Search
Total
1927 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-28403 | 1 Iris | 1 Star | 2021-02-01 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an attacker to change the privileges of any user of the application. This can be used to grant himself administrative role or remove the administrative account of the application. | |||||
| CVE-2020-12511 | 1 Pepperl-fuchs | 24 Io-link Master 4-eip, Io-link Master 4-eip Firmware, Io-link Master 4-pnio and 21 more | 2021-01-27 | 6.8 MEDIUM | 8.8 HIGH |
| Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface. | |||||
| CVE-2020-28482 | 1 Fastify | 1 Fastify-csrf | 2021-01-27 | 6.8 MEDIUM | 8.8 HIGH |
| This affects the package fastify-csrf before 3.0.0. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: { path: '/', sameSite: true } 2. The CSRF token was available in the GET query parameter | |||||
| CVE-2020-28452 | 1 Softwaremill | 1 Akka-http-session | 2021-01-27 | 6.8 MEDIUM | 8.8 HIGH |
| This affects the package com.softwaremill.akka-http-session:core_2.12 from 0 and before 0.6.1; all versions of package com.softwaremill.akka-http-session:core_2.11; the package com.softwaremill.akka-http-session:core_2.13 from 0 and before 0.6.1. CSRF protection can be bypassed by forging a request that contains the same value for both the X-XSRF-TOKEN header and the XSRF-TOKEN cookie value, as the check in randomTokenCsrfProtection only checks that the two values are equal and non-empty. | |||||
| CVE-2017-8874 | 1 Acquia | 1 Mautic | 2021-01-25 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Mautic 1.4.1 allow remote attackers to hijack the authentication of users for requests that (1) delete email campaigns or (2) delete contacts. | |||||
| CVE-2020-6776 | 1 Bosch | 4 Praesensa, Praesensa Firmware, Praesideo and 1 more | 2021-01-21 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based management interface of Bosch PRAESIDEO until and including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an unauthenticated remote attacker to trigger actions on an affected system on behalf of another user (Cross-Site Request Forgery). This requires the victim to be tricked into clicking a malicious link or submitting a malicious form. A successful exploit allows the attacker to perform arbitrary actions with the privileges of the victim, e.g. creating and modifying user accounts, changing system configuration settings and cause DoS conditions. Note: For Bosch PRAESIDEO 4.31 and newer and Bosch PRAESENSA in all versions, the confidentiality impact is considered low because user credentials are not shown in the web interface. | |||||
| CVE-2021-21241 | 1 Flask-security-too Project | 1 Flask-security-too | 2021-01-19 | 4.3 MEDIUM | 7.4 HIGH |
| The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is a independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token unusable. | |||||
| CVE-2020-23960 | 1 Fork-cms | 1 Fork | 2021-01-14 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Fork before 5.8.3 allows remote attackers to perform unauthorized actions as administrator to (1) approve the mass of the user's comments, (2) restoring a deleted user, (3) installing or running modules, (4) resetting the analytics, (5) pinging the mailmotor api, (6) uploading things to the media library, (7) exporting locale. | |||||
| CVE-2020-35950 | 1 Xcloner | 1 Xcloner | 2021-01-13 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in the XCloner Backup and Restore plugin before 4.2.153 for WordPress. It allows CSRF (via almost any endpoint). | |||||
| CVE-2021-21495 | 1 Mk-auth | 1 Mk-auth | 2021-01-07 | 6.8 MEDIUM | 8.8 HIGH |
| MK-AUTH through 19.01 K4.9 allows CSRF for password changes via the central/executar_central.php?acao=altsenha_princ URI. | |||||
| CVE-2020-4942 | 1 Ibm | 1 Curam Social Program Management | 2021-01-06 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Curam Social Program Management 7.0.9 and 7.0.11 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 191942. | |||||
| CVE-2020-4917 | 1 Ibm | 1 Cloud Pak System | 2021-01-05 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 191391. | |||||
| CVE-2018-16795 | 1 Open-emr | 1 Openemr | 2021-01-05 | 6.8 MEDIUM | 8.8 HIGH |
| OpenEMR 5.0.1.3 allows Cross-Site Request Forgery (CSRF) via library/ajax and interface/super, as demonstrated by use of interface/super/manage_site_files.php to upload a .php file. | |||||
| CVE-2020-14368 | 1 Eclipse | 1 Che | 2021-01-04 | 4.6 MEDIUM | 7.1 HIGH |
| A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request Forgery (CSRF) and consequently allowing a cross-site WebSocket hijack on Theia IDE. This flaw allows an attacker to gain full access to the victim's workspace through the /services endpoint. To perform a successful attack, the attacker conducts a Man-in-the-middle attack (MITM) and tricks the victim into executing a request via an untrusted link, which performs the CSRF and the Socket hijack. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. | |||||
| CVE-2019-10874 | 1 Boltcms | 1 Bolt | 2021-01-04 | 6.8 MEDIUM | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) in the bolt/upload File Upload feature in Bolt CMS 3.6.6 allows remote attackers to execute arbitrary code by uploading a JavaScript file to include executable extensions in the file/edit/config/config.yml configuration file. | |||||
| CVE-2020-35778 | 1 Netgear | 4 Gs716t, Gs716t Firmware, Gs724t and 1 more | 2020-12-30 | 6.8 MEDIUM | 8.8 HIGH |
| Certain NETGEAR devices are affected by CSRF. This affects GS716Tv3 before 6.3.1.36 and GS724Tv4 before 6.3.1.36. | |||||
| CVE-2020-26766 | 1 User Registration \& Login And User Management System With Admin Panel Project | 1 User Registration \& Login And User Management System With Admin Panel | 2020-12-28 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross Site Request Forgery (CSRF) vulnerability exists in the loginsystem page in PHPGurukul User Registration & Login and User Management System With Admin Panel 2.1. | |||||
| CVE-2020-35626 | 1 Mediawiki | 1 Mediawiki | 2020-12-22 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks against onSkinAddFooterLinks in PushToWatch.php. | |||||
| CVE-2020-7201 | 1 Hp | 4 Storeever 1\/8 G2 Tape Autoloader, Storeever 1\/8 G2 Tape Autoloader Firmware, Storeever Msl2024 and 1 more | 2020-12-22 | 6.8 MEDIUM | 8.8 HIGH |
| A potential security vulnerability has been identified in the HPE StoreEver MSL2024 Tape Library and HPE StoreEver 1/8 G2 Tape Autoloaders. The vulnerability could be remotely exploited to allow Cross-site Request Forgery (CSRF). | |||||
| CVE-2020-35273 | 1 Egavilanmedia | 1 User Registration \& Login System With Admin Panel | 2020-12-22 | 6.0 MEDIUM | 8.0 HIGH |
| EgavilanMedia User Registration & Login System with Admin Panel 1.0 is affected by Cross Site Request Forgery (CSRF) to remotely gain privileges in the User Profile panel. An attacker can update any user's account. | |||||
| CVE-2020-8461 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2020-12-21 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF protection bypass vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to get a victim's browser to send a specifically encoded request without requiring a valid CSRF token. | |||||
| CVE-2020-25095 | 1 Logrhythm | 1 Platform Manager | 2020-12-21 | 6.8 MEDIUM | 8.8 HIGH |
| LogRhythm Platform Manager (PM) 7.4.9 allows CSRF. The Web interface is vulnerable to Cross-site WebSocket Hijacking (CSWH). If a logged-in PM user visits a malicious site in the same browser session, that site can perform a CSRF attack to create a WebSocket from the victim client to the vulnerable PM server. Once the socket is created, the malicious site can interact with the vulnerable web server in the context of the logged-in user. This can include WebSocket payloads that result in command execution. | |||||
| CVE-2020-25622 | 1 Solarwinds | 1 N-central | 2020-12-17 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in SolarWinds N-Central 12.3.0.670. The AdvancedScripts HTTP endpoint allows CSRF. | |||||
| CVE-2020-28931 | 1 Epson | 2 Eps Tse Server 8, Eps Tse Server 8 Firmware | 2020-12-17 | 6.8 MEDIUM | 8.8 HIGH |
| Lack of an anti-CSRF token in the entire administrative interface in EPSON EPS TSE Server 8 (21.0.11) allows an unauthenticated attacker to force an administrator to execute external POST requests by visiting a malicious website. | |||||
| CVE-2020-8282 | 1 Ui | 4 Edgemax Edgepower 24v, Edgemax Edgepower 24v Firmware, Edgemax Edgepower 54v and 1 more | 2020-12-16 | 6.8 MEDIUM | 8.8 HIGH |
| A security issue was found in EdgePower 24V/54V firmware v1.7.0 and earlier where, due to missing CSRF protections, an attacker would have been able to perform unauthorized remote code execution. | |||||
| CVE-2020-8424 | 1 Cups Easy Project | 1 Cups Easy | 2020-12-15 | 6.8 MEDIUM | 8.8 HIGH |
| Cups Easy (Purchase & Inventory) 1.0 is vulnerable to CSRF that leads to admin account takeover via passwordmychange.php. | |||||
| CVE-2019-19289 | 1 Siemens | 1 Xhq | 2020-12-15 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. | |||||
| CVE-2020-28858 | 1 Openasset | 1 Digital Asset Management | 2020-12-15 | 6.8 MEDIUM | 8.8 HIGH |
| OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly verify whether a request made to the application was intentionally made by the user, allowing for cross-site request forgery attacks on all user functions. | |||||
| CVE-2020-29254 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2020-12-14 | 6.8 MEDIUM | 8.8 HIGH |
| TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These action include allowing attackers to submit their own code through an authenticated user resulting in local file Inclusion. If an authenticated user who is able to edit TikiWiki templates visits an malicious website, template code can be edited. | |||||
| CVE-2020-7780 | 1 Softwaremill | 1 Akka-http-session | 2020-12-04 | 6.8 MEDIUM | 8.8 HIGH |
| This affects the package com.softwaremill.akka-http-session:core_2.13 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.12 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.11 before 0.5.11. For older versions, endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie. | |||||
| CVE-2020-2321 | 1 Jenkins | 1 Shelve Project | 2020-12-04 | 5.8 MEDIUM | 8.1 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier allows attackers to shelve, unshelve, or delete a project. | |||||
| CVE-2020-13620 | 1 Fastweb | 2 Fastgate Gpon Fga2130fwb, Fastgate Gpon Fga2130fwb Firmware | 2020-12-03 | 6.8 MEDIUM | 8.8 HIGH |
| Fastweb FASTGate GPON FGA2130FWB devices through 2020-05-26 allow CSRF via the router administration web panel, leading to an attacker's ability to perform administrative actions such as modifying the configuration. | |||||
| CVE-2020-29458 | 1 Textpattern | 1 Textpattern | 2020-12-02 | 6.8 MEDIUM | 8.8 HIGH |
| Textpattern CMS 4.6.2 allows CSRF via the prefs subsystem. | |||||
| CVE-2020-26936 | 1 Cloudera | 1 Data Engineering | 2020-12-01 | 6.8 MEDIUM | 8.8 HIGH |
| Cloudera Data Engineering (CDE) before 1.1 was vulnerable to a CSRF attack. | |||||
| CVE-2016-3734 | 1 Moodle | 1 Moodle | 2020-12-01 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of users for requests that marks forum posts as read. | |||||
| CVE-2016-2157 | 1 Moodle | 1 Moodle | 2020-12-01 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in mod/assign/adminmanageplugins.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to hijack the authentication of administrators for requests that manage Assignment plugins. | |||||
| CVE-2015-5338 | 1 Moodle | 1 Moodle | 2020-12-01 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote attackers to hijack the authentication of arbitrary users for requests to (1) mod/lesson/mediafile.php or (2) mod/lesson/view.php. | |||||
| CVE-2020-28649 | 1 Orbisius | 1 Child Theme Creator | 2020-11-27 | 6.8 MEDIUM | 8.8 HIGH |
| The orbisius-child-theme-creator plugin before 1.5.2 for WordPress allows CSRF via orbisius_ctc_theme_editor_manage_file. | |||||
| CVE-2019-7357 | 1 Intelliants | 1 Subrion Cms | 2020-11-25 | 6.8 MEDIUM | 8.8 HIGH |
| Subrion CMS 4.2.1 has CSRF in panel/modules/plugins/. The attacker can remotely activate/deactivate the plugins. | |||||
| CVE-2020-27146 | 1 Tibco | 1 Iprocess Workspace Browser | 2020-11-24 | 6.8 MEDIUM | 8.8 HIGH |
| The Core component of TIBCO Software Inc.'s TIBCO iProcess Workspace (Browser) contains a vulnerability that theoretically allows an unauthenticated attacker with network access to execute a Cross Site Request Forgery (CSRF) attack on the affected system. A successful attack using this vulnerability requires human interaction from an authenticated user other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO iProcess Workspace (Browser): versions 11.6.0 and below. | |||||
| CVE-2020-27016 | 2 Microsoft, Trendmicro | 2 Windows, Interscan Messaging Security Virtual Appliance | 2020-11-24 | 6.8 MEDIUM | 8.8 HIGH |
| Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to a cross-site request forgery (CSRF) vulnerability which could allow an attacker to modify policy rules by tricking an authenticated administrator into accessing an attacker-controlled web page. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability. | |||||
| CVE-2020-15259 | 1 Auth0 | 1 Ad\/ldap Connector | 2020-11-18 | 6.8 MEDIUM | 8.8 HIGH |
| ad-ldap-connector's admin panel before version 5.0.13 does not provide csrf protection, which when exploited may result in remote code execution or confidential data loss. CSRF exploits may occur if the user visits a malicious page containing CSRF payload on the same machine that has access to the ad-ldap-connector admin console via a browser. You may be affected if you use the admin console included with ad-ldap-connector versions <=5.0.12. If you do not have ad-ldap-connector admin console enabled or do not visit any other public URL while on the machine it is installed on, you are not affected. The issue is fixed in version 5.0.13. | |||||
| CVE-2020-24373 | 1 Free | 10 Freebox Delta, Freebox Delta Firmware, Freebox Mini and 7 more | 2020-11-13 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3. | |||||
| CVE-2015-9284 | 1 Omniauth | 1 Omniauth | 2020-11-13 | 6.8 MEDIUM | 8.8 HIGH |
| The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account. | |||||
| CVE-2017-14530 | 1 Crony Cronjob Manager Project | 1 Crony Cronjob Manager | 2020-11-10 | 6.0 MEDIUM | 8.0 HIGH |
| WP_Admin_UI in the Crony Cronjob Manager plugin before 0.4.7 for WordPress has CSRF via the name parameter in an action=manage&do=create operation, as demonstrated by inserting XSS sequences. | |||||
| CVE-2020-27692 | 1 Imomobile | 2 Verve Connect Vh510, Verve Connect Vh510 Firmware | 2020-11-10 | 6.8 MEDIUM | 8.8 HIGH |
| The Relish (Verve Connect) VH510 device with firmware before 1.0.1.6L0516 contains multiple CSRF vulnerabilities within its web management portal. Attackers can, for example, use this to update the TR-069 configuration server settings (responsible for managing devices remotely). This makes it possible to remotely reboot the device or upload malicious firmware. | |||||
| CVE-2020-11485 | 2 Intel, Nvidia | 2 Bmc Firmware, Dgx-1 | 2020-11-05 | 6.8 MEDIUM | 8.8 HIGH |
| NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contains a Cross-Site Request Forgery (CSRF) vulnerability in the AMI BMC firmware in which the web application does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request, which can lead to information disclosure or code execution. | |||||
| CVE-2020-16256 | 1 Winstonprivacy | 2 Winston, Winston Firmware | 2020-11-03 | 9.3 HIGH | 8.8 HIGH |
| The API on Winston 1.5.4 devices is vulnerable to CSRF. | |||||
| CVE-2020-24033 | 1 Fs | 2 S3900 24t4s, S3900 24t4s Firmware | 2020-11-02 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in fs.com S3900 24T4S 1.7.0 and earlier. The form does not have an authentication or token authentication mechanism that allows remote attackers to forge requests on behalf of a site administrator to change all settings including deleting users, creating new users with escalated privileges. | |||||
| CVE-2020-27975 | 1 Oscommerce | 1 Oscommerce | 2020-10-29 | 6.8 MEDIUM | 8.8 HIGH |
| osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF. | |||||