Total
7225 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-10671 | 1 Canon | 2 Oce Colorwave 500, Oce Colorwave 500 Firmware | 2020-03-23 | 6.8 MEDIUM | 8.8 HIGH |
| The Canon Oce Colorwave 500 4.0.0.0 printer's web application is missing any form of CSRF protections. This is a system-wide issue. An attacker could perform administrative actions by targeting a logged-in administrative user. NOTE: this is fixed in the latest version. | |||||
| CVE-2018-21037 | 1 Intelliants | 1 Subrion | 2020-03-20 | 6.8 MEDIUM | 8.8 HIGH |
| Subrion CMS 4.1.5 (and possibly earlier versions) allow CSRF to change the administrator password via the panel/members/edit/1 URI. | |||||
| CVE-2020-4199 | 1 Ibm | 1 Tivoli Netcool\/omnibus | 2020-03-19 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM Tivoli Netcool/OMNIbus 8.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 174910. | |||||
| CVE-2020-10241 | 1 Joomla | 1 Joomla\! | 2020-03-18 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Joomla! before 3.9.16. Missing token checks in the image actions of com_templates lead to CSRF. | |||||
| CVE-2019-13199 | 1 Kyocera | 2 Ecosys M5526cdw, Ecosys M5526cdw Firmware | 2020-03-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) did not implement any mechanism to avoid CSRF. Successful exploitation of this vulnerability can lead to the takeover of a local account on the device. | |||||
| CVE-2019-13395 | 1 Netgear | 2 Cg3700b, Cg3700b Firmware | 2020-03-18 | 6.8 MEDIUM | 8.8 HIGH |
| The Voo branded NETGEAR CG3700b custom firmware V2.02.03 allows CSRF against all /goform/ URIs. An attacker can modify all settings including WEP/WPA/WPA2 keys, restore the router to factory settings, or even upload an entire malicious configuration file. | |||||
| CVE-2020-10540 | 1 Untis | 1 Webuntis | 2020-03-18 | 6.8 MEDIUM | 8.8 HIGH |
| Untis WebUntis before 2020.9.6 allows CSRF for certain combinations of rights and modules. | |||||
| CVE-2019-17653 | 1 Fortinet | 1 Fortisiem | 2020-03-18 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability in the user interface of Fortinet FortiSIEM 5.2.5 could allow a remote, unauthenticated attacker to perform arbitrary actions using an authenticated user's session by persuading the victim to follow a malicious link. | |||||
| CVE-2019-13170 | 1 Xerox | 2 Phaser 3320, Phaser 3320 Firmware | 2020-03-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| Some Xerox printers (such as the Phaser 3320 V53.006.16.000) did not implement any mechanism to avoid CSRF attacks. Successful exploitation of this vulnerability can lead to the takeover of a local account on the device. | |||||
| CVE-2019-10673 | 1 Ultimatemember | 1 Ultimate Member | 2020-03-16 | 9.3 HIGH | 8.8 HIGH |
| A CSRF vulnerability in a logged-in user's profile edit form in the Ultimate Member plugin before 2.0.40 for WordPress allows attackers to become admin and subsequently extract sensitive information and execute arbitrary code. This occurs because the attacker can change the e-mail address in the administrator profile, and then the attacker is able to reset the administrator password using the WordPress "password forget" form. | |||||
| CVE-2019-4726 | 1 Ibm | 1 Sterling B2b Integrator | 2020-03-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 172363. | |||||
| CVE-2020-6206 | 1 Sap | 1 Cloud Platform Integration | 2020-03-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| SAP Cloud Platform Integration for Data Services, version 1.0, allows user inputs to be reflected as error or warning massages. This could mislead the victim to follow malicious instructions inserted by external attackers, leading to Cross Site Request Forgery. | |||||
| CVE-2019-16107 | 1 Phpbb | 1 Phpbb | 2020-03-11 | 4.3 MEDIUM | 4.3 MEDIUM |
| Missing form token validation in phpBB 3.2.7 allows CSRF in deleting post attachments. | |||||
| CVE-2020-7988 | 1 Phpipam | 1 Phpipam | 2020-03-05 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in tools/pass-change/result.php in phpIPAM 1.4. CSRF can be used to change the password of any user/admin, to escalate privileges, and to gain access to more data and functionality. This issue exists due to the lack of a requirement to provide the old password, and the lack of security tokens. | |||||
| CVE-2020-10057 | 1 Metalgenix | 1 Genixcms | 2020-03-05 | 6.8 MEDIUM | 8.8 HIGH |
| GeniXCMS 1.1.7 is vulnerable to user privilege escalation due to broken access control. This issue exists because of an incomplete fix for CVE-2015-2680, in which "token" is used as a CSRF protection mechanism, but without validation that "token" is associated with an administrative user. | |||||
| CVE-2020-3148 | 1 Cisco | 1 Prime Network Registrar | 2020-03-05 | 4.3 MEDIUM | 7.1 HIGH |
| A vulnerability in the web-based interface of Cisco Prime Network Registrar (CPNR) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections in the web-based interface. An attacker could exploit this vulnerability by persuading a targeted user, with an active administrative session on the affected device, to click a malicious link. A successful exploit could allow an attacker to change the device's configuration, which could include the ability to edit or create user accounts of any privilege level. Some changes to the device's configuration could negatively impact the availability of networking services for other devices on networks managed by CPNR. | |||||
| CVE-2019-20487 | 1 Netgear | 2 Wnr1000, Wnr1000 Firmware | 2020-03-04 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multiple actions within the WNR1000V4 web management console are vulnerable to an unauthenticated GET request (exploitable directly or through CSRF), as demonstrated by the setup.cgi?todo=save_htp_account URI. | |||||
| CVE-2015-1583 | 1 Atutor | 1 Atutor | 2020-03-04 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account via a request to mods/_core/users/admins/create.php or (2) create a user account via a request to mods/_core/users/create_user.php. | |||||
| CVE-2020-5402 | 1 Cloudfoundry | 2 Cf-deployment, User Account And Authentication | 2020-03-03 | 6.8 MEDIUM | 8.8 HIGH |
| In Cloud Foundry UAA, versions prior to 74.14.0, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function when authenticating with external identity providers. | |||||
| CVE-2017-8848 | 1 Allen Disk Project | 1 Allen Disk | 2020-03-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| Allen Disk 1.6 has CSRF in setpass.php with an impact of changing a password. | |||||