Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-13259 | 1 Rad | 2 Secflow-1v, Secflow-1v Firmware | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
|
A vulnerability in the web-based management interface of RAD SecFlow-1v os-image SF_0290_2.3.01.26 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary ac ...
Show More |
|||||
| CVE-2020-13231 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change.
|
|||||
| CVE-2020-13186 | 1 Teradici | 1 Cloud Access Connector | 2024-11-21 | 2.6 LOW | 6.5 MEDIUM |
|
An Anti CSRF mechanism was discovered missing in the Teradici Cloud Access Connector v31 and earlier in a specific web form, which allowed an attacker with knowledge of both a machineID and user GUID to modify data if a user clicked a malicious link.
|
|||||
| CVE-2020-13157 | 1 Nukeviet | 1 Nukeviet | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
modules\users\admin\edit.php in NukeViet 4.4 allows CSRF to change a user's password via an admin/index.php?nv=users&op=edit&userid= URI. The old password is not needed.
|
|||||
| CVE-2020-13156 | 1 Nukeviet | 1 Nukeviet | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
modules\users\admin\add_user.php in NukeViet 4.4 allows CSRF to add a user account via the admin/index.php?nv=users&op=user_add URI.
|
|||||
| CVE-2020-13155 | 1 Nukeviet | 1 Nukeviet | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
clearsystem.php in NukeViet 4.4 allows CSRF with resultant HTML injection via the deltype parameter to the admin/index.php?nv=webtools&op=clearsystem URI.
|
|||||
| CVE-2020-12841 | 1 Gogogate | 2 Ismartgate Pro, Ismartgate Pro Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
ismartgate PRO 1.5.9 is vulnerable to CSRF that allows remote attackers to upload imae files via /index.php
|
|||||
| CVE-2020-12840 | 1 Gogogate | 2 Ismartgate Pro, Ismartgate Pro Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
ismartgate PRO 1.5.9 is vulnerable to CSRF that allows remote attackers to upload sound files via /index.php
|
|||||
| CVE-2020-12781 | 1 Combodo | 1 Itop | 2024-11-21 | 6.8 MEDIUM | 5.7 MEDIUM |
|
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.
|
|||||
| CVE-2020-12626 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered.
|
|||||
| CVE-2020-12511 | 1 Pepperl-fuchs | 24 Io-link Master 4-eip, Io-link Master 4-eip Firmware, Io-link Master 4-pnio and 21 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface.
|
|||||
| CVE-2020-12502 | 2 Korenix, Pepperl-fuchs | 46 Jetnet 4510, Jetnet 4510 Firmware, Jetnet 4706 and 43 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) and ICRL-M-8RJ45/4SFP-G-DIN, ICRL-M-16RJ45/4CP-G-DIN FW 1.2.3 and below is prone to unauthenticated device administration.
|
|||||
| CVE-2020-12480 | 1 Lightbend | 1 Play Framework | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.
|
|||||
| CVE-2020-12462 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS.
|
|||||
| CVE-2020-12427 | 3 Apple, Microsoft, Westerndigital | 3 Macos, Windows, Wd Discovery | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The Western Digital WD Discovery application before 3.8.229 for MyCloud Home on Windows and macOS is vulnerable to CSRF, with impacts such as stealing data, modifying disk contents, or exhausting disk space.
|
|||||
| CVE-2020-12282 | 1 Gogogate | 2 Ismartgate Pro, Ismartgate Pro Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
iSmartgate PRO 1.5.9 is vulnerable to CSRF via the busca parameter in the form used for searching for users, accessible via /index.php. (This can be combined with reflected XSS.)
|
|||||
| CVE-2020-12281 | 1 Gogogate | 2 Ismartgate Pro, Ismartgate Pro Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
iSmartgate PRO 1.5.9 is vulnerable to CSRF that allows remote attackers to create a new user via /index.php.
|
|||||
| CVE-2020-12280 | 1 Gogogate | 2 Ismartgate Pro, Ismartgate Pro Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
iSmartgate PRO 1.5.9 is vulnerable to CSRF that allows remote attackers to open/close a specified garage door/gate via /isg/opendoor.php.
|
|||||
| CVE-2020-12257 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
rConfig 3.9.4 is vulnerable to cross-site request forgery (CSRF) because it lacks implementation of CSRF protection such as a CSRF token. An attacker can leverage this vulnerability by creating a form (add a user, delete a user, or edit a user).
|
|||||
| CVE-2020-12123 | 1 Wavlink | 2 Wn530h4, Wn530h4 Firmware | 2024-11-21 | 7.8 HIGH | 8.1 HIGH |
|
CSRF vulnerabilities in the /cgi-bin/ directory of the WAVLINK WN530H4 M30H4.V5030.190403 allow an attacker to remotely access router endpoints, because these endpoints do not contain CSRF tokens. If a user is authenticated in the router portal, then this attack will work.
|
|||||
| CVE-2020-12076 | 1 Supsystic | 1 Data Tables Generator | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The data-tables-generator-by-supsystic plugin before 1.9.92 for WordPress lacks CSRF nonce checks for AJAX actions. One consequence of this is stored XSS.
|
|||||
| CVE-2020-11825 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks. The problem is any CSRF token in any user's session can be used in another user's session. CSRF tokens should not be valid in this situation.
|
|||||
| CVE-2020-11818 | 1 Rukovoditel | 1 Rukovoditel | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
In Rukovoditel 2.5.2 has a form_session_token value to prevent CSRF attacks. This protection mechanism can be bypassed with another user's valid token. Thus, an attacker can change the Admin password by using a CSRF attack and escalate his/her privileges.
|
|||||
| CVE-2020-11706 | 1 Provideserver | 1 Provide Ftp Server | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in ProVide (formerly zFTPServer) through 13.1. The Admin Interface allows CSRF for actions such as: Change any username and password, admin ones included; Create/Delete users; Enable/Disable Services; Set a rogue update proxy; and Shutdown the server.
|
|||||
| CVE-2020-11701 | 1 Provideserver | 1 Provide Ftp Server | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in ProVide (formerly zFTPServer) through 13.1. CSRF exists in the User Web Interface, as demonstrated by granting filesystem access to the public for uploading and deleting files and directories.
|
|||||
| CVE-2020-11682 | 1 Castel | 2 Nextgen Dvr, Nextgen Dvr Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Castel NextGen DVR v1.0.0 is vulnerable to CSRF in all state-changing request. A __RequestVerificationToken is set by the web interface, and included in requests sent by web interface. However, this token is not verified by the application: the token can be removed from all requests and the request will succeed.
|
|||||
| CVE-2020-11627 | 1 Primekey | 1 Ejbca | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. A Cross Site Request Forgery (CSRF) issue has been found in the CA UI.
|
|||||
| CVE-2020-11553 | 1 Castlerock | 1 Snmpc Online | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28. There is pervasive CSRF.
|
|||||
| CVE-2020-11485 | 2 Intel, Nvidia | 2 Bmc Firmware, Dgx-1 | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contains a Cross-Site Request Forgery (CSRF) vulnerability in the AMI BMC firmware in which the web application does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request, which can lead to information disclosure or code execution.
|
|||||
| CVE-2020-11438 | 1 Librehealth | 1 Librehealth Ehr | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
LibreHealth EMR v2.0.0 is affected by systemic CSRF.
|
|||||
| CVE-2020-11069 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 6.8 MEDIUM | 8.0 HIGH |
|
In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server. Scripts are then executed with the privileges of the victims' user session. In a worst-case scenario, new admin users can be created which can directly be used by an attacker. The vulnera ...
Show More |
|||||
| CVE-2020-11060 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 9.0 HIGH | 7.4 HIGH |
|
In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.
|
|||||
| CVE-2020-11003 | 1 Fraction | 1 Oasis | 2024-11-21 | 5.8 MEDIUM | 4.8 MEDIUM |
|
Oasis before version 2.15.0 has a potential DNS rebinding or CSRF vulnerability. If you're running a vulnerable application on your computer and an attacker can trick you into visiting a malicious website, they could use DNS rebinding and CSRF attacks to read/write to vulnerable applications. This has been patched in 2.15.0.
|
|||||
| CVE-2020-10986 | 1 Tenda | 2 Ac15, Ac15 Firmware | 2024-11-21 | 7.1 HIGH | 6.5 MEDIUM |
|
A CSRF issue in the /goform/SysToolReboot endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to reboot the device and cause denial of service via a payload hosted by an attacker-controlled web page.
|
|||||
| CVE-2020-10984 | 1 Gambio | 1 Gambio Gx | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Gambio GX before 4.0.1.0 allows admin/admin.php CSRF.
|
|||||
| CVE-2020-10892 | 2 Foxitsoftware, Microsoft | 3 Phantompdf, Reader, Windows | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.7.0.29478. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the communication API. The issue lies in the handling of the CombineFiles command, which allows an arbitrary file write with attacker controlled data. An attacker can leverage this vulnerability to execute co ...
Show More |
|||||
| CVE-2020-10890 | 2 Foxitsoftware, Microsoft | 3 Phantompdf, Reader, Windows | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.7.0.29478. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the communication API. The issue lies in the handling of the ConvertToPDF command, which allows an arbitrary file write with attacker controlled data. An attacker can leverage this vulnerability to execute co ...
Show More |
|||||
| CVE-2020-10771 | 3 Infinispan, Netapp, Redhat | 3 Infinispan-server-rest, Oncommand Insight, Data Grid | 2024-11-21 | 5.8 MEDIUM | 7.1 HIGH |
|
A flaw was found in Infinispan version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a cross-site request forgery (CSRF) attack.
|
|||||
| CVE-2020-10734 | 1 Redhat | 4 Jboss Fuse, Keycloak, Openshift Application Runtimes and 1 more | 2024-11-21 | 2.1 LOW | 3.3 LOW |
|
A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable.
|
|||||
| CVE-2020-10671 | 1 Canon | 2 Oce Colorwave 500, Oce Colorwave 500 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The Canon Oce Colorwave 500 4.0.0.0 printer's web application is missing any form of CSRF protections. This is a system-wide issue. An attacker could perform administrative actions by targeting a logged-in administrative user. NOTE: this is fixed in the latest version.
|
|||||