23357); VUPEN:ADV-2006-4422 (http://www.vupen.com/english/advisories/2006/4422); XF:trac-unspecified-csrf(30146) (https://exchange.xforce.ibmcloud.com/vulnerabilities/30146) |
CVE-2006-6508 | Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.21 allows remote authenticated users to send unauthorized messages as an arbitrary user via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | Assigned (20061213) | DEBIAN:DSA-1488 (http://www.debian.org/security/2008/dsa-1488); SECUNIA:23283 (http://secunia.com/advisories/23283); SECUNIA:28871 (http://secunia.com/advisories/28871); XF:phpbb-message-csrf(30786) (https://exchange.xforce.ibmcloud.com/vulnerabilities/30786) |
CVE-2006-6701 | Cross-site request forgery (CSRF) vulnerability in util.pl in @Mail WebMail 4.51, and util.php in 5.x before 5.03, allows remote attackers to modify arbitrary settings and perform unauthorized actions as an arbitrary user, as demonstrated using a settings action in the SRC attribute of an IMG element in an HTML e-mail. | Assigned (20061222) | BUGTRAQ:20070125 [NETRAGARD-20061218 SECURITY ADVISORY] [@Mail WebMail Cross Site Request Forgery] (http://www.securityfocus.com/archive/1/458109/100/100/threaded); CONFIRM:http://terra.calacode.com/mail/docs/changelog.html; FULLDISC:20070125 [NETRAGARD-20061218 SECURITY ADVISORY] [@Mail WebMail Cross Site Request Forgery] (http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0512.html); MISC:http://www.netragard.com/html/recent_research.html; MISC:http://www.netragard.com/pdfs/research/ATMAIL-XSRF-ADVISORY-20061206.txt; SECTRACK:1017435 (http://securitytracker.com/id?1017435); SECUNIA:23472 (http://secunia.com/advisories/23472); SECUNIA:25328 (http://secunia.com/advisories/25328); VUPEN:ADV-2007-1864 (http://www.vupen.com/english/advisories/2007/1864); XF:@mail-unspecified-csrf(31259) (https://exchange.xforce.ibmcloud.com/vulnerabilities/31259) |
CVE-2006-6741 | Cross-site request forgery (CSRF) vulnerability in urlobox in MKPortal allows remote attackers to delete arbitrary messages as an administrator via a delete operation in an img BBcode tag. | Assigned (20061226) | BUGTRAQ:20061219 MkPortal Urlobox Cross Site Request Forgery (http://www.securityfocus.com/archive/1/454868/100/0/threaded); SECUNIA:23431 (http://secunia.com/advisories/23431); VUPEN:ADV-2006-5115 (http://www.vupen.com/english/advisories/2006/5115) |
CVE-2007-0044 | Adobe Acrobat Reader Plugin before 8.0.0 for the Firefox, Internet Explorer, and Opera web browsers allows remote attackers to force the browser to make unauthorized requests to other web sites via a URL in the (1) FDF, (2) xml, and (3) xfdf AJAX request parameters, following the # (hash) character, aka "Universal CSRF and session riding." | Assigned (20070103) | BID:21858 (http://www.securityfocus.com/bid/21858); BUGTRAQ:20070103 Adobe Acrobat Reader Plugin - Multiple Vulnerabilities (http://www.securityfocus.com/archive/1/455801/100/0/threaded); GENTOO:GLSA-200701-16 (http://security.gentoo.org/glsa/glsa-200701-16.xml); MISC:http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf; MISC:http://www.wisec.it/vulns.php?page=9; OVAL:oval:org.mitre.oval:def:10042 (https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10042); REDHAT:RHSA-2008:0144 (http://www.redhat.com/support/errata/RHSA-2008-0144.html); SECTRACK:1017469 (http://securitytracker.com/id?1017469); SECUNIA:23812 (http://secunia.com/advisories/23812); SECUNIA:23882 (http://secunia.com/advisories/23882); SECUNIA:29065 (http://secunia.com/advisories/29065); SREASON:2090 (http://securityreason.com/securityalert/2090); SUSE:SUSE-SA:2007:011 (http://lists.suse.com/archive/suse-security-announce/2007-Jan/0012.html); VUPEN:ADV-2007-0032 (http://www.vupen.com/english/advisories/2007/0032); XF:adobe-acrobat-pdf-csrf(31266) (https://exchange.xforce.ibmcloud.com/vulnerabilities/31266) |
CVE-2007-0101 | Cross-site request forgery (CSRF) vulnerability in SPINE allows remote attackers to perform unauthorized actions as administrators via unspecified vectors. NOTE: some of these details are obtained from third party information. | Assigned (20070108) | MISC:http://spine.sourceforge.net/changelog.html; OSVDB:32577 (http://osvdb.org/32577); SECUNIA:23537 (http://secunia.com/advisories/23537); VUPEN:ADV-2007-0042 (http://www.vupen.com/english/advisories/2007/0042); XF:spine-unspecified-csrf(31283) (https://exchange.xforce.ibmcloud.com/vulnerabilities/31283) |
CVE-2007-0106 | Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via a CSRF attack with an invalid token and quote characters or HTML tags in URL variable names, which are not properly handled when WordPress generates a new link to verify the request. | Assigned (20070108) | BID:21893 (http://www.securityfocus.com/bid/21893); BUGTRAQ:20070105 Advisory 01/2007: WordPress CSRF Protection XSS Vulnerability (http://www.securityfocus.com/archive/1/456048/100/0/threaded); CONFIRM:http://wordpress.org/development/2007/01/wordpress-206/; MISC:http://www.hardened-php.net/advisory_012007.140.html; OSVDB:33397 (http://osvdb.org/33397); SECUNIA:23595 (http://secunia.com/advisories/23595); SREASON:2114 (http://securityreason.com/securityalert/2114); VUPEN:ADV-2007-0061 (http://www.vupen.com/english/advisories/2007/0061) |
CVE-2007-0192 | Cross-site request forgery (CSRF) vulnerability in the save_main operation in the ad_perms section in admin.php in MKPortal allows remote attackers to modify privilege settings, as demonstrated using a getURL of admin.php within a .swf file contained in an IFRAME element, aka the "All Guests are Admin" attack. | Assigned (20070110) | BUGTRAQ:20070104 MkPortal "All Guests are Admin" Exploit (http://www.securityfocus.com/archive/1/455894/100/100/threaded); OSVDB:33400 (http://osvdb.org/33400); SREASON:2137 (http://securityreason.com/securityalert/2137) |
CVE-2007-0622 | Cross-site request forgery (CSRF) vulnerability in MyBB (aka MyBulletinBoard) 1.2.2 allows remote attackers to send messages to arbitrary users. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | Assigned (20070131) | OSVDB:32968 (http://osvdb.org/32968); SECUNIA:23934 (http://secunia.com/advisories/23934) |
CVE-2007-0652 | Cross-site request forgery (CSRF) vulnerability in MailEnable Professional before 2.37 allows remote attackers to modify arbitrary configurations and perform unauthorized actions as arbitrary users via a link or IMG tag. | Assigned (20070201) | BID:22554 (http://www.securityfocus.com/bid/22554); BUGTRAQ:20070214 Secunia Research: MailEnable Web Mail Client MultipleVulnerabilities (http://www.securityfocus.com/archive/1/460063/100/0/threaded); MISC:http://secunia.com/secunia_research/2007-38/advisory/; OSVDB:33191 (http://osvdb.org/33191); SECUNIA:23998 (http://secunia.com/advisories/23998); SREASON:2258 (http://securityreason.com/securityalert/2258); VUPEN:ADV-2007-0595 (http://www.vupen.com/english/advisories/2007/0595) |
CVE-2007-0912 | Cross-Site Request Forgery (CSRF) vulnerability in admin/admin.adm.php in Jportal 2.3.1, and possibly earlier, allows remote attackers to perform privileged actions as administrators by tricking the admin into accessing a URL with modified arguments to admin/admin.adm.php. | Assigned (20070213) | BUGTRAQ:20070211 Jportal 2.3.1 CSRF vulnerability | URL:http://www.securityfocus.com/archive/1/459827/100/0/threaded | OSVDB:33712 | URL:http://osvdb.org/33712 | SREASON:2239 | URL:http://securityreason.com/securityalert/2239 | XF:jportal-admin-csrf(32458) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/32458 |
CVE-2007-1157 | Cross-site request forgery (CSRF) vulnerability in jmx-console/HtmlAdaptor in JBoss allows remote attackers to perform privileged actions as administrators via certain MBean operations, a different vulnerability than CVE-2006-3733. | Assigned (20070227) | BUGTRAQ:20070222 JBoss jmx-console CSRF | URL:http://www.securityfocus.com/archive/1/460934/100/0/threaded | BUGTRAQ:20070223 Re: JBoss jmx-console CSRF | URL:http://www.securityfocus.com/archive/1/461004/100/0/threaded | OSVDB:33142 | URL:http://osvdb.org/33142 | XF:jboss-jmxconsole-csrf(32673) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/32673 |
CVE-2007-1180 | WebAPP before 0.9.9.5 does not check referrers in certain forms, which might facilitate remote cross-site request forgery (CSRF) attacks or have other unknown impact. | Assigned (20070228) | BID:22563 | URL:http://www.securityfocus.com/bid/22563 | CONFIRM:http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250 | OSVDB:33285 | URL:http://osvdb.org/33285 | SECUNIA:24080 | URL:http://secunia.com/advisories/24080 | VUPEN:ADV-2007-0604 | URL:http://www.vupen.com/english/advisories/2007/0604 |
CVE-2007-1244 | Cross-site request forgery (CSRF) vulnerability in the AdminPanel in WordPress 2.1.1 and earlier allows remote attackers to perform privileged actions as administrators, as demonstrated using the delete action in wp-admin/post.php. NOTE: this issue can be leveraged to perform cross-site scripting (XSS) attacks and steal cookies via the post parameter. | Assigned (20070303) | BID:22735 | URL:http://www.securityfocus.com/bid/22735 | BUGTRAQ:20070226 WordPress AdminPanel CSRF/XSS - 0day | URL:http://www.securityfocus.com/archive/1/461351/100/0/threaded | FULLDISC:20070226 WordPress AdminPanel CSRF/XSS - 0day | URL:http://archives.neohapsis.com/archives/fulldisclosure/2007-02/0583.html | GENTOO:GLSA-200703-23 | URL:http://www.gentoo.org/security/en/glsa/glsa-200703-23.xml | OSVDB:33787 | URL:http://osvdb.org/33787 | OSVDB:33788 | URL:http://osvdb.org/33788 | SECUNIA:24566 | URL:http://secunia.com/advisories/24566 | XF:wordpress-post-csrf(32703) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/32703 |
CVE-2007-1332 | Multiple cross-site request forgery (CSRF) vulnerabilities in TKS Banking Solutions ePortfolio 1.0 Java allow remote attackers to perform unspecified restricted actions in the context of certain accounts by bypassing the client-side protection scheme. | Assigned (20070307) | BID:22829 | URL:http://www.securityfocus.com/bid/22829 | BUGTRAQ:20070305 ePortfolio version 1.0 Java Multiple Input Validation Vulnerabilities | URL:http://www.securityfocus.com/archive/1/461895/100/0/threaded | MISC:http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2893 | MISC:http://www.scip.ch/publikationen/advisories/scip_advisory-2893_eportfolio_%201.0_java_multiple_vulnerabilities.txt | SECUNIA:24331 | URL:http://secunia.com/advisories/24331 | SREASON:2385 | URL:http://securityreason.com/securityalert/2385 |
CVE-2007-1489 | Unspecified vulnerability in web-app.org Web Automated Perl Portal (WebAPP) 0.9.9.4 to 0.9.9.6 allows remote attackers to obtain admin access by modifying cookies and performing "certain consecutive actions," possibly due to a cross-site request forgery (CSRF) vulnerability. | Assigned (20070316) | CONFIRM:http://www.web-app.org/cgi-bin/index.cgi?action=downloadinfo&cat=crip&id=2 | CONFIRM:http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=256 | CONFIRM:http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=259 | OSVDB:33273 | URL:http://osvdb.org/33273 | SECUNIA:24540 | URL:http://secunia.com/advisories/24540 | VIM:20070320 WebAPP Audit | URL:http://www.attrition.org/pipermail/vim/2007-March/001446.html |
CVE-2007-1520 | The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 and earlier does not ensure the SERVER superglobal is an array before validating the HTTP_REFERER, which allows remote attackers to conduct CSRF attacks. | Assigned (20070320) | BUGTRAQ:20070309 Php Nuke POST XSS on steroids | URL:http://www.securityfocus.com/archive/1/462308/100/100/threaded | BUGTRAQ:20070311 Re: Php Nuke POST XSS on steroids | URL:http://www.securityfocus.com/archive/1/462575/100/0/threaded | BUGTRAQ:20070313 Re: Php Nuke POST XSS on steroids | URL:http://www.securityfocus.com/archive/1/462727/100/0/threaded | MISC:http://phpfi.com/214668 | MISC:http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/ | MISC:http://www.wisec.it/ush/phpnukexss.html | OSVDB:34501 | URL:http://osvdb.org/34501 | SECUNIA:24629 | URL:http://secunia.com/advisories/24629 |
CVE-2007-1638 | Multiple cross-site request forgery (CSRF) vulnerabilities in the check_csrftoken function in lib/lib.inc.php in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allow remote attackers to perform unauthorized actions as an arbitrary user via the (1) Projects, (2) Contacts, (3) Helpdesk, (4) Notes, (5) Search, (6) Mail, or (7) Filemanager module; the (9) summary page; or unspecified other files. | Assigned (20070323) | BUGTRAQ:20070314 n.runs-SA-2007.005 - PHProjekt 5.2.0 - Cross Site Request Forgery | URL:http://www.securityfocus.com/archive/1/462786/100/100/threaded | CONFIRM:http://www.phprojekt.com/index.php?name=News&file=article&sid=276 | GENTOO:GLSA-200706-07 | URL:http://security.gentoo.org/glsa/glsa-200706-07.xml | MISC:http://www.nruns.de/security_advisory_phprojekt_csrf.php | OSVDB:35162 | URL:http://osvdb.org/35162 | SECUNIA:24509 | URL:http://secunia.com/advisories/24509 | SECUNIA:25748 | URL:http://secunia.com/advisories/25748 | SREASON:2477 | URL:http://securityreason.com/securityalert/2477 | XF:phprojekt-multiple-modules-csrf(32989) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/32989 |