Total
7410 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-29458 | 1 Textpattern | 1 Textpattern | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Textpattern CMS 4.6.2 allows CSRF via the prefs subsystem. | |||||
| CVE-2020-29292 | 1 Iball | 2 Wrd12en, Wrd12en Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| iBall WRD12EN 1.0.0 devices allow cross-site request forgery (CSRF) attacks as demonstrated by enabling DNS settings or modifying the range for IP addresses. | |||||
| CVE-2020-29254 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These action include allowing attackers to submit their own code through an authenticated user resulting in local file Inclusion. If an authenticated user who is able to edit TikiWiki templates visits an malicious website, template code can be edited. | |||||
| CVE-2020-29030 | 1 Secomea | 1 Gatemanager Firmware | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in web GUI of Secomea GateManager allows an attacker to execute malicious code. This issue affects: Secomea GateManager All versions prior to 9.4. | |||||
| CVE-2020-29004 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack. | |||||
| CVE-2020-28931 | 1 Epson | 2 Eps Tse Server 8, Eps Tse Server 8 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Lack of an anti-CSRF token in the entire administrative interface in EPSON EPS TSE Server 8 (21.0.11) allows an unauthenticated attacker to force an administrator to execute external POST requests by visiting a malicious website. | |||||
| CVE-2020-28858 | 1 Openasset | 1 Digital Asset Management | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly verify whether a request made to the application was intentionally made by the user, allowing for cross-site request forgery attacks on all user functions. | |||||
| CVE-2020-28846 | 1 Seacms | 1 Seacms | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross Site Request Forgery (CSRF) vulnerability exists in SeaCMS 10.7 in admin_manager.php, which could let a malicious user add an admin account. | |||||
| CVE-2020-28838 | 1 Opencart | 1 Opencart | 2024-11-21 | 3.5 LOW | 3.5 LOW |
| Cross Site Request Forgery (CSRF) in CART option in OpenCart Ltd. Opencart CMS 3.0.3.6 allows attacker to add cart items via Add to cart. | |||||
| CVE-2020-28705 | 1 Thedaylightstudio | 1 Fuel Cms | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| FUEL CMS 1.4.13 contains a cross-site request forgery (CSRF) vulnerability that can delete a page via a post ID to /pages/delete/3. | |||||
| CVE-2020-28649 | 1 Orbisius | 1 Child Theme Creator | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The orbisius-child-theme-creator plugin before 1.5.2 for WordPress allows CSRF via orbisius_ctc_theme_editor_manage_file. | |||||
| CVE-2020-28644 | 1 Owncloud | 1 Owncloud | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The CSRF (Cross Site Request Forgery) token check was improperly implemented on cookie authenticated requests against some ocs API endpoints. This affects ownCloud/core version < 10.6. | |||||
| CVE-2020-28452 | 1 Softwaremill | 1 Akka-http-session | 2024-11-21 | 6.8 MEDIUM | 6.3 MEDIUM |
| This affects the package com.softwaremill.akka-http-session:core_2.12 from 0 and before 0.6.1; all versions of package com.softwaremill.akka-http-session:core_2.11; the package com.softwaremill.akka-http-session:core_2.13 from 0 and before 0.6.1. CSRF protection can be bypassed by forging a request that contains the same value for both the X-XSRF-TOKEN header and the XSRF-TOKEN cookie value, as the check in randomTokenCsrfProtection only checks that the two values are equal and non-empty. | |||||
| CVE-2020-28403 | 1 Iris | 1 Star | 2024-11-21 | 6.8 MEDIUM | 8.0 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an attacker to change the privileges of any user of the application. This can be used to grant himself administrative role or remove the administrative account of the application. | |||||
| CVE-2020-28137 | 1 Genexis | 2 Platinum 4410, Platinum 4410 Firmware | 2024-11-21 | 7.1 HIGH | 6.5 MEDIUM |
| Cross site request forgery (CSRF) in Genexis Platinum 4410 V2-1.28, allows attackers to cause a denial of service by continuously restarting the router. | |||||
| CVE-2020-28040 | 3 Canonical, Debian, Wordpress | 3 Ubuntu Linux, Debian Linux, Wordpress | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| WordPress before 5.5.2 allows CSRF attacks that change a theme's background image. | |||||
| CVE-2020-27997 | 1 Smartstore | 1 Smartstorenet | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in SmartStoreNET before 4.1.0. Lack of Cross Site Request Forgery (CSRF) protection may lead to elevation of privileges (e.g., /admin/customer/create to create an admin account). | |||||
| CVE-2020-27975 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF. | |||||
| CVE-2020-27692 | 1 Imomobile | 2 Verve Connect Vh510, Verve Connect Vh510 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The Relish (Verve Connect) VH510 device with firmware before 1.0.1.6L0516 contains multiple CSRF vulnerabilities within its web management portal. Attackers can, for example, use this to update the TR-069 configuration server settings (responsible for managing devices remotely). This makes it possible to remotely reboot the device or upload malicious firmware. | |||||
| CVE-2020-27574 | 1 Maxum | 1 Rumpus | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Maxum Rumpus 8.2.13 and 8.2.14 is affected by cross-site request forgery (CSRF). If an authenticated user visits a malicious page, unintended actions could be performed in the web application as the authenticated user. | |||||