Total
4240 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-6940 | 1 Nat32 | 1 Nat32 | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| A /shell?cmd= XSS issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with CSRF. | |||||
| CVE-2019-14240 | 1 Wcms | 1 Wcms | 2020-08-24 | 5.8 MEDIUM | 8.1 HIGH |
| WCMS v0.3.2 has a CSRF vulnerability, with resultant directory traversal, to modify index.html via the /wex/html.php?finish=../index.html URI. | |||||
| CVE-2019-14228 | 1 Angry-frog | 1 Xavier | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Xavier PHP Management Panel 3.0 is vulnerable to Reflected POST-based XSS via the username parameter when registering a new user at admin/includes/adminprocess.php. If there is an error when registering the user, the unsanitized username will reflect via the error page. Due to the lack of CSRF protection on the admin/includes/adminprocess.php endpoint, an attacker is able to chain the XSS with CSRF in order to cause remote exploitation. | |||||
| CVE-2020-12480 | 1 Lightbend | 1 Play Framework | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed. | |||||
| CVE-2020-7304 | 1 Mcafee | 1 Data Loss Prevention | 2020-08-24 | 5.2 MEDIUM | 7.6 HIGH |
| Cross site request forgery vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.5.3 allows authenticated remote attacker to embed a CRSF script via adding a new label. | |||||
| CVE-2012-4205 | 4 Canonical, Mozilla, Opensuse and 1 more | 8 Ubuntu Linux, Firefox, Seamonkey and 5 more | 2020-08-21 | 6.8 MEDIUM | N/A |
| Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 assign the system principal, rather than the sandbox principal, to XMLHttpRequest objects created in sandboxes, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks or obtain sensitive information by leveraging a sandboxed add-on. | |||||
| CVE-2016-11085 | 1 Expresstech | 1 Quiz And Survey Master | 2020-08-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| php/qmn_options_questions_tab.php in the quiz-master-next plugin before 4.7.9 for WordPress allows CSRF, with resultant stored XSS, via the question_name parameter because js/admin_question.js mishandles parsing inside of a SCRIPT element. | |||||
| CVE-2017-12439 | 1 Socusoft | 1 Flash Slideshow Maker | 2020-08-19 | 5.1 MEDIUM | 7.5 HIGH |
| SocuSoft Flash Slideshow Maker Professional through v5.20, when the advanced configuration is used, has an xml_path HTTP parameter that trusts user-supplied input, in conjunction with an unsafe XML configuration file. This has resultant content forgery, cross site scripting, and unvalidated redirection issues. | |||||
| CVE-2018-1434 | 1 Ibm | 14 San Volume Controller, San Volume Controller Firmware, Spectrum Virtualize and 11 more | 2020-08-19 | 6.8 MEDIUM | 8.8 HIGH |
| IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ( 6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) are vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 139474. | |||||
| CVE-2013-6365 | 3 Debian, Horde, Opensuse | 3 Debian Linux, Groupware, Opensuse | 2020-08-18 | 2.6 LOW | 5.3 MEDIUM |
| Horde Groupware Web mail 5.1.2 has CSRF with requests to change permissions | |||||
| CVE-2013-6364 | 2 Debian, Horde | 2 Debian Linux, Groupware | 2020-08-18 | 6.8 MEDIUM | 8.8 HIGH |
| Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book | |||||
| CVE-2013-6275 | 2 Debian, Horde | 2 Debian Linux, Groupware | 2020-08-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| Multiple CSRF issues in Horde Groupware Webmail Edition 5.1.2 and earlier in basic.php. | |||||
| CVE-2020-7029 | 1 Avaya | 2 Aura Communication Manager, Aura Messaging | 2020-08-17 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged level of the authenticated user. Affected versions of Communication Manager are 7.0.x, 7.1.x prior to 7.1.3.5 and 8.0.x. Affected versions of Messaging are 7.0.x, 7.1 and 7.1 SP1. | |||||
| CVE-2020-2237 | 1 Jenkins | 1 Flaky Test Handler | 2020-08-13 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Flaky Test Handler Plugin 1.0.4 and earlier allows attackers to rebuild a project at a previous git revision. | |||||
| CVE-2020-2235 | 1 Jenkins | 1 Pipeline Maven Integration | 2020-08-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline Maven Integration Plugin 3.8.2 and earlier allows attackers to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins. | |||||
| CVE-2020-14319 | 1 Redhat | 2 Amq Online, Enmasse | 2020-08-12 | 4.0 MEDIUM | 5.9 MEDIUM |
| It was found that the AMQ Online console is vulnerable to a Cross-Site Request Forgery (CSRF) which is exploitable in cases where preflight checks are not instigated or bypassed. For example authorised users using an older browser with Adobe Flash are vulnerable when targeted by an attacker. This flaw affects all versions of AMQ-Online prior to 1.5.2 and Enmasse versions 0.31.0-rc1 up until but not including 0.32.2. | |||||
| CVE-2020-15135 | 1 Save-server Project | 1 Save-server | 2020-08-10 | 6.8 MEDIUM | 7.6 HIGH |
| save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF attack would require you to navigate to a malicious site while you have an active session with Save-Server (Session key stored in cookies). The malicious user would then be able to perform some actions, including uploading/deleting files and adding redirects. If you are logged in as root, this attack is significantly more severe. They can in addition create, delete and update users. If they updated the password of a user, that user's files would then be available. If the root password is updated, all files would be visible if they logged in with the new password. Note that due to the same origin policy malicious actors cannot view the gallery or the response of any of the methods, nor be sure they succeeded. This issue has been patched in version 1.0.7. | |||||
| CVE-2020-5615 | 2 Calendar01 Project, Calendar02 Project | 2 Calendar01, Calendar02 | 2020-08-06 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in [Calendar01] free edition ver1.0.0 and [Calendar02] free edition ver1.0.0 allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2020-16252 | 1 Field Test Project | 1 Field Test | 2020-08-05 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Field Test gem 0.2.0 through 0.3.2 for Ruby allows CSRF. | |||||
| CVE-2020-16253 | 1 Pghero Project | 1 Pghero | 2020-08-05 | 5.8 MEDIUM | 8.1 HIGH |
| The PgHero gem through 2.6.0 for Ruby allows CSRF. | |||||