Total: 7410 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-13643 | 1 Siteorigin | 1 Page Builder | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The live editor feature did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The live_editor_panels_data $_POST variable allows for malicious JavaScript to be executed in the victim's browser.
CVE-2020-13642 | 1 Siteorigin | 1 Page Builder | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The action_builder_content function did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The panels_data $_POST variable allows for malicious JavaScript to be executed in the victim's browser.
CVE-2020-13641 | 1 Infolific | 1 Real-time Find And Replace | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in the Real-Time Find and Replace plugin before 4.0.2 for WordPress. The far_options_page function did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The find and replace rules could be updated with malicious JavaScript, allowing for that to be executed later in the victim's browser.
CVE-2020-13620 | 1 Fastweb | 2 Fastgate Gpon Fga2130fwb, Fastgate Gpon Fga2130fwb Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Fastweb FASTGate GPON FGA2130FWB devices through 2020-05-26 allow CSRF via the router administration web panel, leading to an attacker's ability to perform administrative actions such as modifying the configuration.
CVE-2020-13569 | 1 Open-emr | 1 Openemr | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can lead to the execution of arbitrary requests in the context of the victim. An attacker can send an HTTP request to trigger this vulnerability.
CVE-2020-13527 | 1 Lantronix | 4 Sgx, Sgx Firmware, Xport Edge and 1 more | 2024-11-21 | 3.5 LOW | 4.5 MEDIUM | An authentication bypass vulnerability exists in the Web Manager functionality of Lantronix XPort EDGE 3.0.0.0R11, 3.1.0.0R9, 3.4.0.0R12 and 4.2.0.0R7. A specially crafted HTTP request can cause increased privileges. An attacker can send an HTTP request to trigger this vulnerability.
CVE-2020-13460 | 1 Tufin | 1 Securetrack | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were present in Tufin SecureTrack, affecting all versions prior to R20-2 GA.
CVE-2020-13458 | 1 Verbb | 1 Image Resizer | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There are CSRF issues with the log-clear controller action.
CVE-2020-13426 | 1 Bdtask | 1 Multi-scheduler | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | The Multi-Scheduler plugin 1.0.0 for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in the forms it presents, allowing the possibility of deleting records (users) when an ID is known.
CVE-2020-13416 | 1 Aviatrix | 1 Controller | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | An issue was discovered in Aviatrix Controller before 5.4.1066. A Controller Web Interface session token parameter is not required on an API call, which opens the application up to a Cross-Site Request Forgery (CSRF) vulnerability for password resets.
CVE-2020-13412 | 1 Aviatrix | 1 Controller | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in Aviatrix Controller before 5.4.1204. An API call on the web interface lacked a session token check to control access, leading to CSRF.
CVE-2020-13350 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 MEDIUM | 3.1 LOW | CSRF in the runner administration page in all versions of GitLab CE/EE allows an attacker who is able to target GitLab instance administrators to pause/resume runners. Affected versions are >=13.5.0, <13.5.2; >=13.4.0, <13.4.5; <13.3.9.
CVE-2020-13259 | 1 Rad | 2 Secflow-1v, Secflow-1v Firmware | 2024-11-21 | 9.3 HIGH | 8.8 HIGH | A vulnerability in the web-based management interface of RAD SecFlow-1v os-image SF_0290_2.3.01.26 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. This could be exploited in conjunction with CVE-2020-13260.
CVE-2020-13231 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change.
CVE-2020-13186 | 1 Teradici | 1 Cloud Access Connector | 2024-11-21 | 2.6 LOW | 6.5 MEDIUM | An anti-CSRF mechanism was discovered missing in the Teradici Cloud Access Connector v31 and earlier in a specific web form, which allowed an attacker with knowledge of both a machineID and user GUID to modify data if a user clicked a malicious link.
CVE-2020-13157 | 1 Nukeviet | 1 Nukeviet | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | modules\users\admin\edit.php in NukeViet 4.4 allows CSRF to change a user's password via an admin/index.php?nv=users&op=edit&userid= URI. The old password is not needed.
CVE-2020-13156 | 1 Nukeviet | 1 Nukeviet | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | modules\users\admin\add_user.php in NukeViet 4.4 allows CSRF to add a user account via the admin/index.php?nv=users&op=user_add URI.
CVE-2020-13155 | 1 Nukeviet | 1 Nukeviet | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | clearsystem.php in NukeViet 4.4 allows CSRF with resultant HTML injection via the deltype parameter to the admin/index.php?nv=webtools&op=clearsystem URI.
CVE-2020-12841 | 1 Gogogate | 2 Ismartgate Pro, Ismartgate Pro Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | ismartgate PRO 1.5.9 is vulnerable to CSRF that allows remote attackers to upload image files via /index.php.
CVE-2020-12840 | 1 Gogogate | 2 Ismartgate Pro, Ismartgate Pro Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | ismartgate PRO 1.5.9 is vulnerable to CSRF that allows remote attackers to upload sound files via /index.php.