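Filter CVEs associated with vulnerabilities classified as CSRF by publication year. The list is ordered with the most recently published entries first, and can be narrowed further by the CVSS / EPSS risk metrics.
This view helps security teams keep track of recent vulnerability disclosures and trends and quickly identify high-risk issues and the potential for exploitation.
Showing CVEs published in 2018 and classified as CSRF.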
| CVE | Description | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|
| CVE-2018-20613 | TEMMOKU T1.09 Beta allows admin/user/add CSRF. | 8.8 | 0.14% | 2018-12-30 | 2024-11-21 |
| CVE-2018-20612 | UWA 2.3.11 allows index.php?g=admin&c=admin&a=add_admin_do CSRF. | 8.8 | 0.14% | 2018-12-30 | 2024-11-21 |
| CVE-2018-20603 | Lei Feng TV CMS (aka LFCMS) 3.8.6 allows admin.php?s=/Member/add.html CSRF. | 8.8 | 0.14% | 2018-12-30 | 2024-11-21 |
| CVE-2018-20598 | UCMS 1.4.7 has ?do=user_addpost CSRF. | 8.8 | 0.14% | 2018-12-30 | 2024-11-21 |
| CVE-2018-20595 | A CSRF issue was discovered in web/authorization/oauth2/controller/OAuth2ClientController.java in hsweb 3.0.4 because the state parameter in the request is not compared with the state parameter in the session after user authentication is successful. | 8.8 | 0.08% | 2018-12-30 | 2024-11-21 |
| CVE-2018-20577 | Orange Livebox 00.96.320S devices allow cgi-bin/restore.exe, cgi-bin/firewall_SPI.exe, cgi-bin/setup_remote_mgmt.exe, cgi-bin/setup_pass.exe, and cgi-bin/upgradep.exe CSRF. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2. | 9.1 | 0.14% | 2018-12-28 | 2024-11-21 |
| CVE-2018-20576 | Orange Livebox 00.96.320S devices allow cgi-bin/autodialing.exe and cgi-bin/phone_test.exe CSRF, leading to arbitrary outbound telephone calls to an attacker-specified telephone number. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2. | 5.4 | 0.11% | 2018-12-28 | 2024-11-21 |
| CVE-2018-18696 | main.aspx in Microstrategy Analytics 10.4.0026.0049 and earlier has CSRF. NOTE: The vendor claims that documentation for preventing a CSRF attack has been provided (https://community.microstrategy.com/s/article/KB37643-New-security-feature-introduced-in-MicroStrategy-Web-9-0?language=en_US) and disagrees that this issue is a vulnerability. They also claim that MicroStrategy was never properly informed of this issue via normal support channels or their vulnerability reporting page on their websit | 8.8 | 0.19% | 2018-12-28 | 2024-11-21 |
| CVE-2018-15334 | A cross-site request forgery (CSRF) vulnerability in the APM webtop 11.2.1 or greater may allow attacker to force an APM webtop session to log out and require re-authentication. | 4.3 | 0.28% | 2018-12-28 | 2024-11-21 |
| CVE-2018-19182 | Engelsystem before commit hash 2e28336 allows CSRF. | 8.8 | 0.10% | 2018-12-26 | 2024-11-21 |
| CVE-2018-20419 | DouCo DouPHP 1.5 has upload/admin/manager.php?rec=insert CSRF to add an administrator account. | 8.8 | 0.07% | 2018-12-24 | 2024-11-21 |
| CVE-2018-8892 | A cross-site request forgery (CSRF) vulnerability in the Management Console of BlackBerry UEM versions earlier than 12.9.1 could allow an attacker to make modifications to the UEM settings in the context of a Management Console administrator. | 6.5 | 0.05% | 2018-12-20 | 2024-11-21 |
| CVE-2018-1000858 | GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060. | 8.8 | 0.22% | 2018-12-20 | 2024-11-21 |
| CVE-2018-1000846 | FreshDNS version 1.0.3 and earlier contains a Cross ite Request Forgery (CSRF) vulnerability in All (authenticated) API calls in index.php / class.manager.php that can result in Editing domains and zones with victim's privileges. This attack appear to be exploitable via Victim must open a website containing attacker's javascript. This vulnerability appears to have been fixed in 1.0.5 and later. | 8.8 | 0.23% | 2018-12-20 | 2024-11-21 |
| CVE-2018-1000843 | Luigi version prior to version 2.8.0; after commit 53b52e12745075a8acc016d33945d9d6a7a6aaeb; after GitHub PR spotify/luigi/pull/1870 contains a Cross ite Request Forgery (CSRF) vulnerability in API endpoint: /api/<method> that can result in Task metadata such as task name, id, parameter, etc. will be leaked to unauthorized users. This attack appear to be exploitable via The victim must visit a specially crafted webpage from the network where their Luigi server is accessible.. This vulnerability | 8.8 | 0.14% | 2018-12-20 | 2024-11-21 |
| CVE-2018-1661 | IBM DataPower Gateways 7.5, 7.5.1, 7.5.2, and 7.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 144887. | 6.5 | 0.15% | 2018-12-20 | 2024-11-21 |
| CVE-2018-20231 | Cross Site Request Forgery (CSRF) in the two-factor-authentication plugin before 1.3.13 for WordPress allows remote attackers to disable 2FA via the tfa_enable_tfa parameter due to missing nonce validation. | 8.8 | 0.13% | 2018-12-19 | 2024-11-21 |
| CVE-2018-20228 | Subsonic V6.1.5 allows internetRadioSettings.view streamUrl CSRF, with resultant SSRF. | 8.0 | 0.14% | 2018-12-19 | 2024-11-21 |
| CVE-2018-19829 | Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known. | 6.5 | 0.32% | 2018-12-18 | 2024-11-21 |
| CVE-2018-18921 | PHP Server Monitor before 3.3.2 has CSRF, as demonstrated by a Delete action. | 6.5 | 0.13% | 2018-12-18 | 2024-11-21 |