Vulnerabilities (CVE)

Filtered by CWE-352
Total 9162 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-36504 1 Wp-pro-quiz Project 1 Wp-pro-quiz 2026-06-17 4.3 MEDIUM 6.5 MEDIUM
The WP-Pro-Quiz WordPress plugin through 0.37 does not have CSRF check in place when deleting a quiz, which could allow an attacker to make a logged in admin delete arbitrary quiz on the blog
CVE-2020-36389 1 Civicrm 1 Civicrm 2026-06-17 4.3 MEDIUM 4.3 MEDIUM
In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.
CVE-2020-36334 1 Themegrill 1 Themegrill Demo Importer 2026-06-17 6.8 MEDIUM 8.8 HIGH
themegrill-demo-importer before 1.6.3 allows CSRF, as demonstrated by wiping the database.
CVE-2020-36283 1 Hidglobal 4 Omnikey 5127, Omnikey 5127 Firmware, Omnikey 5427 and 1 more 2026-06-17 6.8 MEDIUM 9.6 CRITICAL
HID OMNIKEY 5427 and OMNIKEY 5127 readers are vulnerable to CSRF when using the EEM driver (Ethernet Emulation Mode). By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to upload a configuration file to the device. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVE-2020-36247 1 Osc 1 Open Ondemand 2026-06-17 6.8 MEDIUM 8.8 HIGH
Open OnDemand before 1.5.7 and 1.6.x before 1.6.22 allows CSRF.
CVE-2020-36191 1 Jupyter 1 Jupyterhub 2026-06-17 3.5 LOW 4.5 MEDIUM
JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).
CVE-2020-36174 1 Ninjaforms 1 Ninja Forms 2026-06-17 4.3 MEDIUM 6.5 MEDIUM
The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration.
CVE-2020-36140 1 Bloofox 1 Bloofoxcms 2026-06-17 4.3 MEDIUM 6.5 MEDIUM
BloofoxCMS 0.5.2.1 allows Cross-Site Request Forgery (CSRF) via 'mode=settings&page=editor', as demonstrated by use of 'mode=settings&page=editor' to change any file content (Locally/Remotely).
CVE-2020-36065 1 Flycms Project 1 Flycms 2026-06-17 N/A 8.8 HIGH
Cross Site Request Forgery (CSRF) vulnerability in FlyCms 1.0 allows attackers to add arbitrary administrator accounts via system/admin/admin_save.
CVE-2020-35972 1 Yzmcms 1 Yzmcms 2026-06-17 4.3 MEDIUM 4.3 MEDIUM
An issue was discovered in YzmCMS V5.8. There is a CSRF vulnerability that can add member user accounts via member/member/add.html.
CVE-2020-35950 1 Xcloner 1 Xcloner 2026-06-17 6.8 MEDIUM 9.8 CRITICAL
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.153 for WordPress. It allows CSRF (via almost any endpoint).
CVE-2020-35944 1 Pagelayer 1 Pagelayer 2026-06-17 6.8 MEDIUM 8.8 HIGH
An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. The pagelayer_settings_page function is vulnerable to CSRF, which can lead to XSS.
CVE-2020-35943 1 Imagely 1 Nextgen Gallery 2026-06-17 4.3 MEDIUM 6.5 MEDIUM
A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload. (It is possible to bypass CSRF protection by simply not including a nonce parameter.)
CVE-2020-35942 1 Imagely 1 Nextgen Gallery 2026-06-17 6.8 MEDIUM 8.8 HIGH
A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload and Local File Inclusion via settings modification, leading to Remote Code Execution and XSS. (It is possible to bypass CSRF protection by simply not including a nonce parameter.)
CVE-2020-35778 1 Netgear 4 Gs716t, Gs716t Firmware, Gs724t and 1 more 2026-06-17 6.8 MEDIUM 4.3 MEDIUM
Certain NETGEAR devices are affected by CSRF. This affects GS716Tv3 before 6.3.1.36 and GS724Tv4 before 6.3.1.36.
CVE-2020-35773 1 Freehtmldesigns 1 Site Offline 2026-06-17 6.8 MEDIUM 8.8 HIGH
The site-offline plugin before 1.4.4 for WordPress lacks certain wp_create_nonce and wp_verify_nonce calls, aka CSRF.
CVE-2020-35759 1 Bloofox 1 Bloofoxcms 2026-06-17 4.3 MEDIUM 6.5 MEDIUM
bloofoxCMS 0.5.2.1 is infected with a CSRF Attack that leads to an attacker editing any file content (Locally/Remotely).
CVE-2020-35722 1 Quest 1 Policy Authority For Unified Communications 2026-06-17 4.3 MEDIUM 6.5 MEDIUM
CSRF in Web Compliance Manager in Quest Policy Authority 8.1.2.200 allows remote attackers to force user modification/creation via a specially crafted link to the submitUser.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
CVE-2020-35687 1 Php-fusion 1 Phpfusion 2026-06-17 4.3 MEDIUM 4.3 MEDIUM
PHPFusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of all shoutbox messages by the attacker on behalf of the logged in victim.
CVE-2020-35677 1 Bigprof 1 Online Invoicing System 2026-06-17 3.5 LOW 4.8 MEDIUM
BigProf Online Invoicing System before 4.0 fails to adequately sanitize fields for HTML characters upon an administrator using admin/pageEditGroup.php to create a new group, resulting in Stored XSS. The caveat here is that an attacker would need administrative privileges in order to create the payload. One might think this completely mitigates the privilege-escalation impact as there is only one high-privileged role. However, it was discovered that the endpoint responsible for creating the group lacks CSRF protection.