Total: 5731 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2018-1434 | 1 Ibm | 14 San Volume Controller, San Volume Controller Firmware, Spectrum Virtualize and 11 more | 2020-08-19 | 6.8 MEDIUM | 8.8 HIGH | IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) are vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 139474. |
| CVE-2013-6364 | 2 Debian, Horde | 2 Debian Linux, Groupware | 2020-08-18 | 6.8 MEDIUM | 8.8 HIGH | Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book. |
| CVE-2013-6275 | 2 Debian, Horde | 2 Debian Linux, Groupware | 2020-08-18 | 4.3 MEDIUM | 6.5 MEDIUM | Multiple CSRF issues in Horde Groupware Webmail Edition 5.1.2 and earlier in basic.php. |
| CVE-2013-6365 | 3 Debian, Horde, Opensuse | 3 Debian Linux, Groupware, Opensuse | 2020-08-18 | 2.6 LOW | 5.3 MEDIUM | Horde Groupware Web mail 5.1.2 has CSRF with requests to change permissions. |
| CVE-2020-7029 | 1 Avaya | 2 Aura Communication Manager, Aura Messaging | 2020-08-17 | 6.8 MEDIUM | 8.8 HIGH | A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged level of the authenticated user. Affected versions of Communication Manager are 7.0.x, 7.1.x prior to 7.1.3.5 and 8.0.x. Affected versions of Messaging are 7.0.x, 7.1 and 7.1 SP1. |
| CVE-2020-14319 | 1 Redhat | 2 Amq Online, Enmasse | 2020-08-12 | 4.0 MEDIUM | 5.9 MEDIUM | It was found that the AMQ Online console is vulnerable to a Cross-Site Request Forgery (CSRF) which is exploitable in cases where preflight checks are not instigated or bypassed. For example, authorised users using an older browser with Adobe Flash are vulnerable when targeted by an attacker. This flaw affects all versions of AMQ-Online prior to 1.5.2 and Enmasse versions 0.31.0-rc1 up until but not including 0.32.2. |
| CVE-2020-15135 | 1 Save-server Project | 1 Save-server | 2020-08-10 | 6.8 MEDIUM | 7.6 HIGH | save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version 1.05 unintentionally breaks uploading, so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF attack would require you to navigate to a malicious site while you have an active session with Save-Server (Session key stored in cookies). The malicious user would then be able to perform some actions, including uploading/deleting files and adding redirects. If you are logged in as root, this attack is significantly more severe. They can in addition create, delete and update users. If they updated the password of a user, that user's files would then be available. If the root password is updated, all files would be visible if they logged in with the new password. Note that due to the same origin policy malicious actors cannot view the gallery or the response of any of the methods, nor be sure they succeeded. This issue has been patched in version 1.0.7. |
| CVE-2020-5615 | 2 Calendar01 Project, Calendar02 Project | 2 Calendar01, Calendar02 | 2020-08-06 | 6.8 MEDIUM | 8.8 HIGH | Cross-site request forgery (CSRF) vulnerability in [Calendar01] free edition ver1.0.0 and [Calendar02] free edition ver1.0.0 allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
| CVE-2020-16253 | 1 Pghero Project | 1 Pghero | 2020-08-05 | 5.8 MEDIUM | 8.1 HIGH | The PgHero gem through 2.6.0 for Ruby allows CSRF. |
| CVE-2020-16252 | 1 Field Test Project | 1 Field Test | 2020-08-05 | 4.3 MEDIUM | 4.3 MEDIUM | The Field Test gem 0.2.0 through 0.3.2 for Ruby allows CSRF. |
| CVE-2020-15882 | 1 Munkireport Project | 1 Munkireport | 2020-08-05 | 5.8 MEDIUM | 8.1 HIGH | A CSRF issue in manager/delete_machine/{id} in MunkiReport before 5.6.3 allows attackers to delete arbitrary machines from the MunkiReport database. |
| CVE-2020-5770 | 1 Teltonika-networks | 2 Trb245, Trb245 Firmware | 2020-08-04 | 6.8 MEDIUM | 8.8 HIGH | Cross-site request forgery in Teltonika firmware TRB2_R_00.02.04.01 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link. |
| CVE-2017-16244 | 1 Octobercms | 1 October | 2020-08-03 | 6.8 MEDIUM | 8.8 HIGH | Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a certain _handler postback variable. |
| CVE-2020-10984 | 1 Gambio | 1 Gambio Gx | 2020-07-31 | 6.8 MEDIUM | 8.8 HIGH | Gambio GX before 4.0.1.0 allows admin/admin.php CSRF. |
| CVE-2015-7715 | 1 Realtyna | 1 Realtyna Property Listing | 2020-07-30 | 6.8 MEDIUM | 8.8 HIGH | Cross-site request forgery (CSRF) vulnerability in the Realtyna RPL (com_rpl) component before 8.9.5 for Joomla! allows remote attackers to hijack the authentication of administrators for requests that add a user via an add_user action to administrator/index.php. |
| CVE-2015-9233 | 1 Codepeople | 1 Cp Contact Form With Paypal | 2020-07-29 | 6.8 MEDIUM | 8.8 HIGH | The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) plugin before 1.1.6 for WordPress has CSRF with resultant XSS, related to cp_contactformpp.php and cp_contactformpp_admin_int_list.inc.php. |
| CVE-2019-16667 | 1 Netgate | 1 Pfsense | 2020-07-27 | 6.8 MEDIUM | 8.8 HIGH | diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executing OS commands. This occurs because csrf_callback() produces a "CSRF token expired" error and a Try Again button when a CSRF token is missing. |
| CVE-2020-5611 | 1 Wpsocialrocket | 1 Social Sharing | 2020-07-27 | 6.8 MEDIUM | 8.8 HIGH | Cross-site request forgery (CSRF) vulnerability in Social Sharing Plugin versions prior to 1.2.10 allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
| CVE-2020-5767 | 1 Icegram | 1 Email Subscribers & Newsletters | 2020-07-21 | 4.3 MEDIUM | 6.5 MEDIUM | Cross-site request forgery in Icegram Email Subscribers & Newsletters Plugin for WordPress v4.4.8 allows a remote attacker to send forged emails by tricking legitimate users into clicking a crafted link. |
| CVE-2018-10232 | 1 Topdesk | 1 Topdesk | 2020-07-20 | 4.3 MEDIUM | 6.5 MEDIUM | Cross-site request forgery (CSRF) vulnerability in TOPdesk before 8.05.017 (June 2018 version) and before 5.7.SR9 allows remote attackers to hijack the authentication of authenticated users for requests that can obtain sensitive information via unspecified vectors. |
