Total: 3999 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-8166 | 2 Debian, Rubyonrails | 2 Debian Linux, Rails | 2020-11-20 | 4.3 MEDIUM | 4.3 MEDIUM |
| A CSRF vulnerability exists in Rails < 5.2.5 and Rails < 6.0.4 that makes it possible for an attacker who holds a global CSRF token, such as the one present in the authenticity_token meta tag, to forge a per-form CSRF token. | |||||
| CVE-2020-15259 | 1 Auth0 | 1 Ad/ldap Connector | 2020-11-18 | 6.8 MEDIUM | 8.8 HIGH |
| ad-ldap-connector's admin panel before version 5.0.13 does not provide csrf protection, which when exploited may result in remote code execution or confidential data loss. CSRF exploits may occur if the user visits a malicious page containing CSRF payload on the same machine that has access to the ad-ldap-connector admin console via a browser. You may be affected if you use the admin console included with ad-ldap-connector versions <=5.0.12. If you do not have ad-ldap-connector admin console enabled or do not visit any other public URL while on the machine it is installed on, you are not affected. The issue is fixed in version 5.0.13. | |||||
| CVE-2020-24373 | 1 Free | 10 Freebox Delta, Freebox Delta Firmware, Freebox Mini and 7 more | 2020-11-13 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3. | |||||
| CVE-2020-22273 | 1 Creativeitem | 1 Neoflex Video Subscription System | 2020-11-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| Neoflex Video Subscription System Version 2.0 is affected by CSRF, which allows the website's settings (such as payment settings) to be changed. | |||||
| CVE-2015-9284 | 1 Omniauth | 1 Omniauth | 2020-11-13 | 6.8 MEDIUM | 8.8 HIGH |
| The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account. | |||||
| CVE-2020-4651 | 1 Ibm | 1 Maximo Spatial Asset Management | 2020-11-12 | 2.9 LOW | 4.8 MEDIUM |
| IBM Maximo Spatial Asset Management 7.6.0.3, 7.6.0.4, 7.6.0.5, and 7.6.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 186024. | |||||
| CVE-2020-5517 | 1 Blueonyx | 2 5209r, 5209r Firmware | 2020-11-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| CSRF in the /login URI in BlueOnyx 5209R allows an attacker to access the dashboard and perform scraping or other analysis. | |||||
| CVE-2017-14530 | 1 Crony Cronjob Manager Project | 1 Crony Cronjob Manager | 2020-11-10 | 6.0 MEDIUM | 8.0 HIGH |
| WP_Admin_UI in the Crony Cronjob Manager plugin before 0.4.7 for WordPress has CSRF via the name parameter in an action=manage&do=create operation, as demonstrated by inserting XSS sequences. | |||||
| CVE-2016-11015 | 1 Netgear | 2 Jnr1010, Jnr1010 Firmware | 2020-11-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| NETGEAR JNR1010 devices before 1.0.0.32 allow cgi-bin/webproc CSRF via the :InternetGatewayDevice.X_TWSZ-COM_URL_Filter.BlackList.1.URL parameter. | |||||
| CVE-2020-27692 | 1 Imomobile | 2 Verve Connect Vh510, Verve Connect Vh510 Firmware | 2020-11-10 | 6.8 MEDIUM | 8.8 HIGH |
| The Relish (Verve Connect) VH510 device with firmware before 1.0.1.6L0516 contains multiple CSRF vulnerabilities within its web management portal. Attackers can, for example, use this to update the TR-069 configuration server settings (responsible for managing devices remotely). This makes it possible to remotely reboot the device or upload malicious firmware. | |||||
| CVE-2020-25015 | 1 Genexis | 2 Platinum 4410, Platinum 4410 Firmware | 2020-11-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| A specific router allows changing the Wi-Fi password remotely. Genexis Platinum 4410 V2-1.28, a compact router generally used in homes and offices, was found to be vulnerable to Broken Access Control and CSRF, which can be combined to remotely change the Wi-Fi access point's password. | |||||
| CVE-2020-2303 | 1 Jenkins | 1 Active Directory | 2020-11-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Active Directory Plugin 2.19 and earlier allows attackers to perform connection tests, connecting to attacker-specified or previously configured Active Directory servers using attacker-specified credentials. | |||||
| CVE-2020-11485 | 2 Intel, Nvidia | 2 Bmc Firmware, Dgx-1 | 2020-11-05 | 6.8 MEDIUM | 8.8 HIGH |
| NVIDIA DGX servers (all DGX-1 with BMC firmware versions prior to 3.38.30) contain a Cross-Site Request Forgery (CSRF) vulnerability in the AMI BMC firmware: the web application does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted it, which can lead to information disclosure or code execution. | |||||
| CVE-2020-16256 | 1 Winstonprivacy | 2 Winston, Winston Firmware | 2020-11-03 | 9.3 HIGH | 8.8 HIGH |
| The API on Winston 1.5.4 devices is vulnerable to CSRF. | |||||
| CVE-2020-24033 | 1 Fs | 2 S3900 24t4s, S3900 24t4s Firmware | 2020-11-02 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in fs.com S3900 24T4S 1.7.0 and earlier. The form has no authentication or token-based anti-CSRF mechanism, which allows remote attackers to forge requests on behalf of a site administrator and change all settings, including deleting users and creating new users with escalated privileges. | |||||
| CVE-2020-27975 | 1 Oscommerce | 1 Oscommerce | 2020-10-29 | 6.8 MEDIUM | 8.8 HIGH |
| osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF. | |||||
| CVE-2020-3456 | 1 Cisco | 17 Firepower 4110, Firepower 4112, Firepower 4115 and 14 more | 2020-10-28 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the Cisco Firepower Chassis Manager (FCM) of Cisco FXOS Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of an affected device. The vulnerability is due to insufficient CSRF protections for the FCM interface. An attacker could exploit this vulnerability by persuading a targeted user to click a malicious link. A successful exploit could allow the attacker to send arbitrary requests that could take unauthorized actions on behalf of the targeted user. | |||||
| CVE-2020-24847 | 1 Fruitywifi Project | 1 Fruitywifi | 2020-10-27 | 4.3 MEDIUM | 4.3 MEDIUM |
| A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim into visiting an attacker-controlled website by social engineering or another attack vector and thereby change the newSSID and hostapd_wpa_passphrase values. | |||||
| CVE-2020-18129 | 1 Eyoucms | 1 Eyoucms | 2020-10-27 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF vulnerability in Eyoucms v1.2.7 allows an attacker to add an admin account via login.php. | |||||
| CVE-2016-3029 | 1 Ibm | 5 Security Access Manager 9.0 Firmware, Security Access Manager For Mobile 8.0 Firmware, Security Access Manager For Mobile Appliance and 2 more | 2020-10-27 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Security Access Manager for Web is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | |||||
| CVE-2020-5790 | 1 Nagios | 1 Nagios Xi | 2020-10-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link. | |||||
| CVE-2020-4773 | 1 Ibm | 1 Curam Social Program Management | 2020-10-19 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability may impact IBM Curam Social Program Management 7.0.9 and 7.0.10; CSRF is an attack that forces a user to execute unwanted actions on a web application while they are currently authenticated. This applies to a single server class only, with no impact to the remainder of the web application. IBM X-Force ID: 189151. | |||||
| CVE-2020-25263 | 1 Pyrocms | 1 Pyrocms | 2020-10-19 | 5.8 MEDIUM | 7.1 HIGH |
| PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/addons/uninstall/anomaly.module.blocks URI: an arbitrary plugin will be deleted. | |||||
| CVE-2020-13760 | 1 Joomla | 1 Joomla! | 2020-10-19 | 6.8 MEDIUM | 8.8 HIGH |
| In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF. | |||||
| CVE-2015-8131 | 1 Elastic | 1 Kibana | 2020-10-19 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||||
| CVE-2020-25262 | 1 Pyrocms | 1 Pyrocms | 2020-10-16 | 4.3 MEDIUM | 4.3 MEDIUM |
| PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/pages/delete/ URI: pages will be deleted. | |||||
| CVE-2020-26522 | 1 Garfield Petshop Project | 1 Garfield Petshop | 2020-10-16 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in mod/user/act_user.php in Garfield Petshop through 2020-10-01 allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts. | |||||
| CVE-2020-5642 | 1 Onwebchat | 1 Live Chat - Live Support | 2020-10-16 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Live Chat - Live support version 3.1.0 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2020-26912 | 1 Netgear | 28 D6200, D6200 Firmware, D7000 and 25 more | 2020-10-16 | 6.8 MEDIUM | 8.8 HIGH |
| Certain NETGEAR devices are affected by CSRF. This affects D6200 before 1.1.00.38, D7000 before 1.0.1.78, JR6150 before 1.0.1.24, R6020 before 1.0.0.42, R6050 before 1.0.1.24, R6080 before 1.0.0.42, R6120 before 1.0.0.66, R6220 before 1.1.0.100, R6260 before 1.1.0.64, R6700v2 before 1.2.0.62, R6800 before 1.2.0.62, R6900v2 before 1.2.0.62, R7450 before 1.2.0.62, and WNR2020 before 1.1.0.62. | |||||
| CVE-2020-13658 | 1 Lansweeper | 1 Lansweeper | 2020-10-15 | 6.0 MEDIUM | 8.0 HIGH |
| In Lansweeper 8.0.130.17, the web console is vulnerable to a CSRF attack that would allow a low-level Lansweeper user to elevate their privileges within the application. | |||||
| CVE-2020-26802 | 1 Formalms | 1 Formalms | 2020-10-15 | 6.8 MEDIUM | 8.8 HIGH |
| forma.lms 2.3.0.2 is affected by Cross Site Request Forgery (CSRF) in formalms/appCore/index.php?r=lms/profile/show&ap=saveinfo via a GET request to change the admin email address in order to accomplish an account takeover. | |||||
| CVE-2020-25986 | 1 Monocms | 1 Monocms | 2020-10-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| A Cross Site Request Forgery (CSRF) vulnerability in MonoCMS Blog 1.0 allows attackers to change the password of a user. | |||||
| CVE-2020-2295 | 1 Barchart | 1 Maven Cascade Release | 2020-10-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Maven Cascade Release Plugin 1.3.2 and earlier allows attackers to start cascade builds and layout builds, and reconfigure the plugin. | |||||
| CVE-2020-2296 | 1 Jenkins | 1 Shared Objects | 2020-10-09 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Shared Objects Plugin 0.44 and earlier allows attackers to configure shared objects. | |||||
| CVE-2020-23837 | 1 Multi User Project | 1 Multi User | 2020-10-08 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability in the Multi User plugin 1.8.2 for GetSimple CMS allows remote attackers to add admin (or other) users after an authenticated admin visits a third-party site or clicks on a URL. | |||||
| CVE-2020-12123 | 1 Wavlink | 2 Wn530h4, Wn530h4 Firmware | 2020-10-08 | 7.8 HIGH | 8.1 HIGH |
| CSRF vulnerabilities in the /cgi-bin/ directory of the WAVLINK WN530H4 M30H4.V5030.190403 allow an attacker to remotely access router endpoints, because these endpoints do not contain CSRF tokens. If a user is authenticated in the router portal, then this attack will work. | |||||
| CVE-2020-5786 | 1 Teltonika-networks | 2 Trb245, Trb245 Firmware | 2020-10-01 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery in Teltonika firmware TRB2_R_00.02.04.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link. | |||||
| CVE-2015-3655 | 1 Arubanetworks | 1 Clearpass | 2020-10-01 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote attackers to hijack the authentication of administrators by leveraging improper enforcement of the anti-CSRF token. | |||||
| CVE-2020-3124 | 1 Cisco | 1 Hosted Collaboration Mediation Fulfillment | 2020-10-01 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the web-based interface of Cisco Hosted Collaboration Mediation Fulfillment (HCM-F) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections by the affected software. An attacker could exploit this vulnerability by persuading a targeted user to click a malicious link. A successful exploit could allow the attacker to send arbitrary requests that could change the password of a targeted user. An attacker could then take unauthorized actions on behalf of the targeted user. | |||||
| CVE-2020-3135 | 1 Cisco | 1 Unified Communications Manager | 2020-09-29 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based management interface of Cisco Unified Communications Manager (UCM) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user. | |||||
| CVE-2020-25142 | 1 Observium | 1 Observium | 2020-09-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. Links and forms lack an unpredictable CSRF token; without such a token, attackers can forge malicious requests, such as adding Device Settings via the /addsrv URI. | |||||
| CVE-2020-5783 | 1 Ignitenet | 1 Helios Glinq | 2020-09-29 | 5.8 MEDIUM | 5.4 MEDIUM |
| In IgniteNet HeliOS GLinq v2.2.1 r2961, the login functionality does not contain any CSRF protection mechanisms. | |||||
| CVE-2020-2280 | 1 Jenkins | 1 Warnings | 2020-09-28 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Warnings Plugin 5.0.1 and earlier allows attackers to execute arbitrary code. | |||||
| CVE-2019-16009 | 1 Cisco | 2 Ios, Ios Xe | 2020-09-28 | 7.6 HIGH | 8.8 HIGH |
| A vulnerability in the web UI of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device. | |||||
| CVE-2020-12840 | 1 Gogogate | 2 Ismartgate Pro, Ismartgate Pro Firmware | 2020-09-27 | 4.3 MEDIUM | 6.5 MEDIUM |
| ismartgate PRO 1.5.9 is vulnerable to CSRF that allows remote attackers to upload sound files via /index.php. | |||||
| CVE-2020-12841 | 1 Gogogate | 2 Ismartgate Pro, Ismartgate Pro Firmware | 2020-09-27 | 4.3 MEDIUM | 6.5 MEDIUM |
| ismartgate PRO 1.5.9 is vulnerable to CSRF that allows remote attackers to upload image files via /index.php. | |||||
| CVE-2020-12282 | 1 Gogogate | 2 Ismartgate Pro, Ismartgate Pro Firmware | 2020-09-27 | 6.8 MEDIUM | 8.8 HIGH |
| iSmartgate PRO 1.5.9 is vulnerable to CSRF via the busca parameter in the form used for searching for users, accessible via /index.php. (This can be combined with reflected XSS.) | |||||
| CVE-2020-12281 | 1 Gogogate | 2 Ismartgate Pro, Ismartgate Pro Firmware | 2020-09-27 | 4.3 MEDIUM | 6.5 MEDIUM |
| iSmartgate PRO 1.5.9 is vulnerable to CSRF that allows remote attackers to create a new user via /index.php. | |||||
| CVE-2020-12280 | 1 Gogogate | 2 Ismartgate Pro, Ismartgate Pro Firmware | 2020-09-27 | 4.3 MEDIUM | 6.5 MEDIUM |
| iSmartgate PRO 1.5.9 is vulnerable to CSRF that allows remote attackers to open/close a specified garage door/gate via /isg/opendoor.php. | |||||
| CVE-2020-14025 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2020-09-26 | 6.8 MEDIUM | 8.8 HIGH |
| Ozeki NG SMS Gateway through 4.17.6 has multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes such as installing new modules or changing a password. | |||||
