Total
7225 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-8658 | 1 Bestwebsoft | 1 Htaccess | 2020-02-07 | 6.8 MEDIUM | 8.8 HIGH |
| The BestWebSoft Htaccess plugin through 1.8.1 for WordPress allows wp-admin/admin.php?page=htaccess.php&action=htaccess_editor CSRF. The flag htccss_nonce_name passes the nonce to WordPress but the plugin does not validate it correctly, resulting in a wrong implementation of anti-CSRF protection. In this way, an attacker is able to direct the victim to a malicious web page that modifies the .htaccess file, and takes control of the website. | |||||
| CVE-2020-8425 | 1 Cups Easy \(purchase \& Inventory\) Project | 1 Cups Easy \(purchase \& Inventory\) | 2020-02-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cups Easy (Purchase & Inventory) 1.0 is vulnerable to CSRF that leads to admin account deletion via userdelete.php. | |||||
| CVE-2011-0525 | 1 Batavi | 1 Batavi | 2020-02-07 | 6.8 MEDIUM | 8.8 HIGH |
| Batavi before 1.0 has CSRF. | |||||
| CVE-2020-8420 | 1 Joomla | 1 Joomla\! | 2020-02-07 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Joomla! before 3.9.15. A missing CSRF token check in the LESS compiler of com_templates causes a CSRF vulnerability. | |||||
| CVE-2020-8419 | 1 Joomla | 1 Joomla\! | 2020-02-06 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Joomla! before 3.9.15. Missing token checks in the batch actions of various components cause CSRF vulnerabilities. | |||||
| CVE-2020-8417 | 1 Codesnippets | 1 Code Snippets | 2020-02-06 | 6.8 MEDIUM | 8.8 HIGH |
| The Code Snippets plugin before 2.14.0 for WordPress allows CSRF because of the lack of a Referer check on the import menu. | |||||
| CVE-2020-6849 | 1 Hutchhouse | 1 Marketo Forms And Tracking | 2020-02-06 | 6.8 MEDIUM | 8.8 HIGH |
| The marketo-forms-and-tracking plugin through 1.0.2 for WordPress allows wp-admin/admin.php?page=marketo_fat CSRF with resultant XSS. | |||||
| CVE-2019-4613 | 1 Ibm | 1 Planning Analytics | 2020-02-06 | 6.8 MEDIUM | 8.8 HIGH |
| IBM Planning Analytics 2.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 168524. | |||||
| CVE-2020-8505 | 1 Arox | 1 School Management Software Php\/mysql | 2020-02-05 | 4.3 MEDIUM | 6.5 MEDIUM |
| School Management Software PHP/mySQL through 2019-03-14 allows office_admin/?action=deleteadmin CSRF to delete a user. | |||||
| CVE-2020-8504 | 1 Arox | 1 School Management Software Php\/mysql | 2020-02-05 | 4.3 MEDIUM | 6.5 MEDIUM |
| School Management Software PHP/mySQL through 2019-03-14 allows office_admin/?action=addadmin CSRF to add an administrative user. | |||||
| CVE-2019-3864 | 1 Redhat | 1 Quay | 2020-02-05 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability was discovered in all quay-2 versions before quay-3.0.0, in the Quay web GUI where POST requests include a specific parameter which is used as a CSRF token. The token is not refreshed for every request or when a user logged out and in again. An attacker could use a leaked token to gain access to the system using the user's account. | |||||
| CVE-2013-4865 | 1 Micasaverde | 2 Veralite, Veralite Firmware | 2020-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in upgrade_step2.sh in MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to hijack the authentication of users for requests that install arbitrary firmware via the squashfs parameter. | |||||
| CVE-2013-4240 | 1 Hitmyserver | 1 Hms Testimonials | 2020-02-03 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the HMS Testimonials plugin before 2.0.11 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add new testimonials via the hms-testimonials-addnew page, (2) add new groups via the hms-testimonials-addnewgroup page, (3) change default settings via the hms-testimonials-settings page, (4) change advanced settings via the hms-testimonials-settings-advanced page, (5) change custom fields settings via the hms-testimonials-settings-fields page, or (6) change template settings via the hms-testimonials-templates-new page to wp-admin/admin.php. | |||||
| CVE-2020-7965 | 1 Webargs Project | 1 Webargs | 2020-02-03 | 6.8 MEDIUM | 8.8 HIGH |
| flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF. | |||||
| CVE-2015-5483 | 1 Private Only Project | 1 Private Only | 2020-01-31 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Private Only plugin 3.5.1 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add users, (2) delete posts, or (3) modify PHP files via unspecified vectors, or (4) conduct cross-site scripting (XSS) attacks via the po_logo parameter in the privateonly.php page to wp-admin/options-general.php. | |||||
| CVE-2013-3093 | 1 Asus | 14 Dsl-n55u, Dsl-n55u Firmware, Rt-ac66u and 11 more | 2020-01-31 | 9.3 HIGH | 8.8 HIGH |
| ASUS RT-N56U devices allow CSRF. | |||||
| CVE-2018-12415 | 1 Tibco | 1 Enterprise Message Service | 2020-01-29 | 6.8 MEDIUM | 8.8 HIGH |
| The Central Administration server (emsca) component of TIBCO Software Inc.'s TIBCO Enterprise Message Service, TIBCO Enterprise Message Service - Community Edition, and TIBCO Enterprise Message Service - Developer Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Enterprise Message Service: versions 8.4.0 and below, TIBCO Enterprise Message Service - Community Edition: versions 8.4.0 and below, and TIBCO Enterprise Message Service - Developer Edition: versions 8.4.0 and below. | |||||
| CVE-2012-2713 | 2 Browserid Project, Drupal | 2 Browserid, Drupal | 2020-01-27 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the BrowserID (Mozilla Persona) module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that login a user to another web site. | |||||
| CVE-2011-3582 | 1 Anelectron | 1 Advanced Electron Forums | 2020-01-27 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-site Request Forgery (CSRF) vulnerability exists in Advanced Electron Forums (AEF) through 1.0.9 due to inadequate confirmation for sensitive transactions in the administrator functions. | |||||
| CVE-2011-3612 | 1 Usebb | 1 Usebb | 2020-01-24 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability exists in panel.php in UseBB before 1.0.12. | |||||