Total
7170 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-16610 | 1 Hoosk | 1 Hoosk | 2024-11-21 | 4.3 Medium |
| Hoosk Codeigniter CMS before 1.7.2 is affected by a Cross Site Request Forgery (CSRF). When an attacker induces authenticated admin user to a malicious web page, any accounts can be deleted without admin user's intention. | ||||
| CVE-2020-16256 | 1 Winstonprivacy | 2 Winston, Winston Firmware | 2024-11-21 | 8.8 High |
| The API on Winston 1.5.4 devices is vulnerable to CSRF. | ||||
| CVE-2020-16253 | 1 Pghero Project | 1 Pghero | 2024-11-21 | 8.1 High |
| The PgHero gem through 2.6.0 for Ruby allows CSRF. | ||||
| CVE-2020-16252 | 1 Field Test Project | 1 Field Test | 2024-11-21 | 4.3 Medium |
| The Field Test gem 0.2.0 through 0.3.2 for Ruby allows CSRF. | ||||
| CVE-2020-16208 | 1 Redlion | 4 N-tron 702-w, N-tron 702-w Firmware, N-tron 702m12-w and 1 more | 2024-11-21 | 8.8 High |
| The affected product is vulnerable to cross-site request forgery, which may allow an attacker to modify different configurations of a device by luring an authenticated user to click on a crafted link on the N-Tron 702-W / 702M12-W (all versions). | ||||
| CVE-2020-15882 | 1 Munkireport Project | 1 Munkireport | 2024-11-21 | 8.1 High |
| A CSRF issue in manager/delete_machine/{id} in MunkiReport before 5.6.3 allows attackers to delete arbitrary machines from the MunkiReport database. | ||||
| CVE-2020-15789 | 1 Siemens | 1 Polarion Subversion Webclient | 2024-11-21 | 8.1 High |
| A vulnerability has been identified in Polarion Subversion Webclient (All versions). The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires user interaction by a legitimate user, who must be authenticated to the web interface. A successful attack could allow an attacker to trigger actions via the web interface that the legitimate user is allowed to perform. This could allow the attacker to read or modify contents of the web application. | ||||
| CVE-2020-15711 | 1 Misp | 1 Misp | 2024-11-21 | 8.8 High |
| In MISP before 2.4.129, setting a favourite homepage was not CSRF protected. | ||||
| CVE-2020-15700 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 6.3 Medium |
| An issue was discovered in Joomla! through 3.9.19. A missing token check in the ajax_install endpoint of com_installer causes a CSRF vulnerability. | ||||
| CVE-2020-15695 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 6.3 Medium |
| An issue was discovered in Joomla! through 3.9.19. A missing token check in the remove request section of com_privacy causes a CSRF vulnerability. | ||||
| CVE-2020-15660 | 1 Mozilla | 1 Geckodriver | 2024-11-21 | 8.8 High |
| Missing checks on Content-Type headers in geckodriver before 0.27.0 could lead to a CSRF vulnerability, that might, when paired with a specifically prepared request, lead to remote code execution. | ||||
| CVE-2020-15600 | 1 Cmsuno Project | 1 Cmsuno | 2024-11-21 | 6.5 Medium |
| An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password. | ||||
| CVE-2020-15516 | 1 Mm Forum Project | 1 Mm Forum | 2024-11-21 | 5.4 Medium |
| The mm_forum extension through 1.9.5 for TYPO3 allows XSS that can be exploited via CSRF. | ||||
| CVE-2020-15400 | 1 Cakefoundation | 1 Cakephp | 2024-11-21 | 4.3 Medium |
| CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS. | ||||
| CVE-2020-15259 | 1 Auth0 | 1 Ad\/ldap Connector | 2024-11-21 | 8.1 High |
| ad-ldap-connector's admin panel before version 5.0.13 does not provide csrf protection, which when exploited may result in remote code execution or confidential data loss. CSRF exploits may occur if the user visits a malicious page containing CSRF payload on the same machine that has access to the ad-ldap-connector admin console via a browser. You may be affected if you use the admin console included with ad-ldap-connector versions <=5.0.12. If you do not have ad-ldap-connector admin console enabled or do not visit any other public URL while on the machine it is installed on, you are not affected. The issue is fixed in version 5.0.13. | ||||
| CVE-2020-15182 | 2 Soy Cms Project, Soy Inquiry Project | 2 Soy Cms, Soy Inquiry | 2024-11-21 | 8.4 High |
| The SOY Inquiry component of SOY CMS is affected by Cross-site Request Forgery (CSRF) and Remote Code Execution (RCE). The vulnerability affects versions 2.0.0.3 and earlier of SOY Inquiry. This allows remote attackers to force the administrator to edit files once the administrator loads a specially crafted webpage. An administrator must be logged in for exploitation to be possible. This issue is fixed in SOY Inquiry version 2.0.0.4 and included in SOY CMS 3.0.2.328. | ||||
| CVE-2020-15156 | 1 Nodebb | 1 Blog Comments | 2024-11-21 | 6.8 Medium |
| In nodebb-plugin-blog-comments before version 0.7.0, a logged in user is vulnerable to an XSS attack which could allow a third party to post on their behalf on the forum. This is due to lack of CSRF validation. | ||||
| CVE-2020-15151 | 2 Magento, Openmage | 2 Magento, Openmage Long Term Support | 2024-11-21 | 8 High |
| OpenMage LTS before versions 19.4.6 and 20.0.2 allows attackers to circumvent the `fromkey protection` in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks. This issue is related to Adobe's CVE-2020-9690. It is patched in versions 19.4.6 and 20.0.2. | ||||
| CVE-2020-15135 | 1 Save-server Project | 1 Save-server | 2024-11-21 | 6.7 Medium |
| save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF attack would require you to navigate to a malicious site while you have an active session with Save-Server (Session key stored in cookies). The malicious user would then be able to perform some actions, including uploading/deleting files and adding redirects. If you are logged in as root, this attack is significantly more severe. They can in addition create, delete and update users. If they updated the password of a user, that user's files would then be available. If the root password is updated, all files would be visible if they logged in with the new password. Note that due to the same origin policy malicious actors cannot view the gallery or the response of any of the methods, nor be sure they succeeded. This issue has been patched in version 1.0.7. | ||||
| CVE-2020-15046 | 1 Supermicro | 3 X10drh-it, X10drh-it Bios, X10drh-it Firmware | 2024-11-21 | 8.8 High |
| The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40 allows remote attackers to exploit a cgi/config_user.cgi CSRF issue to add new admin users. The fixed versions are BIOS 3.2 and firmware 03.88. | ||||