CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In 2020 (CSRF)

Each entry below lists, in order: # | CVE ID | CWE ID | vulnerability type(s) | publish date, update date | CVSS (v2) base score | gained access level | access vector | access complexity | authentication | confidentiality, integrity and availability impact (C/I/A), followed by the description. The "# of Exploits" column is empty for every entry on this page, and "???" in the original listing means the field is not specified.
1. CVE-2020-35778 | CWE-352 | CSRF | published 2020-12-30, updated 2020-12-30 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
Certain NETGEAR devices are affected by CSRF. This affects GS716Tv3 before 6.3.1.36 and GS724Tv4 before 6.3.1.36.
2. CVE-2020-35773 | CWE-352 | CSRF | published 2020-12-29, updated 2021-03-31 | CVSS 4.3 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:None I:Partial A:None
The site-offline plugin before 1.4.4 for WordPress lacks certain wp_create_nonce and wp_verify_nonce calls, aka CSRF.
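The site-offline entry names the two WordPress primitives a plugin is expected to call: wp_create_nonce() when the form is rendered and wp_verify_nonce() before acting on the submission. The following Python is an added illustration of that scheme, written for this page and not taken from WordPress or from the plugin: a nonce is an HMAC over the action name, the session identity and a coarse time tick, and verification accepts the current tick and the one before it, so a nonce is valid for between 12 and 24 hours and is worthless for any other action or user. The secret key, session identifiers, form field names and timestamps are assumptions constructed for the example.

```python
import hashlib
import hmac
import math

NONCE_LIFE = 24 * 60 * 60  # seconds; WordPress uses the same default and halves it into "ticks"


def nonce_tick(now: float, life: int = NONCE_LIFE) -> int:
    """Coarse time bucket: a nonce minted in tick T is accepted during ticks T and T+1."""
    return math.ceil(now / (life / 2))


def _nonce_for_tick(tick: int, action: str, session_id: str, secret: bytes) -> str:
    # Binding the action and the session into the MAC is what stops a nonce minted for
    # "save settings" being replayed against "delete", or against another user's session.
    msg = f"{tick}|{action}|{session_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def create_nonce(action: str, session_id: str, secret: bytes, now: float) -> str:
    """Analogue of wp_create_nonce($action): called when the form is rendered."""
    return _nonce_for_tick(nonce_tick(now), action, session_id, secret)


def verify_nonce(nonce: str, action: str, session_id: str, secret: bytes, now: float) -> int:
    """Analogue of wp_verify_nonce(): 1 = minted this tick, 2 = previous tick, 0 = invalid."""
    if not isinstance(nonce, str) or not nonce or not nonce.isascii():
        return 0
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = _nonce_for_tick(t, action, session_id, secret)
        if hmac.compare_digest(nonce, expected):  # constant-time comparison
            return age
    return 0


def handle_settings_post(form: dict, session_id: str, secret: bytes, now: float) -> str:
    """A handler written the way the plugin should have been: the nonce is checked before
    any state changes. The field names (_wpnonce, offline_mode) are assumptions."""
    if not verify_nonce(form.get("_wpnonce", ""), "site_offline_save", session_id, secret, now):
        return "rejected: missing or invalid nonce"
    # Only now would the handler persist form["offline_mode"].
    return f"saved offline_mode={form.get('offline_mode')}"


if __name__ == "__main__":
    key = b"constructed-example-secret-do-not-reuse"
    t0 = 1_700_000_000
    nonce = create_nonce("site_offline_save", "session-of-admin", key, t0)
    print(handle_settings_post({"_wpnonce": nonce, "offline_mode": "1"}, "session-of-admin", key, t0))
    print(handle_settings_post({"offline_mode": "1"}, "session-of-admin", key, t0))  # forged request
```

The nonce must be compared with a constant-time function and checked before any side effect; a handler that updates first and validates afterwards, or that treats a missing token as "nothing to check", is the pattern behind most of the entries on this page.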
3. CVE-2020-35677 | CWE-79 | XSS, CSRF | published 2020-12-24, updated 2021-07-21 | CVSS 3.5 | gained access: None | vector: Remote | complexity: Medium | auth: not specified | impact C:None I:Partial A:None
BigProf Online Invoicing System before 4.0 fails to adequately sanitize fields for HTML characters upon an administrator using admin/pageEditGroup.php to create a new group, resulting in Stored XSS. The caveat here is that an attacker would need administrative privileges in order to create the payload. One might think this completely mitigates the privilege-escalation impact as there is only one high-privileged role. However, it was discovered that the endpoint responsible for creating the group lacks CSRF protection.
4. CVE-2020-35626 | CWE-352 | CSRF | published 2020-12-21, updated 2020-12-22 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks against onSkinAddFooterLinks in PushToWatch.php.
5. CVE-2020-35615 | CWE-352 | CSRF | published 2020-12-28, updated 2020-12-30 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
An issue was discovered in Joomla! 2.5.0 through 3.9.22. A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability.
6. CVE-2020-35347 | CWE-352 | CSRF | published 2020-12-26, updated 2020-12-28 | CVSS 4.3 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:None I:Partial A:None
CXUUCMS V3 3.1 has a CSRF vulnerability that can add an administrator account via admin.php?c=adminuser&a=add.
7. CVE-2020-35273 | CWE-352 | +Priv, CSRF | published 2020-12-21, updated 2020-12-22 | CVSS 6.0 | gained access: None | vector: Remote | complexity: Medium | auth: not specified | impact C:Partial I:Partial A:Partial
EgavilanMedia User Registration & Login System with Admin Panel 1.0 is affected by Cross Site Request Forgery (CSRF) to remotely gain privileges in the User Profile panel. An attacker can update any user's account.
8. CVE-2020-35269 | CWE-352 | CSRF | published 2020-12-23, updated 2021-03-02 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
Nagios Core 4.2.4 is vulnerable to site-wide Cross-Site Request Forgery (CSRF) in many functions, such as adding or deleting hosts or servers.
9. CVE-2020-35135 | CWE-352 | CSRF | published 2020-12-11, updated 2021-03-31 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
The ultimate-category-excluder plugin before 1.2 for WordPress allows ultimate-category-excluder.php CSRF.
10. CVE-2020-29458 | CWE-352 | CSRF | published 2020-12-02, updated 2020-12-02 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
Textpattern CMS 4.6.2 allows CSRF via the prefs subsystem.
11. CVE-2020-29303 | CWE-79 | XSS, CSRF | published 2020-12-14, updated 2020-12-15 | CVSS 4.3 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:None I:Partial A:None
A cross-site scripting (XSS) vulnerability in the SabaiApp Directories Pro plugin 1.3.45 for WordPress allows remote attackers to inject arbitrary web script or HTML via a POST to /wp-admin/admin.php?page=drts/directories&q=%2F with _drts_form_build_id parameter containing the XSS payload and _t_ parameter set to an invalid or non-existent CSRF token.
12. CVE-2020-29254 | CWE-352 | CSRF, File Inclusion | published 2020-12-11, updated 2020-12-14 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface. An attacker could exploit it by persuading a user of the interface to follow a maliciously crafted link; a successful exploit allows the attacker to perform arbitrary actions with the privileges of that user. These actions include submitting attacker-controlled template code through the authenticated user, resulting in local file inclusion: if an authenticated user who is able to edit TikiWiki templates visits a malicious website, template code can be edited.
13. CVE-2020-28931 | CWE-352 | CSRF | published 2020-12-16, updated 2020-12-17 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
Lack of an anti-CSRF token in the entire administrative interface in EPSON EPS TSE Server 8 (21.0.11) allows an unauthenticated attacker to force an administrator to execute external POST requests by visiting a malicious website.
14. CVE-2020-28858 | CWE-352 | CSRF | published 2020-12-14, updated 2020-12-15 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly verify whether a request made to the application was intentionally made by the user, allowing for cross-site request forgery attacks on all user functions.
15. CVE-2020-28838 | CWE-352 | CSRF | published 2020-12-11, updated 2020-12-15 | CVSS 3.5 | gained access: None | vector: Remote | complexity: Medium | auth: not specified | impact C:None I:Partial A:None
Cross Site Request Forgery (CSRF) in the cart function of OpenCart Ltd. Opencart CMS 3.0.3.6 allows an attacker to add cart items via the Add to cart action.
16. CVE-2020-28649 | CWE-352 | CSRF | published 2020-11-16, updated 2020-11-27 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
The orbisius-child-theme-creator plugin before 1.5.2 for WordPress allows CSRF via orbisius_ctc_theme_editor_manage_file.
17. CVE-2020-28040 | CWE-352 | CSRF | published 2020-11-02, updated 2020-11-11 | CVSS 4.3 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:None I:Partial A:None
WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.
18. CVE-2020-27975 | CWE-352 | CSRF | published 2020-10-28, updated 2020-10-29 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF.
19. CVE-2020-27692 | CWE-352 | CSRF | published 2020-11-04, updated 2020-11-10 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
The Relish (Verve Connect) VH510 device with firmware before 1.0.1.6L0516 contains multiple CSRF vulnerabilities within its web management portal. Attackers can, for example, use this to update the TR-069 configuration server settings (responsible for managing devices remotely). This makes it possible to remotely reboot the device or upload malicious firmware.
20. CVE-2020-27146 | CWE-352 | CSRF | published 2020-11-10, updated 2020-11-24 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
The Core component of TIBCO Software Inc.'s TIBCO iProcess Workspace (Browser) contains a vulnerability that theoretically allows an unauthenticated attacker with network access to execute a Cross Site Request Forgery (CSRF) attack on the affected system. A successful attack using this vulnerability requires human interaction from an authenticated user other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO iProcess Workspace (Browser): versions 11.6.0 and below.
21. CVE-2020-27016 | CWE-352 | CSRF | published 2020-11-09, updated 2020-11-24 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to a cross-site request forgery (CSRF) vulnerability which could allow an attacker to modify policy rules by tricking an authenticated administrator into accessing an attacker-controlled web page. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability.
22. CVE-2020-26936 | CWE-352 | CSRF | published 2020-11-26, updated 2020-12-01 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
Cloudera Data Engineering (CDE) before 1.1 was vulnerable to a CSRF attack.
23. CVE-2020-26912 | CWE-352 | CSRF | published 2020-10-09, updated 2020-10-16 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
Certain NETGEAR devices are affected by CSRF. This affects D6200 before 1.1.00.38, D7000 before 1.0.1.78, JR6150 before 1.0.1.24, R6020 before 1.0.0.42, R6050 before 1.0.1.24, R6080 before 1.0.0.42, R6120 before 1.0.0.66, R6220 before 1.1.0.100, R6260 before 1.1.0.64, R6700v2 before 1.2.0.62, R6800 before 1.2.0.62, R6900v2 before 1.2.0.62, R7450 before 1.2.0.62, and WNR2020 before 1.1.0.62.
24. CVE-2020-26802 | CWE-352 | CSRF | published 2020-10-08, updated 2020-10-15 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
forma.lms 2.3.0.2 is affected by Cross Site Request Forgery (CSRF) in formalms/appCore/index.php?r=lms/profile/show&ap=saveinfo via a GET request to change the admin email address in order to accomplish an account takeover.
25. CVE-2020-26766 | CWE-352 | CSRF | published 2020-12-26, updated 2020-12-28 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
A Cross Site Request Forgery (CSRF) vulnerability exists in the loginsystem page in PHPGurukul User Registration & Login and User Management System With Admin Panel 2.1.
26. CVE-2020-26522 | CWE-352 | CSRF | published 2020-10-09, updated 2020-10-16 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
A cross-site request forgery (CSRF) vulnerability in mod/user/act_user.php in Garfield Petshop through 2020-10-01 allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts.
27. CVE-2020-26251 | CWE-346 | CSRF | published 2020-12-18, updated 2020-12-22 | CVSS 4.3 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:None I:Partial A:None
Open Zaak is a modern, open-source data- and services-layer to enable zaakgericht werken, a Dutch approach to case management. In Open Zaak before version 1.3.3 the Cross-Origin-Resource-Sharing policy in Open Zaak is currently wide open - every client is allowed. This allows evil.com to run scripts that perform AJAX calls to known Open Zaak installations, and the browser will not block these. This was intended to only apply to development machines running on localhost/127.0.0.1. Open Zaak 1.3.3 disables CORS by default, while it can be opted-in through environment variables. The vulnerability does not actually seem exploitable because: a) The session cookie has a `Same-Site: Lax` policy which prevents it from being sent along in Cross-Origin requests. b) All pages that give access to (production) data are login-protected c) `Access-Control-Allow-Credentials` is set to `false` d) CSRF checks probably block the remote origin, since they're not explicitly added to the trusted allowlist.
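Whether a forged request arrives carrying the victim's session depends on the cookie's SameSite attribute and on how the attacker's page causes the request to be sent, and that is the line the forma.lms entry (a state change reachable by a plain GET link) and the Open Zaak entry (AJAX calls, CORS wide open, but a SameSite=Lax cookie and Access-Control-Allow-Credentials false) sit on opposite sides of. The Python below is an added model of those browser rules written for this page, not code from either project; the scenarios, origins and header values are constructed for the example and assume an explicit SameSite attribute on the cookie.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class CrossSiteRequest:
    """One request that an attacker's page makes the victim's browser send to the target site."""
    method: str             # "GET" or "POST"
    top_level: bool         # True for a link click, form submit or redirect; False for fetch()/XHR
    with_credentials: bool  # fetch(..., credentials="include") / XHR withCredentials = true


def cookie_is_sent(samesite: Optional[str], req: CrossSiteRequest) -> bool:
    """Does the browser attach a cookie with this explicit SameSite value to a cross-site request?
    (Chrome's Lax-by-default handling of unlabeled cookies, with its short exception for
    top-level POSTs, is deliberately not modelled.)"""
    mode = (samesite or "none").lower()
    if mode == "strict":
        return False                                          # never on a cross-site request
    if mode == "lax":
        return req.top_level and req.method.upper() == "GET"  # top-level navigation, safe method only
    return True                                               # SameSite=None (browsers also require Secure)


def response_is_readable(origin: str, acao: Optional[str], acac: Optional[str],
                         req: CrossSiteRequest) -> bool:
    """CORS: may the attacker's script read the response? This is independent of whether the
    server acted on the request, which is the CSRF question."""
    if req.top_level:
        return False                                          # a navigation's response is not exposed to the opener
    if not req.with_credentials:
        return acao in ("*", origin)
    # Credentialed requests need an exact-origin echo plus Allow-Credentials: true; "*" never qualifies.
    return acao == origin and (acac or "").lower() == "true"


def assess(samesite: Optional[str], acao: Optional[str], acac: Optional[str],
           req: CrossSiteRequest, origin: str = "https://attacker.example") -> Tuple[bool, bool]:
    """(cookie sent, response readable). If the first is True, a state-changing endpoint that
    lacks a CSRF token executes as the victim whatever the second value is."""
    return cookie_is_sent(samesite, req), response_is_readable(origin, acao, acac, req)


def run_scenarios() -> Dict[str, Tuple[bool, bool]]:
    """Constructed scenarios modelled on the two entries above (values are this example's assumptions)."""
    link_click = CrossSiteRequest("GET", top_level=True, with_credentials=True)
    ajax_post = CrossSiteRequest("POST", top_level=False, with_credentials=True)
    return {
        # forma.lms style: state change via a GET link. Even SameSite=Lax sends the cookie here.
        "get_link_lax": assess("Lax", None, None, link_click),
        "get_link_strict": assess("Strict", None, None, link_click),
        # Open Zaak style: ACAO: * but Allow-Credentials false and a Lax cookie.
        "ajax_lax_acao_star": assess("Lax", "*", "false", ajax_post),
        # Same CORS headers with a SameSite=None cookie: the write executes, the reply stays unreadable.
        "ajax_none_acao_star": assess("None", "*", "false", ajax_post),
        # Fully misconfigured: origin echoed plus credentials allowed, so both write and read succeed.
        "ajax_none_echo_origin": assess("None", "https://attacker.example", "true", ajax_post),
    }


if __name__ == "__main__":
    for name, (sent, readable) in run_scenarios().items():
        print(f"{name:24} cookie sent={sent!s:5} response readable={readable}")
```

Two practical consequences follow: a state change reachable over GET is not protected by SameSite=Lax, and an open CORS policy is a data-exposure problem rather than a CSRF one unless the cookie is SameSite=None and credentials are allowed. Neither replaces a per-request token on every state-changing endpoint.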
28. CVE-2020-26033 | CWE-352 | CSRF | published 2020-12-28, updated 2020-12-29 | CVSS 5.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:None
An issue was discovered in Zammad before 3.4.1. The Tag and Link REST API endpoints (for add and delete) lack a CSRF token check.
29. CVE-2020-25986 | CWE-352 | CSRF | published 2020-10-06, updated 2020-10-14 | CVSS 4.3 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:None I:Partial A:None
A Cross Site Request Forgery (CSRF) vulnerability in MonoCMS Blog 1.0 allows attackers to change the password of a user.
30. CVE-2020-25622 | CWE-352 | CSRF | published 2020-12-16, updated 2020-12-17 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
An issue was discovered in SolarWinds N-Central 12.3.0.670. The AdvancedScripts HTTP endpoint allows CSRF.
31. CVE-2020-25472 | CWE-352 | CSRF | published 2020-11-24, updated 2020-11-27 | CVSS 4.3 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:None I:Partial A:None
SimplePHPscripts News Script PHP Pro 2.3 is affected by a Cross Site Request Forgery (CSRF) vulnerability, which allows attackers to add new users.
32. CVE-2020-25453 | CWE-352 | Exec Code, Bypass, CSRF | published 2020-09-15, updated 2020-09-21 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
An issue was discovered in BlackCat CMS v.1.3.6. There is a CSRF vulnerability (bypass csrf_token) that allows remote arbitrary code execution.
33. CVE-2020-25263 | CWE-352 | CSRF | published 2020-10-08, updated 2020-10-19 | CVSS 5.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:None I:Partial A:Partial
PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/addons/uninstall/anomaly.module.blocks URI: an arbitrary plugin will be deleted.
34. CVE-2020-25262 | CWE-352 | CSRF | published 2020-10-08, updated 2020-10-16 | CVSS 4.3 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:None I:Partial A:None
PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/pages/delete/ URI: pages will be deleted.
35. CVE-2020-25252 | CWE-352 | CSRF | published 2020-09-11, updated 2020-11-09 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. CSRF can be used to log in a user, and then perform actions, because there are default credentials (the wstinol password for the manager or hsi account).
36. CVE-2020-25142 | CWE-352 | CSRF | published 2020-09-25, updated 2020-09-29 | CVSS 4.3 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:None I:Partial A:None
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable if any links and forms lack an unpredictable CSRF token. Without such a token, attackers can forge malicious requests, such as for adding Device Settings via the /addsrv URI.
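The Observium entry states the condition a tester checks first: do the application's forms and links carry an unpredictable token at all? The following Python is an added triage helper written for this page, not Observium's code or part of any scanner: it parses a fetched page with the standard library's HTMLParser, flags POST forms with no token-like hidden field, and flags GET forms whose action looks state-changing. The field-name and path keyword lists are heuristics chosen for this example, and the page fragment is constructed (its paths are assumptions, not Observium's).

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Heuristics (assumed lists, tune per target): hidden-field names that usually carry an
# anti-CSRF token, and action-path words that usually mean the request changes state.
TOKEN_HINTS = ("csrf", "token", "nonce", "requestverification", "authenticity")
STATE_HINTS = ("add", "del", "remove", "edit", "save", "update", "uninstall", "password")


class FormCollector(HTMLParser):
    """Collects every <form> with its method, action and the names of its hidden inputs."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self._cur: Optional[Dict] = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""),
                         "method": (a.get("method") or "GET").upper(),
                         "hidden": []}
        elif tag == "input" and self._cur is not None and a.get("type", "").lower() == "hidden":
            self._cur["hidden"].append(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None


def has_token_field(hidden_names: List[str]) -> bool:
    return any(hint in name.lower() for name in hidden_names for hint in TOKEN_HINTS)


def audit_forms(html: str) -> List[str]:
    """Return one finding per form that deserves a manual CSRF check."""
    collector = FormCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for form in collector.forms:
        path = form["action"].lower()
        if form["method"] == "GET" and any(hint in path for hint in STATE_HINTS):
            findings.append(f"{form['action']}: state change over GET; a token in the URL leaks via "
                            "Referer, and SameSite=Lax still sends the cookie on a top-level GET")
        elif form["method"] != "GET" and not has_token_field(form["hidden"]):
            findings.append(f"{form['action']}: {form['method']} form has no token-like hidden field")
    return findings


# Constructed page fragment in the spirit of the Observium entry (paths are assumptions).
SAMPLE_PAGE = """
<form action="/addsrv" method="post">
  <input type="text" name="hostname"><input type="hidden" name="device_id" value="7">
  <button>Add</button>
</form>
<form action="/login" method="POST">
  <input type="hidden" name="csrf_token" value="a1b2c3"><input name="user"><input name="pass" type="password">
</form>
<form action="/device/delete" method="get">
  <input type="hidden" name="id" value="7"><button>Remove</button>
</form>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE):
        print(finding)
```

Presence of a token field proves nothing about validation: the next step is to replay the request with the token removed, emptied and altered and confirm that the server rejects all three. The Directories Pro entry above, where a request with an invalid or non-existent _t_ token was still processed, is exactly the case this static check cannot see.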
37. CVE-2020-25095 | CWE-352 | Exec Code, CSRF | published 2020-12-17, updated 2020-12-21 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
LogRhythm Platform Manager (PM) 7.4.9 allows CSRF. The Web interface is vulnerable to Cross-site WebSocket Hijacking (CSWH). If a logged-in PM user visits a malicious site in the same browser session, that site can perform a CSRF attack to create a WebSocket from the victim client to the vulnerable PM server. Once the socket is created, the malicious site can interact with the vulnerable web server in the context of the logged-in user. This can include WebSocket payloads that result in command execution.
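The LogRhythm entry is cross-site WebSocket hijacking: the browser attaches the victim's cookie to the Upgrade handshake, and a server that accepts the socket on the strength of that cookie alone hands the attacker's page an authenticated channel. The Python below is an added illustration written for this page, not LogRhythm's code: it computes the handshake response as RFC 6455 specifies it and refuses the upgrade unless the Origin header is on an allowlist. The allowed origin, the cookie value and the request headers are constructed for the example; the Sec-WebSocket-Key is the sample value printed in RFC 6455, so the accept value it produces is the one the RFC shows.

```python
import base64
import hashlib
from typing import Dict, Optional, Set, Tuple

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455


def ws_accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept as RFC 6455 section 4.2.2 defines it."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handle_upgrade(headers: Dict[str, str], allowed_origins: Set[str],
                   session_valid: bool) -> Tuple[int, Optional[str]]:
    """Decide an Upgrade request. Returns (HTTP status, Sec-WebSocket-Accept or None).

    The session check alone is what the vulnerable server relied on; the Origin check is
    the CSWH fix. Browsers always send Origin on a WebSocket handshake and page script
    cannot alter it, so a handshake carrying the victim's cookie plus a foreign Origin is
    a hijack attempt. Non-browser clients can forge Origin, which is why this check
    complements authentication instead of replacing it.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return 400, None
    if not session_valid:
        return 401, None
    origin = h.get("origin")
    if origin is None or origin not in allowed_origins:
        return 403, None
    return 101, ws_accept_key(h["sec-websocket-key"])


ALLOWED = {"https://pm.example.internal"}  # the web UI's own origin; an assumed value

# Constructed handshakes: the victim's own tab, and an attacker page using the same cookie.
VICTIM_OWN_TAB = {
    "Host": "pm.example.internal",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
    "Sec-WebSocket-Version": "13",
    "Origin": "https://pm.example.internal",
    "Cookie": "session=victim",
}
HIJACK_ATTEMPT = dict(VICTIM_OWN_TAB, Origin="https://attacker.example")


if __name__ == "__main__":
    print(handle_upgrade(VICTIM_OWN_TAB, ALLOWED, session_valid=True))
    print(handle_upgrade(HIJACK_ATTEMPT, ALLOWED, session_valid=True))
```

Matching Origin against an explicit allowlist, scheme and port included, is the check; deriving the expected origin from the Host header is an acceptable shortcut only when the server cannot be reached under attacker-influenced host names. A per-session token carried in the first WebSocket message or in the handshake URL gives a second, independent layer.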
38. CVE-2020-25070 | CWE-352 | CSRF | published 2020-09-01, updated 2020-09-04 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
USVN (aka User-friendly SVN) before 1.0.10 allows CSRF, related to the session cookie not being set with the SameSite=Strict attribute.
39. CVE-2020-25015 | CWE-352 | CSRF | published 2020-09-16, updated 2020-11-09 | CVSS 4.3 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:None I:Partial A:None
Genexis Platinum 4410 V2-1.28, a compact router generally used in homes and offices, allows the Wi-Fi password to be changed remotely: it is vulnerable to Broken Access Control and CSRF, which can be combined to remotely change the Wi-Fi access point's password.
40. CVE-2020-24847 | CWE-352 | CSRF | published 2020-10-23, updated 2020-10-27 | CVSS 4.3 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:None I:Partial A:None
A Cross-Site Request Forgery (CSRF) vulnerability exists in FruityWifi through 2.4. Because page_config_adv.php lacks CSRF protection, an unauthenticated attacker who lures the victim to a malicious website (by social engineering or another attack vector) can change the newSSID and hostapd_wpa_passphrase values.
41. CVE-2020-24739 | CWE-352 | CSRF | published 2020-09-10, updated 2020-09-16 | CVSS 4.3 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:None I:Partial A:None
A CSRF vulnerability was found in the back-end administrator-account deletion function of iCMS v7.0.0. The request is still processed when the CSRF_TOKEN is missing, so a forged request can delete all administrators except the initial administrator.
42. CVE-2020-24570 | CWE-352 | CSRF | published 2020-09-30, updated 2021-07-21 | CVSS 4.3 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:None A:None
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a CSRF issue (with resultant SSRF) in the com_mb24proxy module, allowing attackers to steal session information from logged-in users with a crafted link.
43. CVE-2020-24373 | CWE-352 | CSRF | published 2020-09-16, updated 2020-11-13 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
A CSRF vulnerability exists in the UPnP MediaServer implementation in Freebox Server before 4.2.3.
44. CVE-2020-23837 | CWE-352 | CSRF | published 2020-09-25, updated 2020-10-08 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
A Cross-Site Request Forgery (CSRF) vulnerability in the Multi User plugin 1.8.2 for GetSimple CMS allows remote attackers to add admin (or other) users after an authenticated admin visits a third-party site or clicks on a URL.
45. CVE-2020-23836 | CWE-352 | CSRF | published 2020-09-01, updated 2020-09-08 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
A Cross-Site Request Forgery (CSRF) vulnerability in edit_user.php in OSWAPP Warehouse Inventory System (aka OSWA-INV) through 2020-08-10 allows remote attackers to change the admin's password after an authenticated admin visits a third-party site.
46. CVE-2020-23830 | CWE-352 | CSRF | published 2020-09-02, updated 2020-09-10 | CVSS 5.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:None I:Partial A:Partial
A Cross-Site Request Forgery (CSRF) vulnerability in changeUsername.php in SourceCodester Stock Management System v1.0 allows remote attackers to deny future logins by changing an authenticated victim's username when they visit a third-party site.
47. CVE-2020-23824 | CWE-352 | Exec Code, CSRF | published 2020-09-11, updated 2020-09-18 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
ArGo Soft Mail Server 1.8.8.9 is affected by Cross Site Request Forgery (CSRF) leading to remote arbitrary code execution. The affected component is the Administration dashboard: if a logged-in admin or user opens a website containing the malicious page, the forged request runs with their credentials.
48. CVE-2020-23451 | CWE-352 | CSRF | published 2020-09-15, updated 2020-09-18 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
Spiceworks version <= 7.5.00107 is affected by CSRF in the "/settings/v1/users" function, which can lead to privilege escalation.
49. CVE-2020-22273 | CWE-352 | CSRF | published 2020-11-04, updated 2020-11-13 | CVSS 4.3 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:None I:Partial A:None
Neoflex Video Subscription System version 2.0 is affected by CSRF, which allows the website's settings (such as Payment Settings) to be changed.
50. CVE-2020-19889 | CWE-352 | CSRF | published 2020-08-24, updated 2020-08-26 | CVSS 6.8 | gained access: None | vector: Remote | complexity: Medium | auth: Not required | impact C:Partial I:Partial A:Partial
DBHcms v1.2.0 has no CSRF protection mechanism, as demonstrated by a CSRF against index.php?dbhcms_pid=-70 that can add a user.
Total number of vulnerabilities: 402 (this is page 1 of 9).