Total
7410 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-25262 | 1 Pyrocms | 1 Pyrocms | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/pages/delete/ URI: pages will be deleted. | |||||
| CVE-2020-25252 | 1 Hyland | 1 Onbase | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. CSRF can be used to log in a user, and then perform actions, because there are default credentials (the wstinol password for the manager or hsi account). | |||||
| CVE-2020-25142 | 1 Observium | 1 Observium | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable if any links and forms lack an unpredictable CSRF token. Without such a token, attackers can forge malicious requests, such as for adding Device Settings via the /addsrv URI. | |||||
| CVE-2020-25095 | 1 Logrhythm | 1 Platform Manager | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| LogRhythm Platform Manager (PM) 7.4.9 allows CSRF. The Web interface is vulnerable to Cross-site WebSocket Hijacking (CSWH). If a logged-in PM user visits a malicious site in the same browser session, that site can perform a CSRF attack to create a WebSocket from the victim client to the vulnerable PM server. Once the socket is created, the malicious site can interact with the vulnerable web server in the context of the logged-in user. This can include WebSocket payloads that result in command execution. | |||||
| CVE-2020-25070 | 1 Usvn | 1 Usvn | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| USVN (aka User-friendly SVN) before 1.0.10 allows CSRF, related to the lack of the SameSite Strict feature. | |||||
| CVE-2020-25015 | 1 Genexis | 2 Platinum 4410, Platinum 4410 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| A specific router allows changing the Wi-Fi password remotely. Genexis Platinum 4410 V2-1.28, a compact router generally used at homes and offices was found to be vulnerable to Broken Access Control and CSRF which could be combined to remotely change the WIFI access point’s password. | |||||
| CVE-2020-24984 | 1 Quadbase | 1 Espressreports Es | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Quadbase EspressReports ES 7 Update 9. It allows CSRF, whereby an attacker may be able to trick an authenticated admin level user into uploading malicious files to the web server. | |||||
| CVE-2020-24983 | 1 Quadbase | 1 Espressreports Es | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Quadbase EspressReports ES 7 Update 9. An unauthenticated attacker can create a malicious HTML file that houses a POST request made to the DashboardBuilder within the target web application. This request will utilise the target admin session and perform the authenticated request (to change the Dashboard name) as if the victim had done so themselves, aka CSRF. | |||||
| CVE-2020-24982 | 1 Quadbase | 1 Espressdashboard | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Quadbase ExpressDashboard (EDAB) 7 Update 9. It allows CSRF. An attacker may be able to trick an authenticated user into changing the email address associated with their account. | |||||
| CVE-2020-24922 | 1 Xuxueli | 1 Xxl-job | 2024-11-21 | N/A | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) vulnerability in xxl-job-admin/user/add in xuxueli xxl-job version 2.2.0, allows remote attackers to execute arbitrary code and esclate privileges via crafted .html file. | |||||
| CVE-2020-24847 | 1 Fruitywifi Project | 1 Fruitywifi | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticated attacker can change the newSSID and hostapd_wpa_passphrase. | |||||
| CVE-2020-24740 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage | |||||
| CVE-2020-24739 | 1 Idreamsoft | 1 Icms | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| A CSRF vulnerability was found in iCMS v7.0.0 in the background deletion administrator account. When missing the CSRF_TOKEN and can still request normally, all administrators except the initial administrator will be deleted. | |||||
| CVE-2020-24570 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a CSRF issue (with resultant SSRF) in the com_mb24proxy module, allowing attackers to steal session information from logged-in users with a crafted link. | |||||
| CVE-2020-24373 | 1 Free | 10 Freebox Delta, Freebox Delta Firmware, Freebox Mini and 7 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3. | |||||
| CVE-2020-24271 | 1 Easycms | 1 Easycms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF vulnerability was discovered in EasyCMS v1.6 that can add an admin account through index.php?s=/admin/rbacuser/insert/navTabId/rbacuser/callbackType/closeCurrent, then post username=***&password=***. | |||||
| CVE-2020-24130 | 1 Ponzu-cms | 1 Ponzu | 2024-11-21 | 4.3 MEDIUM | 8.1 HIGH |
| A cross site request forgery (CSRF) vulnerability in the configure.html component of Ponzu 0.11.0 allows attackers to change user and administrator credentials, and add or delete administrator accounts. | |||||
| CVE-2020-24033 | 1 Fs | 2 S3900 24t4s, S3900 24t4s Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in fs.com S3900 24T4S 1.7.0 and earlier. The form does not have an authentication or token authentication mechanism that allows remote attackers to forge requests on behalf of a site administrator to change all settings including deleting users, creating new users with escalated privileges. | |||||
| CVE-2020-23960 | 1 Fork-cms | 1 Fork Cms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Fork before 5.8.3 allows remote attackers to perform unauthorized actions as administrator to (1) approve the mass of the user's comments, (2) restoring a deleted user, (3) installing or running modules, (4) resetting the analytics, (5) pinging the mailmotor api, (6) uploading things to the media library, (7) exporting locale. | |||||
| CVE-2020-23837 | 1 Multi User Project | 1 Multi User | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability in the Multi User plugin 1.8.2 for GetSimple CMS allows remote attackers to add admin (or other) users after an authenticated admin visits a third-party site or clicks on a URL. | |||||