Total: 8760 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-2160 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Jenkins 2.227 and earlier, LTS 2.204.5 and earlier use different representations of request URL paths, which allows attackers to craft URLs that bypass CSRF protection for any target URL. |
| CVE-2020-2147 | 1 Jenkins | 1 Mac | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | A cross-site request forgery vulnerability in Jenkins Mac Plugin 1.1.0 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials. |
| CVE-2020-2141 | 1 Jenkins | 1 P4 | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | A cross-site request forgery vulnerability in Jenkins P4 Plugin 1.10.10 and earlier allows attackers to trigger builds or add labels in Perforce. |
| CVE-2020-2116 | 1 Jenkins | 1 Pipeline Github Notify Step | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2020-2098 | 1 Jenkins | 1 Sounds | 2024-11-21 | 9.3 HIGH | 8.8 HIGH | A cross-site request forgery vulnerability in Jenkins Sounds Plugin 0.5 and earlier allows attackers to execute arbitrary OS commands as the OS user account running Jenkins. |
| CVE-2020-2093 | 1 Jenkins | 1 Health Advisor By Cloudbees | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers to send an email with fixed content to an attacker-specified recipient. |
| CVE-2020-2090 | 1 Jenkins | 1 Amazon Ec2 | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method. |
| CVE-2020-29553 | 1 Getgrav | 1 Grav Cms | 2024-11-21 | 5.1 MEDIUM | 8.8 HIGH | The Scheduler in Grav CMS through 1.7.0-rc.17 allows an attacker to execute a system command by tricking an admin into visiting a malicious website (CSRF). |
| CVE-2020-29458 | 1 Textpattern | 1 Textpattern | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Textpattern CMS 4.6.2 allows CSRF via the prefs subsystem. |
| CVE-2020-29292 | 1 Iball | 2 Wrd12en, Wrd12en Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | iBall WRD12EN 1.0.0 devices allow cross-site request forgery (CSRF) attacks, as demonstrated by enabling DNS settings or modifying the range for IP addresses. |
| CVE-2020-29254 | 1 Tiki | 1 Tikiwiki Cms/groupware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could al ... |
| CVE-2020-29030 | 1 Secomea | 1 Gatemanager Firmware | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in the web GUI of Secomea GateManager allows an attacker to execute malicious code. This issue affects Secomea GateManager, all versions prior to 9.4. |
| CVE-2020-29004 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack. |
| CVE-2020-28931 | 1 Epson | 2 Eps Tse Server 8, Eps Tse Server 8 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Lack of an anti-CSRF token in the entire administrative interface in EPSON EPS TSE Server 8 (21.0.11) allows an unauthenticated attacker to force an administrator to execute external POST requests by visiting a malicious website. |
| CVE-2020-28858 | 1 Openasset | 1 Digital Asset Management | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly verify whether a request made to the application was intentionally made by the user, allowing cross-site request forgery attacks on all user functions. |
| CVE-2020-28846 | 1 Seacms | 1 Seacms | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | A Cross Site Request Forgery (CSRF) vulnerability exists in SeaCMS 10.7 in admin_manager.php, which could let a malicious user add an admin account. |
| CVE-2020-28838 | 1 Opencart | 1 Opencart | 2024-11-21 | 3.5 LOW | 3.5 LOW | Cross Site Request Forgery (CSRF) in the CART option in OpenCart Ltd. Opencart CMS 3.0.3.6 allows attackers to add cart items via Add to cart. |
| CVE-2020-28705 | 1 Thedaylightstudio | 1 Fuel Cms | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | FUEL CMS 1.4.13 contains a cross-site request forgery (CSRF) vulnerability that can delete a page via a post ID to /pages/delete/3. |
| CVE-2020-28649 | 1 Orbisius | 1 Child Theme Creator | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | The orbisius-child-theme-creator plugin before 1.5.2 for WordPress allows CSRF via orbisius_ctc_theme_editor_manage_file. |
| CVE-2020-28644 | 1 Owncloud | 1 Owncloud | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | The CSRF (Cross Site Request Forgery) token check was improperly implemented on cookie-authenticated requests against some ocs API endpoints. This affects ownCloud/core versions < 10.6. |
| CVE-2020-28452 | 1 Softwaremill | 1 Akka-http-session | 2024-11-21 | 6.8 MEDIUM | 6.3 MEDIUM | This affects the package com.softwaremill.akka-http-session:core_2.12 from 0 and before 0.6.1; all versions of package com.softwaremill.akka-http-session:core_2.11; the package com.softwaremill.akka-http-session:core_2.13 from 0 and before 0.6.1. CSRF protection can be bypassed by forging a request that contains the same value for both the X-XSRF-TOKEN header and the XSRF-TOKEN cookie value, as the check in randomTokenCsrfProtection only checks that the two values are equal and non-empty. |
| CVE-2020-28137 | 1 Genexis | 2 Platinum 4410, Platinum 4410 Firmware | 2024-11-21 | 7.1 HIGH | 6.5 MEDIUM | Cross site request forgery (CSRF) in Genexis Platinum 4410 V2-1.28 allows attackers to cause a denial of service by continuously restarting the router. |
| CVE-2020-28040 | 3 Canonical, Debian, Wordpress | 3 Ubuntu Linux, Debian Linux, Wordpress | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | WordPress before 5.5.2 allows CSRF attacks that change a theme's background image. |
| CVE-2020-27997 | 1 Smartstore | 1 Smartstorenet | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in SmartStoreNET before 4.1.0. Lack of Cross Site Request Forgery (CSRF) protection may lead to elevation of privileges (e.g., /admin/customer/create to create an admin account). |
| CVE-2020-27975 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF. |
| CVE-2020-27692 | 1 Imomobile | 2 Verve Connect Vh510, Verve Connect Vh510 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | The Relish (Verve Connect) VH510 device with firmware before 1.0.1.6L0516 contains multiple CSRF vulnerabilities within its web management portal. Attackers can, for example, use this to update the TR-069 configuration server settings (responsible for managing devices remotely). This makes it possible to remotely reboot the device or upload malicious firmware. |
| CVE-2020-27574 | 1 Maxum | 1 Rumpus | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Maxum Rumpus 8.2.13 and 8.2.14 is affected by cross-site request forgery (CSRF). If an authenticated user visits a malicious page, unintended actions could be performed in the web application as the authenticated user. |
| CVE-2020-27379 | 1 Bookingcore | 1 Booking Core | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | Cross Site Request Forgery (CSRF) vulnerability in Booking Core - Ultimate Booking System Booking Core 1.7.0. The CSRF token is not validated when the request is sent with the GET method. This results in an unauthorized change of the user's email ID, which can later be used to reset the password. The new password will be sent to the modified email ID. |
| CVE-2020-27146 | 1 Tibco | 1 Iprocess Workspace Browser | 2024-11-21 | 6.8 MEDIUM | 5.0 MEDIUM | The Core component of TIBCO Software Inc.'s TIBCO iProcess Workspace (Browser) contains a vulnerability that theoretically allows an unauthenticated attacker with network access to execute a Cross Site Request Forgery (CSRF) attack on the affected system. A successful attack using this vulnerability requires human interaction from an authenticated user other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO iProcess Workspace (Browser): versions 11.6.0 and below. |
| CVE-2020-27016 | 2 Microsoft, Trendmicro | 2 Windows, Interscan Messaging Security Virtual Appliance | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to a cross-site request forgery (CSRF) vulnerability which could allow an attacker to modify policy rules by tricking an authenticated administrator into accessing an attacker-controlled web page. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability. |
| CVE-2020-26936 | 1 Cloudera | 1 Data Engineering | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Cloudera Data Engineering (CDE) before 1.1 was vulnerable to a CSRF attack. |
| CVE-2020-26912 | 1 Netgear | 28 D6200, D6200 Firmware, D7000 and 25 more | 2024-11-21 | 6.8 MEDIUM | 7.5 HIGH | Certain NETGEAR devices are affected by CSRF. This affects D6200 before 1.1.00.38, D7000 before 1.0.1.78, JR6150 before 1.0.1.24, R6020 before 1.0.0.42, R6050 before 1.0.1.24, R6080 before 1.0.0.42, R6120 before 1.0.0.66, R6220 before 1.1.0.100, R6260 before 1.1.0.64, R6700v2 before 1.2.0.62, R6800 before 1.2.0.62, R6900v2 before 1.2.0.62, R7450 before 1.2.0.62, and WNR2020 before 1.1.0.62. |
| CVE-2020-26802 | 1 Formalms | 1 Formalms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | forma.lms 2.3.0.2 is affected by Cross Site Request Forgery (CSRF) in formalms/appCore/index.php?r=lms/profile/show&ap=saveinfo via a GET request that changes the admin email address, which can be used to accomplish an account takeover. |
| CVE-2020-26766 | 1 User Registration & Login And User Management System With Admin Panel Project | 1 User Registration & Login And User Management System With Admin Panel | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A Cross Site Request Forgery (CSRF) vulnerability exists in the loginsystem page in PHPGurukul User Registration & Login and User Management System With Admin Panel 2.1. |
| CVE-2020-26641 | 1 Idreamsoft | 1 Icms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A Cross Site Request Forgery (CSRF) vulnerability was discovered in iCMS 7.0.16 which can allow an attacker to execute arbitrary web scripts. |
| CVE-2020-26522 | 1 Garfield Petshop Project | 1 Garfield Petshop | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery (CSRF) vulnerability in mod/user/act_user.php in Garfield Petshop through 2020-10-01 allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts. |
| CVE-2020-26516 | 1 Intland | 1 Codebeamer | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A CSRF issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. Requests sent to the server that trigger actions do not contain a CSRF token and can therefore be entirely predicted, allowing attackers to cause the victim's browser to execute undesired actions in the web application through crafted requests. |
| CVE-2020-26033 | 1 Zammad | 1 Zammad | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM | An issue was discovered in Zammad before 3.4.1. The Tag and Link REST API endpoints (for add and delete) lack a CSRF token check. |
| CVE-2020-25986 | 1 Monocms | 1 Monocms | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | A Cross Site Request Forgery (CSRF) vulnerability in MonoCMS Blog 1.0 allows attackers to change the password of a user. |
| CVE-2020-25950 | 1 Totalonlinesolutions | 1 Advanced Webhost Billing System | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | Advanced Webhost Billing System 3.7.0 is affected by Cross Site Request Forgery (CSRF) attacks that can delete a contact from the My Additional Contact page. |
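The CVE-2020-2160 row above describes a CSRF filter and a request router that interpret the same URL path differently. The following is an added example, not Jenkins code and not the specific bypass used against Jenkins: it shows a hypothetical filter that decides on the raw path while the router dispatches on a canonicalised one, and the fix of sharing one canonicaliser. The exempt prefixes, paths and `dispatch` helper are assumptions for illustration.

```python
"""Illustrative example (not Jenkins code): a CSRF filter that decides on the
raw request path while the router dispatches on a canonicalised path, and the
bypass that mismatch enables.  Exempt prefixes and paths are hypothetical."""
from urllib.parse import unquote

# Hypothetical endpoints that may be called without a CSRF token.
CSRF_EXEMPT_PREFIXES = ("/login", "/static/")


def canonicalize(path: str) -> str:
    """Reduce the path forms a typical router tolerates to one canonical form:
    percent-decoding, ';param' suffixes, empty and '.' segments, and '..'."""
    parts = []
    for seg in unquote(path).split("/"):
        seg = seg.split(";", 1)[0]      # strip path parameters such as ;jsessionid=
        if seg in ("", "."):
            continue                    # collapses '//' and '/./'
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def naive_needs_token(raw_path: str) -> bool:
    """Vulnerable: the exemption check looks only at the raw path."""
    return not raw_path.startswith(CSRF_EXEMPT_PREFIXES)


def fixed_needs_token(raw_path: str) -> bool:
    """Fixed: the filter applies the same canonicalisation as the router."""
    return not canonicalize(raw_path).startswith(CSRF_EXEMPT_PREFIXES)


def dispatch(raw_path: str, token_present: bool, needs_token) -> tuple:
    """Simulated request handling: the router always resolves the canonical
    path; the supplied filter decides whether a token was required."""
    target = canonicalize(raw_path)
    if needs_token(raw_path) and not token_present:
        return ("403 missing CSRF token", target)
    return ("200 dispatched", target)


if __name__ == "__main__":
    forged = "/login/../job/demo/build"   # hypothetical forged URL, no token attached
    print(dispatch(forged, False, naive_needs_token))  # reaches /job/demo/build
    print(dispatch(forged, False, fixed_needs_token))  # rejected
```

The practical check when auditing a CSRF filter is to feed it the same path in every encoding the router accepts (percent-encoded segments, `//`, `/./`, `/../`, `;param` suffixes) and confirm the filter and the router agree on the target for each; any disagreement is an exemption an attacker can reach.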
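The CVE-2020-28452 row describes a double-submit cookie check that only tests the header and cookie values for equality and non-emptiness. The following is an added example, not akka-http-session code and not the library's actual fix: it places that weak comparison next to a token the server mints with an HMAC and binds to the session, so a pair of identical attacker-chosen values no longer passes. `SERVER_SECRET`, the session identifiers and the token format are assumptions.

```python
"""Illustrative example (not akka-http-session code): the equality-only
double-submit check next to an HMAC-bound token.  SERVER_SECRET, the session
ids and the 'nonce.mac' token layout are hypothetical."""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # assumed per-deployment secret


def vulnerable_check(cookie_token: str, header_token: str) -> bool:
    """Passes whenever cookie and header carry the same non-empty string.
    Any value an attacker can plant in both places (for example by setting the
    cookie from a sibling subdomain) is accepted, because nothing proves the
    server issued it."""
    return bool(cookie_token) and cookie_token == header_token


def issue_token(session_id: str) -> str:
    """Mint a token only the holder of SERVER_SECRET can produce, tied to one
    session so a token obtained for the attacker's own session is useless."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def hardened_check(session_id: str, cookie_token: str, header_token: str) -> bool:
    """Still requires cookie == header, but also verifies the MAC against the
    current session, so forged pairs and foreign-session tokens are rejected."""
    if not cookie_token or not header_token:
        return False
    if not hmac.compare_digest(cookie_token.encode(), header_token.encode()):
        return False
    nonce, sep, mac = cookie_token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


if __name__ == "__main__":
    planted = "attacker-chosen"                      # same value in cookie and header
    print(vulnerable_check(planted, planted))        # True: bypass
    print(hardened_check("sess-victim", planted, planted))   # False
    real = issue_token("sess-victim")
    print(hardened_check("sess-victim", real, real))  # True
    print(hardened_check("sess-attacker", real, real))  # False: wrong session
```

Binding the token to the session id is what closes the cookie-tossing variant: an attacker with their own account can obtain a genuine token, but it verifies only for the session it was minted for.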
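The CVE-2020-27379 and CVE-2020-26802 rows both describe a state-changing request (an email change) that goes through without a token because the CSRF check is only applied to POST and the handler also accepts GET. The following is an added example, not code from Booking Core or forma.lms: a hypothetical email-change handler with that method-dependent check beside a fixed version that refuses safe methods for state changes and validates the token on every remaining method. `Request`, its fields and the token values are assumptions.

```python
"""Illustrative example (not Booking Core or forma.lms code): an email-change
handler whose CSRF check runs only for POST, so the same change succeeds as an
unprotected GET, next to the fixed handler.  Request, its fields and the
tokens are hypothetical."""
import hmac
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    method: str
    params: dict
    session_token: str          # token the server stored for this session
    submitted_token: str = ""   # token the client sent with the request


def change_email_vulnerable(req: Request, account: dict) -> int:
    """Token validated only when the method is POST; a GET carrying the same
    parameters (for example an <img src=...> on an attacker page) is honoured."""
    if req.method == "POST" and req.submitted_token != req.session_token:
        return 403
    account["email"] = req.params["email"]
    return 200


def change_email_fixed(req: Request, account: dict) -> int:
    """A state change is refused on safe methods outright, and the token is
    checked in constant time on every method that remains."""
    if req.method in SAFE_METHODS:
        return 405
    if not req.submitted_token or not hmac.compare_digest(
        req.submitted_token.encode(), req.session_token.encode()
    ):
        return 403
    account["email"] = req.params["email"]
    return 200


if __name__ == "__main__":
    victim = {"email": "owner@example.test"}          # constructed sample account
    forged = Request("GET", {"email": "attacker@example.test"}, session_token="tok-victim")
    print(change_email_vulnerable(forged, victim), victim["email"])  # 200, email hijacked
    victim = {"email": "owner@example.test"}
    print(change_email_fixed(forged, victim), victim["email"])       # 405, unchanged
```

The general rule this illustrates: route the CSRF check by request safety (everything outside GET/HEAD/OPTIONS) rather than by one method name, and never let a handler that mutates state be reachable through a safe method, because the token check is then never consulted.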