CSRF Cross-Site Request Forgery

IPFire 2.19 has a Remote Command Injection vulnerability in ids.cgi via the OINKCODE parameter, which is mishandled by a shell. This can be exploited directly by authenticated users, or through CSRF. (CVSS:0.0) (Last Update:2017-06-19)

atmail before 7.8.0.2 has CSRF, allowing an attacker to create a user account. (CVSS:0.0) (Last Update:2017-06-08)

atmail before 7.8.0.2 has CSRF, allowing an attacker to upload and import users via CSV. (CVSS:0.0) (Last Update:2017-06-08)

CSRF exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The CGI scripts in the administrative interface are affected. This allows an attacker to execute commands, if a logged in user visits a malicious website. This can for example be used to change the credentials of the administrative webinterface. (CVSS:0.0) (Last Update:2017-06-05)

In SimpleCE 2.3.0, a CSRF vulnerability can be exploited to add an administrator account (via the index.php/user/new URI) or change its settings (via the index.php/user/1 URI), including its password. (CVSS:0.0) (Last Update:2017-06-15)

atmail before 7.8.0.2 has CSRF, allowing an attacker to change the SMTP hostname and hijack all emails. (CVSS:0.0) (Last Update:2017-06-08)

BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages), the index.php/admin/developer/upgrade/ignore/?versions= URI, and the index.php/admin/developer/upgrade/set-ftp-directory/ URI. (CVSS:0.0) (Last Update:2017-06-05)

Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-statistics\404\clear.php and the from or to parameter to core\admin\modules\dashboard\vitals-statistics\404\create-301.php. (CVSS:0.0) (Last Update:2017-06-02)