Total: 7170 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2020-15043 | 1 Iball | 2 Wrb303n, Wrb303n Firmware | 2024-11-21 | 6.5 Medium | iBall WRB303N devices allow CSRF attacks, as demonstrated by enabling remote management, enabling DHCP, or modifying the subnet range for IP addresses. |
CVE-2020-15014 | 1 Pramod | 1 Blogcms | 2024-11-21 | 8.8 High | pramodmahato BlogCMS through 2019-12-31 has CSRF in admin/changepass.php. |
CVE-2020-14989 | 1 Bloomreach | 1 Experience Manager | 2024-11-21 | 6.5 Medium | An issue was discovered in Bloomreach Experience Manager (brXM) 4.1.0 through 14.2.2. It allows CSRF if the attacker uses GET where POST was intended. |
CVE-2020-14506 | 1 Philips | 1 Clinical Collaboration Platform | 2024-11-21 | 4.3 Medium | Philips Clinical Collaboration Platform, versions 12.2.1 and prior: the product receives input or data but does not validate, or incorrectly validates, that the input has the properties required to process it safely and correctly. |
CVE-2020-14432 | 1 Netgear | 24 Rbk752, Rbk752 Firmware, Rbk753 and 21 more | 2024-11-21 | 8.8 High | Certain NETGEAR devices are affected by CSRF. This affects RBK752 before 3.2.15.25, RBK753 before 3.2.15.25, RBK753S before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK842 before 3.2.15.25, RBR840 before 3.2.15.25, RBS840 before 3.2.15.25, RBK852 before 3.2.15.25, RBK853 before 3.2.15.25, RBR850 before 3.2.15.25, and RBS850 before 3.2.15.25. |
CVE-2020-14369 | 1 Redhat | 2 Cloudforms, Cloudforms Managementengine | 2024-11-21 | 6.3 Medium | A Cross-Site Request Forgery vulnerability was found in Red Hat CloudForms that forces end users to execute unwanted actions on a web application in which they are currently authenticated. An attacker can send a forged HTTP request to the server by crafting a custom Flash file, which can force the user to perform state-changing requests such as provisioning VMs or running Ansible playbooks. |
CVE-2020-14368 | 1 Eclipse | 1 Che | 2024-11-21 | 7.1 High | A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookie authentication, the Theia IDE does not properly set the SameSite cookie attribute, allowing Cross-Site Request Forgery (CSRF) and consequently a cross-site WebSocket hijack of the Theia IDE. This flaw allows an attacker to gain full access to the victim's workspace through the /services endpoint. To perform a successful attack, the attacker conducts a man-in-the-middle (MITM) attack and tricks the victim into executing a request via an untrusted link, which performs the CSRF and the socket hijack. The highest threat from this vulnerability is to confidentiality, integrity, and system availability. |
CVE-2020-14319 | 1 Redhat | 2 Amq Online, Enmasse | 2024-11-21 | 5.9 Medium | The AMQ Online console is vulnerable to Cross-Site Request Forgery (CSRF), exploitable in cases where CORS preflight checks are not initiated or are bypassed; for example, authorised users on an older browser with Adobe Flash are vulnerable when targeted by an attacker. This flaw affects all versions of AMQ Online prior to 1.5.2 and EnMasse versions from 0.31.0-rc1 up to but not including 0.32.2. |
CVE-2020-14203 | 1 Ibi | 1 Webfocus Business Intelligence | 2024-11-21 | 8.8 High | WebFOCUS Business Intelligence 8.0 (SP6) allows a Cross-Site Request Forgery (CSRF) attack against administrative users within the /ibi_apps/WFServlet(.ibfs) endpoint. The impact may be creation of an administrative user. It can also be exploited in conjunction with CVE-2016-9044. |
CVE-2020-14043 | 1 Codiad | 1 Codiad | 2024-11-21 | 8.8 High | ** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Cross-Site Request Forgery (CSRF) vulnerability was found in Codiad v1.7.8 and later. The request to download a plugin from the marketplace is only available to admin users and is not CSRF protected in components/market/controller.php. This might cause admins to make a vulnerable request without knowing it and result in remote code execution. NOTE: the vendor states "Codiad is no longer under active maintenance by core contributors." |
CVE-2020-14025 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2024-11-21 | 8.8 High | Ozeki NG SMS Gateway through 4.17.6 has multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes such as installing new modules or changing a password. |
CVE-2020-13868 | 1 Verbb | 1 Comments | 2024-11-21 | 6.5 Medium | An issue was discovered in the Comments plugin before 1.5.5 for Craft CMS. CSRF affects comment integrity. |
CVE-2020-13786 | 1 Dlink | 2 Dir-865l, Dir-865l Firmware | 2024-11-21 | 8.8 High | D-Link DIR-865L Ax 1.20B01 Beta devices allow CSRF. |
CVE-2020-13760 | 1 Joomla | 1 Joomla! | 2024-11-21 | 8.8 High | In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF. |
CVE-2020-13674 | 1 Drupal | 1 Drupal | 2024-11-21 | 6.5 Medium | The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability. |
CVE-2020-13673 | 1 Drupal | 1 Entity Embed | 2024-11-21 | 6.1 Medium | The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting. |
CVE-2020-13663 | 1 Drupal | 1 Drupal | 2024-11-21 | 8.8 High | Cross-Site Request Forgery vulnerability in Drupal core: the Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities. |
CVE-2020-13658 | 1 Lansweeper | 1 Lansweeper | 2024-11-21 | 8.0 High | In Lansweeper 8.0.130.17, the web console is vulnerable to a CSRF attack that would allow a low-level Lansweeper user to elevate their privileges within the application. |
CVE-2020-13643 | 1 Siteorigin | 1 Page Builder | 2024-11-21 | 8.8 High | An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The live editor feature did not do any nonce verification, allowing requests to be forged on behalf of an administrator. The live_editor_panels_data $_POST variable allows malicious JavaScript to be executed in the victim's browser. |
CVE-2020-13642 | 1 Siteorigin | 1 Page Builder | 2024-11-21 | 8.8 High | An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The action_builder_content function did not do any nonce verification, allowing requests to be forged on behalf of an administrator. The panels_data $_POST variable allows malicious JavaScript to be executed in the victim's browser. |
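The entries above share a handful of concrete failure modes: a state-changing endpoint that accepts GET (CVE-2020-14989), a session cookie issued without SameSite (CVE-2020-14368), a request path that sidesteps preflight or arrives with no Origin (CVE-2020-14319, CVE-2020-14369), and a handler with no token or nonce check at all (CVE-2020-13643, CVE-2020-13642, CVE-2020-13760). The Python below is an added illustration, not code from any listed product: it models a cookie-authenticated admin action the way those products handled it, beside a hardened version of the same action, and runs constructed requests through both. SITE_ORIGIN, the Request class, the handler names and every sample request are assumptions made for the example.

```python
"""CSRF failure modes from the listing above, simulated in one place.

Added illustration, not code from any listed product. The Request class,
the handler names and SITE_ORIGIN are assumptions; the requests built in
demo() are constructed, not captured traffic.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

SITE_ORIGIN = "https://app.example"  # assumed origin of the protected app


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def new_session():
    """Server-side session: a session id plus a per-session CSRF token."""
    return {"sid": secrets.token_urlsafe(16), "csrf": secrets.token_urlsafe(32)}


def session_cookie_header(session, samesite="Lax"):
    """Set-Cookie value for the session cookie. Leaving SameSite unset (the
    Theia/Che flaw, CVE-2020-14368) lets browsers attach the cookie to
    cross-site requests, including a WebSocket handshake."""
    attrs = [f"sid={session['sid']}", "Path=/", "Secure", "HttpOnly"]
    if samesite:
        attrs.append(f"SameSite={samesite}")
    return "; ".join(attrs)


def vulnerable_handler(req, session):
    """The pattern behind most entries: cookie-only auth, any HTTP method,
    no anti-CSRF token. Returns the action it would carry out."""
    if req.cookies.get("sid") != session["sid"]:
        return "denied: not logged in"
    params = req.form if req.method == "POST" else dict(parse_qsl(urlsplit(req.url).query))
    return f"performed: {params.get('action')}"


def hardened_handler(req, session):
    """Hardened check: POST only (CVE-2020-14989 accepted GET), the request
    must come from the site's own origin, and the form must carry the
    session's token (the missing nonce check in CVE-2020-13643/13642)."""
    if req.cookies.get("sid") != session["sid"]:
        return "denied: not logged in"
    if req.method != "POST":
        return "denied: state change must use POST"
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None:
        # A client that suppresses both headers (the Flash-era cases above)
        # gets no benefit of the doubt.
        return "denied: no Origin/Referer"
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return "denied: cross-site origin"
    token = req.form.get("csrf_token", "")
    # compare_digest on bytes: constant time and safe for non-ASCII input
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return "denied: bad CSRF token"
    return f"performed: {req.form.get('action')}"


def demo():
    """Run constructed requests through both handlers; returns
    {case: (vulnerable result, hardened result)}."""
    s = new_session()
    victim = {"sid": s["sid"]}  # the victim's browser attaches this automatically
    cases = {
        # <img src="https://app.example/admin?action=enable_remote_mgmt"> on an attacker page
        "forged_get": Request("GET", f"{SITE_ORIGIN}/admin?action=enable_remote_mgmt",
                              headers={"Referer": "https://evil.example/"}, cookies=victim),
        # auto-submitted cross-site <form method=POST>; browsers send Origin on POST
        "forged_post": Request("POST", f"{SITE_ORIGIN}/admin",
                               headers={"Origin": "https://evil.example"}, cookies=victim,
                               form={"action": "change_password", "new": "pwned"}),
        # plugin-driven request with Origin and Referer stripped and no token
        "forged_post_no_origin": Request("POST", f"{SITE_ORIGIN}/admin", cookies=victim,
                                         form={"action": "provision_vm"}),
        # same-site form that forgot to include the token
        "same_site_no_token": Request("POST", f"{SITE_ORIGIN}/admin",
                                      headers={"Origin": SITE_ORIGIN}, cookies=victim,
                                      form={"action": "change_password"}),
        # legitimate submission carrying the session token
        "legit_post": Request("POST", f"{SITE_ORIGIN}/admin",
                              headers={"Origin": SITE_ORIGIN}, cookies=victim,
                              form={"action": "change_password", "csrf_token": s["csrf"]}),
    }
    return {name: (vulnerable_handler(r, s), hardened_handler(r, s)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (weak, strong) in demo().items():
        print(f"{name:22} vulnerable={weak!r:40} hardened={strong!r}")
```

The three checks are deliberately layered: SameSite=Lax on the cookie stops the cross-site POST and WebSocket cases but still sends the cookie on top-level GET navigations, which is exactly why an endpoint that mutates state on GET stays exploitable; the Origin/Referer check catches clients that can't be made to send a forged same-site origin; and the per-session token is what survives when a legacy client strips both headers. Denying a request that carries neither header is a policy choice that breaks some privacy-proxied users, so pair it with the token rather than relying on it alone.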