Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-36174 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration. |
| CVE-2020-36140 | 1 Bloofox | 1 Bloofoxcms | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | BloofoxCMS 0.5.2.1 allows Cross-Site Request Forgery (CSRF) via 'mode=settings&page=editor', as demonstrated by use of 'mode=settings&page=editor' to change any file content (Locally/Remotely). |
| CVE-2020-35972 | 1 Yzmcms | 1 Yzmcms | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | An issue was discovered in YzmCMS V5.8. There is a CSRF vulnerability that can add member user accounts via member/member/add.html. |
| CVE-2020-35950 | 1 Xcloner | 1 Xcloner | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL | An issue was discovered in the XCloner Backup and Restore plugin before 4.2.153 for WordPress. It allows CSRF (via almost any endpoint). |
| CVE-2020-35944 | 1 Pagelayer | 1 Pagelayer | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. The pagelayer_settings_page function is vulnerable to CSRF, which can lead to XSS. |
| CVE-2020-35943 | 1 Imagely | 1 Nextgen Gallery | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload. (It is possible to bypass CSRF protection by simply not including a nonce parameter.) |
| CVE-2020-35942 | 1 Imagely | 1 Nextgen Gallery | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload and Local File Inclusion via settings modification, leading to Remote Code Execution and XSS. (It is possible to bypass CSRF protection by simply not including a nonce parameter.) |
| CVE-2020-35778 | 1 Netgear | 4 Gs716t, Gs716t Firmware, Gs724t and 1 more | 2024-11-21 | 6.8 MEDIUM | 4.3 MEDIUM | Certain NETGEAR devices are affected by CSRF. This affects GS716Tv3 before 6.3.1.36 and GS724Tv4 before 6.3.1.36. |
| CVE-2020-35773 | 1 Freehtmldesigns | 1 Site Offline | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | The site-offline plugin before 1.4.4 for WordPress lacks certain wp_create_nonce and wp_verify_nonce calls, aka CSRF. |
| CVE-2020-35759 | 1 Bloofox | 1 Bloofoxcms | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | bloofoxCMS 0.5.2.1 is infected with a CSRF Attack that leads to an attacker editing any file content (Locally/Remotely). |
| CVE-2020-35722 | 1 Quest | 1 Policy Authority For Unified Communications | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | CSRF in Web Compliance Manager in Quest Policy Authority 8.1.2.200 allows remote attackers to force user modification/creation via a specially crafted link to the submitUser.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
| CVE-2020-35687 | 1 Php-fusion | 1 Phpfusion | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | PHPFusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of all shoutbox messages by the attacker on behalf of the logged in victim. |
| CVE-2020-35677 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | BigProf Online Invoicing System before 4.0 fails to adequately sanitize fields for HTML characters upon an administrator using admin/pageEditGroup.php to create a new group, resulting in Stored XSS. The caveat here is that an attacker would need administrative privileges in order to create the payload. One might think this completely mitigates the privilege-escalation impact as there is only one high-privileged role. However, it was discovered that the endpoint responsible for creating the group ... |
| CVE-2020-35675 | 1 Bigprof | 1 Online Invoicing System | 2024-11-21 | N/A | 8.8 HIGH | BigProf Online Invoicing System before 3.0 offers a functionality that allows an administrator to move the records of members across groups. The applicable endpoint (admin/pageTransferOwnership.php) lacks CSRF protection, resulting in an attacker being able to escalate their privileges to Administrator and effectively taking over the application. |
| CVE-2020-35626 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks against onSkinAddFooterLinks in PushToWatch.php. |
| CVE-2020-35615 | 1 Joomla | 1 Joomla! | 2024-11-21 | 6.8 MEDIUM | 6.3 MEDIUM | An issue was discovered in Joomla! 2.5.0 through 3.9.22. A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability. |
| CVE-2020-35347 | 1 Cxuu | 1 Cxuucms | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | CXUUCMS V3 3.1 has a CSRF vulnerability that can add an administrator account via admin.php?c=adminuser&a=add. |
| CVE-2020-35273 | 1 Egavilanmedia | 1 User Registration & Login System With Admin Panel | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH | EgavilanMedia User Registration & Login System with Admin Panel 1.0 is affected by Cross Site Request Forgery (CSRF) to remotely gain privileges in the User Profile panel. An attacker can update any user's account. |
| CVE-2020-35269 | 1 Nagios | 1 Nagios Core | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Nagios Core application version 4.2.4 is vulnerable to Site-Wide Cross-Site Request Forgery (CSRF) in many functions, like adding or deleting hosts or servers. |
| CVE-2020-35223 | 1 Netgear | 4 Gs116e, Gs116e Firmware, Jgs516pe and 1 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | The CSRF protection mechanism implemented in the web administration panel on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices could be bypassed by omitting the CSRF token parameter in HTTP requests. |
| CVE-2020-35217 | 1 Eclipse | 1 Vert.x-web | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Vert.x-Web framework v4.0 milestone 1-4 does not perform a correct CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, it compares the CSRF token in the cookie against a CSRF token that is stored in the session. An attacker does not even need to provide a CSRF token in the request because the framework does not consider it. The cookies are automatically sent by the browser and the verification will always succeed, leading to a successful CSRF ... |
| CVE-2020-35135 | 1 Infolific | 1 Ultimate Category Excluder | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | The ultimate-category-excluder plugin before 1.2 for WordPress allows ultimate-category-excluder.php CSRF. |
| CVE-2020-2321 | 1 Jenkins | 1 Shelve Project | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH | A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier allows attackers to shelve, unshelve, or delete a project. |
| CVE-2020-2303 | 1 Jenkins | 1 Active Directory | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | A cross-site request forgery (CSRF) vulnerability in Jenkins Active Directory Plugin 2.19 and earlier allows attackers to perform connection tests, connecting to attacker-specified or previously configured Active Directory servers using attacker-specified credentials. |
| CVE-2020-2296 | 1 Jenkins | 1 Shared Objects | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | A cross-site request forgery (CSRF) vulnerability in Jenkins Shared Objects Plugin 0.44 and earlier allows attackers to configure shared objects. |
| CVE-2020-2295 | 1 Barchart | 1 Maven Cascade Release | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | A cross-site request forgery (CSRF) vulnerability in Jenkins Maven Cascade Release Plugin 1.3.2 and earlier allows attackers to start cascade builds and layout builds, and reconfigure the plugin. |
| CVE-2020-2281 | 1 Jenkins | 1 Lockable Resources | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM | A cross-site request forgery (CSRF) vulnerability in Jenkins Lockable Resources Plugin 2.8 and earlier allows attackers to reserve, unreserve, unlock, and reset resources. |
| CVE-2020-2280 | 1 Jenkins | 1 Warnings | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery (CSRF) vulnerability in Jenkins Warnings Plugin 5.0.1 and earlier allows attackers to execute arbitrary code. |
| CVE-2020-2273 | 1 Jenkins | 1 Elastest | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | A cross-site request forgery (CSRF) vulnerability in Jenkins ElasTest Plugin 1.2.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. |
| CVE-2020-2268 | 1 Jenkins | 1 Mongodb | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller. |
| CVE-2020-2241 | 1 Jenkins | 1 Database | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to connect to an attacker-specified database server using attacker-specified credentials. |
| CVE-2020-2240 | 1 Jenkins | 1 Database | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to execute arbitrary SQL scripts. |
| CVE-2020-2237 | 1 Jenkins | 1 Flaky Test Handler | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | A cross-site request forgery (CSRF) vulnerability in Jenkins Flaky Test Handler Plugin 1.0.4 and earlier allows attackers to rebuild a project at a previous git revision. |
| CVE-2020-2235 | 1 Jenkins | 1 Pipeline Maven Integration | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline Maven Integration Plugin 3.8.2 and earlier allows attackers to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins. |
| CVE-2020-2215 | 1 Jenkins | 1 Zephyr For Jira Test Management | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified username and password. |
| CVE-2020-2203 | 1 Jenkins | 1 Fortify On Demand | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | A cross-site request forgery vulnerability in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs. |
| CVE-2020-2196 | 1 Jenkins | 1 Selenium | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH | Jenkins Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP endpoints, allowing attackers to perform all administrative actions provided by the plugin. |
| CVE-2020-2192 | 1 Jenkins | 1 Self-organizing Swarm Modules | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | A cross-site request forgery vulnerability in Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier allows attackers to add or remove agent labels. |
| CVE-2020-2186 | 1 Jenkins | 1 Amazon Ec2 | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.50.1 and earlier allows attackers to provision instances. |
| CVE-2020-2184 | 1 Jenkins | 1 Current Versions Systems | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | A cross-site request forgery vulnerability in Jenkins CVS Plugin 2.15 and earlier allows attackers to create and manipulate tags, and to connect to an attacker-specified URL. |