Selection:
XSS CSRF Privilege Buffer Remote Stack
CVE ID Name Status References
CVE-2002-1648

Cross-site request forgery (CSRF) vulnerability in compose.php in SquirrelMail before 1.2.3 allows remote attackers to send email as other users via an IMG URL with modified send_to and subject parameters.

Assigned (20050328)

BID:3956 | URL:http://www.securityfocus.com/bid/3956 | BUGTRAQ:20020124 Vulnerabilities in squirrelmail | URL:http://archives.neohapsis.com/archives/bugtraq/2002-01/0310.html | CERT-VN:VU#153043 | URL:http://www.kb.cert.org/vuls/id/153043 | XF:squirrelmail-html-execute-script(7989) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7989

CVE-2002-2426

Cross-site request forgery (CSRF) vulnerability in Citrix Presentation Server 4.0 and 4.5, MetaFrame Presentation Server 3.0, and Access Essentials 1.0 through 2.0 allows remote attackers to execute arbitrary published applications, and possibly other programs, as authenticated users via the InitialProgram key in an ICA connection. NOTE: some of these details are obtained from third party information.

Assigned (20071119)

BID:26451 | URL:http://www.securityfocus.com/bid/26451 | CONFIRM:http://support.citrix.com/article/CTX115245 | MISC:http://packetstormsecurity.org/0210-exploits/hackingcitrix.txt | MISC:http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/ | SECTRACK:1018962 | URL:http://www.securitytracker.com/id?1018962 | SECUNIA:27633 | URL:http://secunia.com/advisories/27633 | VUPEN:ADV-2007-3870 | URL:http://www.vupen.com/english/advisories/2007/3870

CVE-2004-1842

Cross-site request forgery (CSRF) vulnerability in Php-Nuke 6.x through 7.1.0 allows remote attackers to gain administrative privileges via an img tag with a URL to admin.php.

Assigned (20050504)

BID:9895 | URL:http://www.securityfocus.com/bid/9895 | BUGTRAQ:20040322 [waraxe-2004-SA#008 - easy way to get superadmin rights in PhpNuke 6.x-7.1.0] | URL:http://marc.info/?l=bugtraq&m=108006309112075&w=2 | SECUNIA:11195 | URL:http://secunia.com/advisories/11195 | XF:phpnuke-img-gain-privileges(15596) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/15596

CVE-2004-1967

Cross-site request forgery (CSRF) vulnerabilities in (1) cp_forums.php, (2) cp_usergroup.php, (3) cp_ipbans.php, (4) myhome.php, (5) post.php, or (6) moderator.php in Open Bulletin Board (OpenBB) 1.0.6 and earlier allow remote attackers to execute arbitrary code by including the code in an image tag or a link.

Assigned (20050504)

BUGTRAQ:20040425 Multiple Vulnerabilities In OpenBB | URL:http://marc.info/?l=bugtraq&m=108301983206107&w=2 | SECTRACK:1009935 | URL:http://securitytracker.com/id?1009935 | SECUNIA:11481 | URL:http://secunia.com/advisories/11481 | XF:openbb-tags-execute-code(15967) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/15967

CVE-2004-1995

Cross-Site Request Forgery (CSRF) vulnerability in FuseTalk 2.0 allows remote attackers to create arbitrary accounts via a link to adduser.cfm.

Assigned (20050504)

BID:10276 | URL:http://www.securityfocus.com/bid/10276 | BUGTRAQ:20040505 Fuse Talk Vunerabilities | URL:http://marc.info/?l=bugtraq&m=108377423825478&w=2 | OSVDB:5895 | URL:http://www.osvdb.org/5895 | SECTRACK:1010080 | URL:http://securitytracker.com/id?1010080 | SECUNIA:11555 | URL:http://secunia.com/advisories/11555 | XF:fusetalk-get-add-users(16080) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/16080

CVE-2004-2364

Cross-site request forgery (CSRF) vulnerability in PHPX 3.0 through 3.2.6 allows remote attackers to execute arbitrary commands via URLs that are automatically executed on behalf of the administrator, as demonstrated using (1) admin/page.php, (2) admin/news.php, (3) admin/user.php, (4) admin/images.php, (5) admin/page.php, or (6) admin/forums.php.

Assigned (20050816)

BID:10284 | URL:http://www.securityfocus.com/bid/10284 | BUGTRAQ:20040504 Vulnerabilities In PHPX 3.26 And Earlier | URL:http://www.securityfocus.com/archive/1/362230 | MISC:http://www.phpx.org/project.php?action=view&project_id=1 | OSVDB:5907 | URL:http://www.osvdb.org/5907 | OSVDB:5908 | URL:http://www.osvdb.org/5908 | OSVDB:5909 | URL:http://www.osvdb.org/5909 | OSVDB:5910 | URL:http://www.osvdb.org/5910 | OSVDB:5911 | URL:http://www.osvdb.org/5911 | SECTRACK:1010061 | URL:http://securitytracker.com/id?1010061 | SECUNIA:11554 | URL:http://secunia.com/advisories/11554

CVE-2004-2403

Cross-site request forgery (CSRF) vulnerability in YaBB 1 GOLD SP 1.3.2 allows remote attackers to perform unauthorized actions as the administrative user via a link or IMG tag to YaBB.pl that specifies the desired action, id, and moda parameters.

Assigned (20050817)

BID:11214 | URL:http://www.securityfocus.com/bid/11214 | BUGTRAQ:20040916 RE: www.proboards.com / YaBB XSS Vuln | URL:http://archives.neohapsis.com/archives/bugtraq/2004-09/0227.html | OSVDB:10243 | URL:http://www.osvdb.org/10243 | SECUNIA:12593 | URL:http://secunia.com/advisories/12593 | XF:yabb-administrative-bypass(17453) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/17453

CVE-2005-0535

Cross-site request forgery (CSRF) vulnerability in MediaWiki 1.3.x before 1.3.11 and 1.4 beta before 1.4 rc1 allows remote attackers to perform unauthorized actions as authenticated MediaWiki users.

Assigned (20050224)

CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=307067 | GENTOO:GLSA-200502-33 | URL:http://www.gentoo.org/security/en/glsa/glsa-200502-33.xml | SECTRACK:1013260 | URL:http://securitytracker.com/id?1013260 | SECUNIA:14360 | URL:http://secunia.com/advisories/14360

CVE-2005-1674

Cross-Site Request Forgery (CSRF) vulnerability in Help Center Live allows remote attackers to perform actions as the administrator via a link or IMG tag to view.php.

Assigned (20050519)

BUGTRAQ:20050517 Help Center Live Vulnerabilities | URL:http://www.securityfocus.com/archive/1/398457/2005-05-15/2005-05-21/0 | MISC:http://www.gulftech.org/?node=research&article_id=00076-05172005

CVE-2005-1947

Cross-site request forgery (CSRF) vulnerability in Invision Gallery before 1.3.1 allows remote attackers to delete albums and images as another user via a link or IMG tag to the (1) albums or (2) delimg actions.

Assigned (20050614)

BUGTRAQ:20050609 Invision Gallery Vulnerabilities | URL:http://marc.info/?l=bugtraq&m=111834146710329&w=2 | MISC:http://www.gulftech.org/?node=research&article_id=00079-06092005

CVE-2005-2059

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) addaddress.php, (2) toggleignore.php, (3) removeignore.php, and (4) removeaddress.php in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to modify settings as another user via a link or IMG tag.

Assigned (20050629)

BUGTRAQ:20050624 Infopop UBB Threads Multiple Vulnerabilities | URL:http://marc.info/?l=bugtraq&m=111963737202040&w=2 | MISC:http://www.gulftech.org/?node=research&article_id=00084-06232005 | MISC:http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351

CVE-2005-2411

Cross-Site Request Forgery (CSRF) vulnerability in tDiary 2.1.1, and tDiary 2.0.1 and earlier, allows remote attackers to conduct actions as another user, and execute commands on the server, via a URL that is activated by the user.

Assigned (20050801)

BID:14500 | URL:http://www.securityfocus.com/bid/14500 | CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=482743 | DEBIAN:DSA-808 | URL:http://www.debian.org/security/2005/dsa-808 | OSVDB:18604 | URL:http://www.osvdb.org/18604 | SECUNIA:16329 | URL:http://secunia.com/advisories/16329 | SECUNIA:16787 | URL:http://secunia.com/advisories/16787 | XF:tdiary-xs-request-forgery(21735) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/21735

CVE-2005-3129

Cross-site request forgery (CSRF) vulnerability in Serendipity 0.8.4 and earlier allows remote attackers to perform unauthorized actions as a logged in user via a link or IMG tag to serendipity_admin.php.

Assigned (20051004)

BUGTRAQ:20050929 Serendipity: Account Hijacking / CSRF Vulnerability | URL:http://marc.info/?l=bugtraq&m=112801570631203&w=2 | FULLDISC:20050929 Serendipity: Account Hijacking / CSRF Vulnerability | URL:http://lists.grok.org.uk/pipermail/full-disclosure/2005-September/037580.html | SECUNIA:17011 | URL:http://secunia.com/advisories/17011/ | XF:serendipity-xs-request-forgery(22456) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/22456

CVE-2005-3618

Cross-site request forgery (CSRF) vulnerability in the management interface for VMware ESX Server 2.0.x before 2.0.2 patch 1, 2.1.x before 2.1.3 patch 1, and 2.x before 2.5.3 patch 2 allows allows remote attackers to perform unauthorized actions as the administrator via URLs, as demonstrated using the setUsr operation to change a password. NOTE: this issue can be leveraged with CVE-2005-3619 to automatically perform the attacks.

Assigned (20051116)

BUGTRAQ:20060731 Corsaire Security Advisory - VMware ESX Server Password Cross Site Request Forgery issue | URL:http://www.securityfocus.com/archive/1/441726/100/100/threaded | BUGTRAQ:20060801 VMSA-2006-0004 Cross site scripting vulnerability and other fixes | URL:http://www.securityfocus.com/archive/1/441825/100/100/threaded | CONFIRM:http://kb.vmware.com/kb/2118366 | MISC:http://www.corsaire.com/advisories/c051114-001.txt | SECTRACK:1016612 | URL:http://securitytracker.com/id?1016612 | SECUNIA:21230 | URL:http://secunia.com/advisories/21230 | VUPEN:ADV-2006-3075 | URL:http://www.vupen.com/english/advisories/2006/3075

CVE-2005-4349

** DISPUTED ** SQL injection vulnerability in server_privileges.php in phpMyAdmin 2.7.0 allows remote authenticated users to execute arbitrary SQL commands via the (1) dbname and (2) checkprivs parameters. NOTE: the vendor and a third party have disputed this issue, saying that the main task of the program is to support query execution by authenticated users, and no external attack scenario exists without an auto-login configuration. Thus it is likely that this issue will be REJECTED. However, a closely related CSRF issue has been assigned CVE-2005-4450.

Assigned (20051219)

BUGTRAQ:20051217 phpMyAdmin server_privileges.php SQL Injection Vulnerabilities. | URL:http://marc.info/?l=bugtraq&m=113486637512821&w=2 | BUGTRAQ:20051219 Re: phpMyAdmin server_privileges.php SQL Injection Vulnerabilities. | URL:http://www.securityfocus.com/archive/1/419829/100/0/threaded | BUGTRAQ:20051219 about phpMyAdmin's server_privileges.php announced vulnerability | URL:http://www.securityfocus.com/archive/1/419832/100/0/threaded | SECUNIA:18113 | URL:http://secunia.com/advisories/18113 | SREASON:270 | URL:http://securityreason.com/securityalert/270 | VUPEN:ADV-2005-2995 | URL:http://www.vupen.com/english/advisories/2005/2995

CVE-2005-4450

Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.7.0 allows remote attackers to perform unauthorized actions as a logged-in user via a link or IMG tag to server_privileges.php, as demonstrated using the dbname and checkprivs parameters. NOTE: the provenance of this issue is unknown, although third parties imply that it is related to the disclosure of CVE-2005-4349, which was labeled as SQL injection but disputed.

Assigned (20051221)

SECUNIA:18113 | URL:http://secunia.com/advisories/18113

CVE-2005-4800

Direct static code injection vulnerability in Yet Another PHP Image Gallery (YaPIG) 0.95b and earlier allows remote authenticated administrators to inject arbitrary PHP code via the TestGallery parameter in a mod_info action to modify_gallery.php, which inserts the code into guid_info.php. NOTE: this issue is easier to exploit due to a separate CSRF vulnerability.

Assigned (20060515)

BUGTRAQ:20051013 Yapig: XSS / Code Injection Vulnerability | URL:http://archives.neohapsis.com/archives/bugtraq/2005-10/0161.html | MISC:http://www.seclab.tuwien.ac.at/advisories/TUVSA-0510-001.txt | OSVDB:19960 | URL:http://www.osvdb.org/19960 | SECUNIA:17041 | URL:http://secunia.com/advisories/17041 | XF:yapig-http-post-privilege-escalation(22753) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/22753

CVE-2005-4801

Multiple cross-site request forgery (CSRF) vulnerabilities in Yet Another PHP Image Gallery (YaPIG) 0.95b and earlier allow remote attackers to perform unauthorized actions as a logged-in user, as demonstrated by tricking the administrator to access a web page that performs a mod_info action in modify_gallery.php.

Assigned (20060515)

BUGTRAQ:20051013 Yapig: XSS / Code Injection Vulnerability | URL:http://archives.neohapsis.com/archives/bugtraq/2005-10/0161.html | MISC:http://www.seclab.tuwien.ac.at/advisories/TUVSA-0510-001.txt | SECUNIA:17041 | URL:http://secunia.com/advisories/17041 | SREASON:79 | URL:http://securityreason.com/securityalert/79 | XF:yapig-http-post-privilege-escalation(22753) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/22753

CVE-2006-0438

Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.19, when Link to off-site Avatar or bbcode (IMG) are enabled, allows remote attackers to perform unauthorized actions as a logged in user via a link or IMG tag in a user profile, as demonstrated using links to (1) admin/admin_users.php and (2) modcp.php.

Assigned (20060126)

FULLDISC:20060203 phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin | URL:http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/041920.html | OSVDB:22929 | URL:http://www.osvdb.org/22929 | SECUNIA:18693 | URL:http://secunia.com/advisories/18693 | SREASON:406 | URL:http://securityreason.com/securityalert/406 | SREASONRES:20060203 phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin | URL:http://securityreason.com/achievement_securityalert/31 | VUPEN:ADV-2006-0445 | URL:http://www.vupen.com/english/advisories/2006/0445 | XF:phpbb-referer-header-http-xss(24497) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/24497

CVE-2006-2495

Cross-site request forgery (CSRF) vulnerability in the Entry Manager in Serendipity before 1.0-beta3 allows remote attackers to perform unauthorized actions as a logged-in user via a link or IMG tag.

Assigned (20060519)

CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=414920&group_id=75065 | SECUNIA:20155 | URL:http://secunia.com/advisories/20155 | VUPEN:ADV-2006-1855 | URL:http://www.vupen.com/english/advisories/2006/1855

CVE-2006-3272

Cross-site request forgery (CSRF) vulnerability in menu.php in Some Chess 1.5 rc2 allows remote attackers to conduct actions as another user, such as changing usernames and passwords, via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained from third party information.

Assigned (20060628)

SECUNIA:20770 | URL:http://secunia.com/advisories/20770 | XF:somechess-menu-xss(27307) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/27307

CVE-2006-3420

Cross-site request forgery (CSRF) vulnerability in editpost.php in MyBulletinBoard (MyBB) before 1.1.5 allows remote attackers to perform unauthorized actions as a logged in user and delete arbitrary forum posts via a bbcode IMG tag with a modified delete parameter in a deletepost action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Assigned (20060706)

OSVDB:26807 | URL:http://www.osvdb.org/26807 | SECUNIA:20659 | URL:http://secunia.com/advisories/20659 | XF:mybb-editpost-xsrf(27682) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/27682

CVE-2006-3479

Cross-site request forgery (CSRF) vulnerability in the del_block function in modules/Admin/block.php in Nuked-Klan 1.7.5 and earlier and 1.7 SP4.2 allows remote attackers to delete arbitrary "blocks" via a link with a modified bid parameter in a del_block op on the block page in index.php.

Assigned (20060710)

BUGTRAQ:20060629 CSRF in Nuked Klan 1.7 SP4.2 | URL:http://www.securityfocus.com/archive/1/438703 | SECUNIA:20898 | URL:http://secunia.com/advisories/20898 | SREASON:1205 | URL:http://securityreason.com/securityalert/1205 | VUPEN:ADV-2006-2615 | URL:http://www.vupen.com/english/advisories/2006/2615 | XF:nukedklan-delblock-csrf(27490) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/27490

CVE-2006-3671

Cross-site request forgery (CSRF) vulnerability in the communicate function in estmaster.c for Hyper Estraier before 1.3.3 allows remote attackers to perform unauthorized actions as other users via unknown vectors.

Assigned (20060717)

CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=432119 | SECUNIA:21049 | URL:http://secunia.com/advisories/21049 | VUPEN:ADV-2006-2827 | URL:http://www.vupen.com/english/advisories/2006/2827

CVE-2006-3829

Cross-site request forgery (CSRF) vulnerability in bmc/admin.php in Kailash Nadh boastMachine (formerly bMachine) 3.1 and earlier allows remote attackers to perform unauthorized actions as an administrator and delete arbitrary user accounts via a delete_user action.

Assigned (20060724)

BUGTRAQ:20060717 boastMachine <= 3.1 SQL Injection Exploit | URL:http://www.securityfocus.com/archive/1/440306/100/0/threaded | MISC:http://www.acid-root.new.fr/advisories/boastmachine.txt | SECTRACK:1016515 | URL:http://securitytracker.com/id?1016515 | SECUNIA:21066 | URL:http://secunia.com/advisories/21066 | SREASON:1252 | URL:http://securityreason.com/securityalert/1252

CVE-2006-4582

Cross-site request forgery (CSRF) vulnerability in The Address Book 1.04e allows remote attackers to perform unauthorized actions as other users via unspecified vectors, as demonstrated by deleting arbitrary users via the id parameter in a deleteuser action in users.php.

Assigned (20060906)

MISC:http://secunia.com/secunia_research/2006-76/advisory/ | OSVDB:32559 | URL:http://osvdb.org/32559 | SECUNIA:21694 | URL:http://secunia.com/advisories/21694 | XF:theaddressbook-users-csrf(31251) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/31251

CVE-2006-4659

The Panda Platinum Internet Security 2006 10.02.01 and 2007 11.00.00 uses predictable URLs for the spam classification of each message, which allows remote attackers to cause Panda to classify arbitrary messages as spam via a web page that contains IMG tags with the predictable URLs. NOTE: this issue could also be regarded as a cross-site request forgery (CSRF) vulnerability.

Assigned (20060908)

BID:19891 | URL:http://www.securityfocus.com/bid/19891 | BUGTRAQ:20060907 SECURITY.NNOV: Panda Platinum Internet Security privilege escalation / bayesian filter control security vulnerabilities | URL:http://www.securityfocus.com/archive/1/445479/100/0/threaded | MISC:http://www.security.nnov.ru/advisories/pandais.asp | SECUNIA:21769 | URL:http://secunia.com/advisories/21769 | SREASON:1524 | URL:http://securityreason.com/securityalert/1524

CVE-2006-5116

Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyAdmin before 2.9.1-rc1 allow remote attackers to perform unauthorized actions as another user by (1) directly setting a token in the URL though dynamic variable evaluation and (2) unsetting arbitrary variables via the _REQUEST array, related to (a) libraries/common.lib.php, (b) session.inc.php, and (c) url_generating.lib.php. NOTE: the PHP unset function vector is covered by CVE-2006-3017.

Assigned (20061002)

BID:20253 | URL:http://www.securityfocus.com/bid/20253 | BUGTRAQ:20061001 Advisory 07/2006: phpMyAdmin Multiple CSRF Vulnerabilities | URL:http://www.securityfocus.com/archive/1/447491/100/0/threaded | CONFIRM:http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.9.1-rc1.tar.gz?download | CONFIRM:http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-5 | DEBIAN:DSA-1207 | URL:http://www.debian.org/security/2006/dsa-1207 | MISC:http://www.hardened-php.net/advisory_072006.130.html | SECUNIA:22126 | URL:http://secunia.com/advisories/22126 | SECUNIA:22781 | URL:http://secunia.com/advisories/22781 | SECUNIA:23086 | URL:http://secunia.com/advisories/23086 | SREASON:1677 | URL:http://securityreason.com/securityalert/1677 | SUSE:SUSE-SA:2006:071 | URL:http://lists.suse.com/archive/suse-security-announce/2006-Nov/0010.html | VIM:20061003 Concerning CSRF in phpMyAdmin 2.9.0.1 (CVE-2006-5116) | URL:http://attrition.org/pipermail/vim/2006-October/001067.html | XF:phpmyadmin-multiple-csrf(29301) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/29301

CVE-2006-5175

Cross-site request forgery (CSRF) vulnerability in the administrative interface for the TeraStation HD-HTGL firmware 2.05 beta 1 and earlier allows remote attackers to modify configurations or delete arbitrary data via unspecified vectors.

Assigned (20061005)

JVN:JVN#93484133 | URL:http://jvn.jp/jp/JVN%2393484133/index.html | SECUNIA:22248 | URL:http://secunia.com/advisories/22248 | VUPEN:ADV-2006-3891 | URL:http://www.vupen.com/english/advisories/2006/3891 | XF:terastation-admin-interface-csrf(29338) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/29338

CVE-2006-5204

Cross-site scripting (XSS) vulnerability in action_admin/member.php in Invision Power Board (IPB) 2.1.7 and earlier allows remote authenticated users to inject arbitrary web script or HTML via a reference to a script in the avatar setting, which can be leveraged for a cross-site request forgery (CSRF) attack involving forced SQL execution by an admin.

Assigned (20061009)

BUGTRAQ:20061004 Invision Power Board Multiple Vulnerabilities | URL:http://www.securityfocus.com/archive/1/447710/100/0/threaded | CONFIRM:http://forums.invisionpower.com/index.php?showtopic=227937 | SECUNIA:22272 | URL:http://secunia.com/advisories/22272 | VUPEN:ADV-2006-3927 | URL:http://www.vupen.com/english/advisories/2006/3927 | XF:ipb-avatar-image-xss(29351) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/29351

CVE-2006-5455

Cross-site request forgery (CSRF) vulnerability in editversions.cgi in Bugzilla before 2.22.1 and 2.23.x before 2.23.3 allows user-assisted remote attackers to create, modify, or delete arbitrary bug reports via a crafted URL.

Assigned (20061023)

BID:20538 | URL:http://www.securityfocus.com/bid/20538 | BUGTRAQ:20061015 Security Advisory for Bugzilla 2.18.5, 2.20.2, 2.22, and 2.23.2 | URL:http://www.securityfocus.com/archive/1/448777/100/100/threaded | CONFIRM:http://www.bugzilla.org/security/2.18.5/ | CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=281181 | GENTOO:GLSA-200611-04 | URL:http://security.gentoo.org/glsa/glsa-200611-04.xml | OSVDB:29548 | URL:http://www.osvdb.org/29548 | SECUNIA:22409 | URL:http://secunia.com/advisories/22409 | SECUNIA:22790 | URL:http://secunia.com/advisories/22790 | SREASON:1760 | URL:http://securityreason.com/securityalert/1760 | VUPEN:ADV-2006-4035 | URL:http://www.vupen.com/english/advisories/2006/4035 | XF:bugzilla-url-modify-configuration(29618) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/29618

CVE-2006-5476

Cross-site request forgery (CSRF) vulnerability in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows remote attackers to perform unauthorized actions as an arbitrary user via unspecified vectors.

Assigned (20061024)

BUGTRAQ:20061019 [DRUPAL-SA-2006-025] Drupal 4.6.10 / 4.7.4 fixes CRF issue | URL:http://www.securityfocus.com/archive/1/449199/100/0/threaded | CONFIRM:http://drupal.org/node/88828 | OPENPKG:OpenPKG-SA-2006.025-drupal | URL:http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.025-drupal.html | SECUNIA:22486 | URL:http://secunia.com/advisories/22486 | SREASON:1765 | URL:http://securityreason.com/securityalert/1765 | VUPEN:ADV-2006-4120 | URL:http://www.vupen.com/english/advisories/2006/4120 | XF:drupal-unspecified-csrf(29679) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/29679

CVE-2006-5878

Cross-site request forgery (CSRF) vulnerability in Edgewall Trac 0.10 and earlier allows remote attackers to perform unauthorized actions as other users via unknown vectors.

Assigned (20061114)

CONFIRM:http://trac.edgewall.org/wiki/ChangeLog | DEBIAN:DSA-1209 | URL:http://www.debian.org/security/2006/dsa-1209 | GENTOO:GLSA-200612-14 | URL:http://security.gentoo.org/glsa/glsa-200612-14.xml | MISC:http://trac.edgewall.org/ticket/4049 | SECUNIA:22789 | URL:http://secunia.com/advisories/22789 | SECUNIA:22868 | URL:http://secunia.com/advisories/22868 | SECUNIA:23357 | URL:http://secunia.com/advisories/23357 | VUPEN:ADV-2006-4422 | URL:http://www.vupen.com/english/advisories/2006/4422 | XF:trac-unspecified-csrf(30146) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/30146

CVE-2006-6508

Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.21 allows remote authenticated users to send unauthorized messages as an arbitrary user via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Assigned (20061213)

DEBIAN:DSA-1488 | URL:http://www.debian.org/security/2008/dsa-1488 | SECUNIA:23283 | URL:http://secunia.com/advisories/23283 | SECUNIA:28871 | URL:http://secunia.com/advisories/28871 | XF:phpbb-message-csrf(30786) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/30786

CVE-2006-6701

Cross-site request forgery (CSRF) vulnerability in util.pl in @Mail WebMail 4.51, and util.php in 5.x before 5.03, allows remote attackers to modify arbitrary settings and perform unauthorized actions as an arbitrary user, as demonstrated using a settings action in the SRC attribute of an IMG element in an HTML e-mail.

Assigned (20061222)

BUGTRAQ:20070125 [NETRAGARD-20061218 SECURITY ADVISORY] [@Mail WebMail Cross Site Request Forgery] | URL:http://www.securityfocus.com/archive/1/458109/100/100/threaded | CONFIRM:http://terra.calacode.com/mail/docs/changelog.html | FULLDISC:20070125 [NETRAGARD-20061218 SECURITY ADVISORY] [@Mail WebMail Cross Site Request Forgery] | URL:http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0512.html | MISC:http://www.netragard.com/html/recent_research.html | MISC:http://www.netragard.com/pdfs/research/ATMAIL-XSRF-ADVISORY-20061206.txt | SECTRACK:1017435 | URL:http://securitytracker.com/id?1017435 | SECUNIA:23472 | URL:http://secunia.com/advisories/23472 | SECUNIA:25328 | URL:http://secunia.com/advisories/25328 | VUPEN:ADV-2007-1864 | URL:http://www.vupen.com/english/advisories/2007/1864 | XF:@mail-unspecified-csrf(31259) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/31259

CVE-2006-6741

Cross-site request forgery (CSRF) vulnerability in urlobox in MKPortal allows remote attackers to delete arbitrary messages as an administrator via a delete operation in an img BBcode tag.

Assigned (20061226)

BUGTRAQ:20061219 MkPortal Urlobox Cross Site Request Forgery | URL:http://www.securityfocus.com/archive/1/454868/100/0/threaded | SECUNIA:23431 | URL:http://secunia.com/advisories/23431 | VUPEN:ADV-2006-5115 | URL:http://www.vupen.com/english/advisories/2006/5115

CVE-2007-0044

Adobe Acrobat Reader Plugin before 8.0.0 for the Firefox, Internet Explorer, and Opera web browsers allows remote attackers to force the browser to make unauthorized requests to other web sites via a URL in the (1) FDF, (2) xml, and (3) xfdf AJAX request parameters, following the # (hash) character, aka "Universal CSRF and session riding."

Assigned (20070103)

BID:21858 | URL:http://www.securityfocus.com/bid/21858 | BUGTRAQ:20070103 Adobe Acrobat Reader Plugin - Multiple Vulnerabilities | URL:http://www.securityfocus.com/archive/1/455801/100/0/threaded | GENTOO:GLSA-200701-16 | URL:http://security.gentoo.org/glsa/glsa-200701-16.xml | MISC:http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf | MISC:http://www.wisec.it/vulns.php?page=9 | OVAL:oval:org.mitre.oval:def:10042 | URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10042 | REDHAT:RHSA-2008:0144 | URL:http://www.redhat.com/support/errata/RHSA-2008-0144.html | SECTRACK:1017469 | URL:http://securitytracker.com/id?1017469 | SECUNIA:23812 | URL:http://secunia.com/advisories/23812 | SECUNIA:23882 | URL:http://secunia.com/advisories/23882 | SECUNIA:29065 | URL:http://secunia.com/advisories/29065 | SREASON:2090 | URL:http://securityreason.com/securityalert/2090 | SUSE:SUSE-SA:2007:011 | URL:http://lists.suse.com/archive/suse-security-announce/2007-Jan/0012.html | VUPEN:ADV-2007-0032 | URL:http://www.vupen.com/english/advisories/2007/0032 | XF:adobe-acrobat-pdf-csrf(31266) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/31266

CVE-2007-0101

Cross-site request forgery (CSRF) vulnerability in SPINE allows remote attackers to perform unauthorized actions as administrators via unspecified vectors. NOTE: some of these details are obtained from third party information.

Assigned (20070108)

MISC:http://spine.sourceforge.net/changelog.html | OSVDB:32577 | URL:http://osvdb.org/32577 | SECUNIA:23537 | URL:http://secunia.com/advisories/23537 | VUPEN:ADV-2007-0042 | URL:http://www.vupen.com/english/advisories/2007/0042 | XF:spine-unspecified-csrf(31283) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/31283

CVE-2007-0106

Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via a CSRF attack with an invalid token and quote characters or HTML tags in URL variable names, which are not properly handled when WordPress generates a new link to verify the request.

Assigned (20070108)

BID:21893 | URL:http://www.securityfocus.com/bid/21893 | BUGTRAQ:20070105 Advisory 01/2007: WordPress CSRF Protection XSS Vulnerability | URL:http://www.securityfocus.com/archive/1/456048/100/0/threaded | CONFIRM:http://wordpress.org/development/2007/01/wordpress-206/ | MISC:http://www.hardened-php.net/advisory_012007.140.html | OSVDB:33397 | URL:http://osvdb.org/33397 | SECUNIA:23595 | URL:http://secunia.com/advisories/23595 | SREASON:2114 | URL:http://securityreason.com/securityalert/2114 | VUPEN:ADV-2007-0061 | URL:http://www.vupen.com/english/advisories/2007/0061

CVE-2007-0192

Cross-site request forgery (CSRF) vulnerability in the save_main operation in the ad_perms section in admin.php in MKPortal allows remote attackers to modify privilege settings, as demonstrated using a getURL of admin.php within a .swf file contained in an IFRAME element, aka the "All Guests are Admin" attack.

Assigned (20070110)

BUGTRAQ:20070104 MkPortal "All Guests are Admin" Exploit | URL:http://www.securityfocus.com/archive/1/455894/100/100/threaded | OSVDB:33400 | URL:http://osvdb.org/33400 | SREASON:2137 | URL:http://securityreason.com/securityalert/2137

CVE-2007-0622

Cross-site request forgery (CSRF) vulnerability in MyBB (aka MyBulletinBoard) 1.2.2 allows remote attackers to send messages to arbitrary users. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Assigned (20070131)

OSVDB:32968 | URL:http://osvdb.org/32968 | SECUNIA:23934 | URL:http://secunia.com/advisories/23934

CVE-2007-0652

Cross-site request forgery (CSRF) vulnerability in MailEnable Professional before 2.37 allows remote attackers to modify arbitrary configurations and perform unauthorized actions as arbitrary users via a link or IMG tag.

Assigned (20070201)

BID:22554 | URL:http://www.securityfocus.com/bid/22554 | BUGTRAQ:20070214 Secunia Research: MailEnable Web Mail Client MultipleVulnerabilities | URL:http://www.securityfocus.com/archive/1/460063/100/0/threaded | MISC:http://secunia.com/secunia_research/2007-38/advisory/ | OSVDB:33191 | URL:http://osvdb.org/33191 | SECUNIA:23998 | URL:http://secunia.com/advisories/23998 | SREASON:2258 | URL:http://securityreason.com/securityalert/2258 | VUPEN:ADV-2007-0595 | URL:http://www.vupen.com/english/advisories/2007/0595

CVE-2007-0912

Cross-Site Request Forgery (CSRF) vulnerability in admin/admin.adm.php in Jportal 2.3.1, and possibly earlier, allows remote attackers to perform privileged actions as administrators by tricking the admin into accessing a URL with modified arguments to admin/admin.adm.php.

Assigned (20070213)

BUGTRAQ:20070211 Jportal 2.3.1 CSRF vulnerability | URL:http://www.securityfocus.com/archive/1/459827/100/0/threaded | OSVDB:33712 | URL:http://osvdb.org/33712 | SREASON:2239 | URL:http://securityreason.com/securityalert/2239 | XF:jportal-admin-csrf(32458) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/32458

CVE-2007-1157

Cross-site request forgery (CSRF) vulnerability in jmx-console/HtmlAdaptor in JBoss allows remote attackers to perform privileged actions as administrators via certain MBean operations, a different vulnerability than CVE-2006-3733.

Assigned (20070227)

BUGTRAQ:20070222 JBoss jmx-console CSRF | URL:http://www.securityfocus.com/archive/1/460934/100/0/threaded | BUGTRAQ:20070223 Re: JBoss jmx-console CSRF | URL:http://www.securityfocus.com/archive/1/461004/100/0/threaded | OSVDB:33142 | URL:http://osvdb.org/33142 | XF:jboss-jmxconsole-csrf(32673) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/32673

CVE-2007-1180

WebAPP before 0.9.9.5 does not check referrers in certain forms, which might facilitate remote cross-site request forgery (CSRF) attacks or have other unknown impact.

Assigned (20070228)

BID:22563 | URL:http://www.securityfocus.com/bid/22563 | CONFIRM:http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250 | OSVDB:33285 | URL:http://osvdb.org/33285 | SECUNIA:24080 | URL:http://secunia.com/advisories/24080 | VUPEN:ADV-2007-0604 | URL:http://www.vupen.com/english/advisories/2007/0604

CVE-2007-1244

Cross-site request forgery (CSRF) vulnerability in the AdminPanel in WordPress 2.1.1 and earlier allows remote attackers to perform privileged actions as administrators, as demonstrated using the delete action in wp-admin/post.php. NOTE: this issue can be leveraged to perform cross-site scripting (XSS) attacks and steal cookies via the post parameter.

Assigned (20070303)

BID:22735 | URL:http://www.securityfocus.com/bid/22735 | BUGTRAQ:20070226 WordPress AdminPanel CSRF/XSS - 0day | URL:http://www.securityfocus.com/archive/1/461351/100/0/threaded | FULLDISC:20070226 WordPress AdminPanel CSRF/XSS - 0day | URL:http://archives.neohapsis.com/archives/fulldisclosure/2007-02/0583.html | GENTOO:GLSA-200703-23 | URL:http://www.gentoo.org/security/en/glsa/glsa-200703-23.xml | OSVDB:33787 | URL:http://osvdb.org/33787 | OSVDB:33788 | URL:http://osvdb.org/33788 | SECUNIA:24566 | URL:http://secunia.com/advisories/24566 | XF:wordpress-post-csrf(32703) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/32703

CVE-2007-1332

Multiple cross-site request forgery (CSRF) vulnerabilities in TKS Banking Solutions ePortfolio 1.0 Java allow remote attackers to perform unspecified restricted actions in the context of certain accounts by bypassing the client-side protection scheme.

Assigned (20070307)

BID:22829 | URL:http://www.securityfocus.com/bid/22829 | BUGTRAQ:20070305 ePortfolio version 1.0 Java Multiple Input Validation Vulnerabilities | URL:http://www.securityfocus.com/archive/1/461895/100/0/threaded | MISC:http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2893 | MISC:http://www.scip.ch/publikationen/advisories/scip_advisory-2893_eportfolio_%201.0_java_multiple_vulnerabilities.txt | SECUNIA:24331 | URL:http://secunia.com/advisories/24331 | SREASON:2385 | URL:http://securityreason.com/securityalert/2385

CVE-2007-1489

Unspecified vulnerability in web-app.org Web Automated Perl Portal (WebAPP) 0.9.9.4 to 0.9.9.6 allows remote attackers to obtain admin access by modifying cookies and performing "certain consecutive actions," possibly due to a cross-site request forgery (CSRF) vulnerability.

Assigned (20070316)

CONFIRM:http://www.web-app.org/cgi-bin/index.cgi?action=downloadinfo&cat=crip&id=2 | CONFIRM:http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=256 | CONFIRM:http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=259 | OSVDB:33273 | URL:http://osvdb.org/33273 | SECUNIA:24540 | URL:http://secunia.com/advisories/24540 | VIM:20070320 WebAPP Audit | URL:http://www.attrition.org/pipermail/vim/2007-March/001446.html

CVE-2007-1520

The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 and earlier does not ensure the SERVER superglobal is an array before validating the HTTP_REFERER, which allows remote attackers to conduct CSRF attacks.

Assigned (20070320)

BUGTRAQ:20070309 Php Nuke POST XSS on steroids | URL:http://www.securityfocus.com/archive/1/462308/100/100/threaded | BUGTRAQ:20070311 Re: Php Nuke POST XSS on steroids | URL:http://www.securityfocus.com/archive/1/462575/100/0/threaded | BUGTRAQ:20070313 Re: Php Nuke POST XSS on steroids | URL:http://www.securityfocus.com/archive/1/462727/100/0/threaded | MISC:http://phpfi.com/214668 | MISC:http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/ | MISC:http://www.wisec.it/ush/phpnukexss.html | OSVDB:34501 | URL:http://osvdb.org/34501 | SECUNIA:24629 | URL:http://secunia.com/advisories/24629

CVE-2007-1638

Multiple cross-site request forgery (CSRF) vulnerabilities in the check_csrftoken function in lib/lib.inc.php in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allow remote attackers to perform unauthorized actions as an arbitrary user via the (1) Projects, (2) Contacts, (3) Helpdesk, (4) Notes, (5) Search, (6) Mail, or (7) Filemanager module; the (9) summary page; or unspecified other files.

Assigned (20070323)

BUGTRAQ:20070314 n.runs-SA-2007.005 - PHProjekt 5.2.0 - Cross Site Request Forgery | URL:http://www.securityfocus.com/archive/1/462786/100/100/threaded | CONFIRM:http://www.phprojekt.com/index.php?name=News&file=article&sid=276 | GENTOO:GLSA-200706-07 | URL:http://security.gentoo.org/glsa/glsa-200706-07.xml | MISC:http://www.nruns.de/security_advisory_phprojekt_csrf.php | OSVDB:35162 | URL:http://osvdb.org/35162 | SECUNIA:24509 | URL:http://secunia.com/advisories/24509 | SECUNIA:25748 | URL:http://secunia.com/advisories/25748 | SREASON:2477 | URL:http://securityreason.com/securityalert/2477 | XF:phprojekt-multiple-modules-csrf(32989) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/32989


Page created:

CVE year by year statistics.

CVE year statistics by common vulnerability domain.

Latest data from: 2024-03-25