Total
4240 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-17590 | 1 Csrf Magic Project | 1 Csrf Magic | 2020-02-25 | 6.8 MEDIUM | 8.8 HIGH |
| ** DISPUTED ** The csrf_callback function in the CSRF Magic library through 2016-03-27 is vulnerable to CSRF protection bypass as it allows one to tamper with the csrf token values. A remote attacker can exploit this by crafting a malicious page and dispersing it to a victim via social engineering, enticing them to click the link. Once the user/victim clicks the "try again" button, the attacker can take over the account and perform unintended actions on the victim's behalf. NOTE: A third-party maintainer has stated that this CVE is a false report. They state that the csrf_callback function is actually a callback function to the callers own handler for output. The function called can be changed via configuration to a custom callback to handle failed validation differently. They also stated that there is no way for an attacker to change tokens to make them valid from the client side. The only thing an attack can do is to pull the token out of the javascript, but that will always be possible and has nothing to do with the callback. | |||||
| CVE-2013-2109 | 1 Undolog | 1 Wp Cleanfix | 2020-02-24 | 6.8 MEDIUM | 8.8 HIGH |
| WordPress plugin wp-cleanfix has Remote Code Execution | |||||
| CVE-2019-19662 | 1 Maxum | 1 Rumpus Ftp | 2020-02-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| A CSRF vulnerability exists in the Web File Manager's Create/Delete Accounts functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can Create and Delete accounts via RAPR/TriggerServerFunction.html. | |||||
| CVE-2019-19664 | 1 Maxum | 1 Rumpus Ftp | 2020-02-24 | 5.8 MEDIUM | 7.1 HIGH |
| A CSRF vulnerability exists in the Web Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server Web settings at RAPR/WebSettingsGeneralSet.html. | |||||
| CVE-2020-9341 | 1 Auieo | 1 Candidats | 2020-02-24 | 6.8 MEDIUM | 8.8 HIGH |
| CandidATS 2.1.0 is vulnerable to CSRF that allows for an administrator account to be added via the index.php?m=settings&a=addUser URI. | |||||
| CVE-2020-3114 | 1 Cisco | 1 Data Center Network Manager | 2020-02-24 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link while having an active session on an affected device. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user. | |||||
| CVE-2019-12246 | 1 Silverstripe | 1 Silverstripe | 2020-02-20 | 4.3 MEDIUM | 4.3 MEDIUM |
| SilverStripe through 4.3.3 allows a Denial of Service on flush and development URL tools. | |||||
| CVE-2019-12437 | 1 Silverstripe | 1 Silverstripe | 2020-02-20 | 6.8 MEDIUM | 8.8 HIGH |
| In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations, | |||||
| CVE-2020-5530 | 1 Realestateconnected | 1 Easy Property Listings | 2020-02-19 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Easy Property Listings versions prior to 3.4 allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2020-9266 | 1 Soplanning | 1 Soplanning | 2020-02-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| SOPlanning 1.45 is vulnerable to a CSRF attack that allows for arbitrary changing of the admin password via process/xajax_server.php. | |||||
| CVE-2020-9267 | 1 Soplanning | 1 Soplanning | 2020-02-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| SOPlanning 1.45 is vulnerable to a CSRF attack that allows for arbitrary user creation via process/xajax_server.php. | |||||
| CVE-2020-9270 | 1 Icehrm | 1 Icehrm | 2020-02-18 | 6.8 MEDIUM | 8.8 HIGH |
| ICE Hrm 26.2.0 is vulnerable to CSRF that leads to password reset via service.php. | |||||
| CVE-2020-9271 | 1 Icehrm | 1 Icehrm | 2020-02-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| ICE Hrm 26.2.0 is vulnerable to CSRF that leads to user creation via service.php. | |||||
| CVE-2013-4792 | 1 Prestashop | 1 Prestashop | 2020-02-18 | 3.5 LOW | 5.5 MEDIUM |
| PrestaShop before 1.4.11 allows logout CSRF. | |||||
| CVE-2013-2108 | 1 Undolog | 1 Cleanfix | 2020-02-18 | 4.3 MEDIUM | 5.4 MEDIUM |
| WordPress WP Cleanfix Plugin 2.4.4 has CSRF | |||||
| CVE-2020-2116 | 1 Jenkins | 1 Pipeline Github Notify Step | 2020-02-14 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2012-6721 | 1 Socialengine | 1 Socialengine | 2020-02-12 | 6.8 MEDIUM | 6.3 MEDIUM |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) Forum, (2) Event, and (3) Classifieds plugins in SocialEngine before 4.2.4. | |||||
| CVE-2014-2225 | 1 Ui | 3 Airvision Controller, Mfi Controller, Unifi Controller | 2020-02-12 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Ubiquiti Networks UniFi Controller before 3.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) create a new admin user via a request to api/add/admin; (2) have unspecified impact via a request to api/add/wlanconf; change the guest (3) password, (4) authentication method, or (5) restricted subnets via a request to api/set/setting/guest_access; (6) block, (7) unblock, or (8) reconnect users by MAC address via a request to api/cmd/stamgr; change the syslog (9) server or (10) port via a request to api/set/setting/rsyslogd; (11) have unspecified impact via a request to api/set/setting/smtp; change the syslog (12) server, (13) port, or (14) authentication settings via a request to api/cmd/cfgmgr; or (15) change the Unifi Controller name via a request to api/set/setting/identity. | |||||
| CVE-2019-10784 | 1 Phppgadmin Project | 1 Phppgadmin | 2020-02-12 | 9.3 HIGH | 9.6 CRITICAL |
| phppgadmin through 7.12.1 allows sensitive actions to be performed without validating that the request originated from the application. One such area, "database.php" does not verify the source of an HTTP request. This can be leveraged by a remote attacker to trick a logged-in administrator to visit a malicious page with a CSRF exploit and execute arbitrary system commands on the server. | |||||
| CVE-2013-3568 | 1 Cisco | 2 Linksys Wrt110, Linksys Wrt110 Firmware | 2020-02-12 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Cisco Linksys WRT110 allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors. | |||||