Horse Market Sell & Rent Portal Script 1.5.7 has a CSRF vulnerability through which an attacker can change all of the target’s account information remotely.
CWE-352
CVE-2018-11126
dg-user/?controller=users&action=add in doorGets 7.0 has CSRF that results in adding an administrator account.
CVE-2018-11127
e107 2.1.7 has CSRF resulting in arbitrary user deletion.
CVE-2018-11018
An issue was discovered in PbootCMS v1.0.7. Cross-site request forgery (CSRF) vulnerability in apps/admin/controller/system/RoleController.php allows remote attackers to add administrator accounts via admin.php/role/add.html.
CVE-2018-10957
CSRF exists on D-Link DIR-868L devices, leading to (for example) a change to the Admin password. hedwig.cgi and pigwidgeon.cgi are two of the affected components.
CVE-2018-1098
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can’t PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.