Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

CVE-2020-7991: adive-php7/README.md at master · schspain/adive-php7

Adive Framework 2.0.8 has admin/config CSRF to change the Administrator password.

CVE
#sql#csrf#web#php
CVE-2020-5397: CVE-2020-5397: CSRF Attack via CORS Preflight Requests with Spring MVC or Spring WebFlux | Security

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

CVE-2019-19142: Hack ‘N’ Routers - Vulnerabilidades comuns em roteadores domésticos - [PT-BR]

Intelbras WRN240 devices do not require authentication to replace the firmware via a POST request to the incoming/Firmware.cfg URI.

CVE-2020-2096: Jenkins Security Advisory 2020-01-15

Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.

CVE-2020-2094: Jenkins Security Advisory 2020-01-15

A missing permission check in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers with Overall/Read permission to send a fixed email to an attacker-specific recipient.

CVE-2020-2091: Jenkins Security Advisory 2020-01-15

A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

CVE-2019-12273

** DISPUTED ** OutSystems Platform 10 through 11 allows ImageResourceDetail.aspx CSRF for content modifications and file uploads. NOTE: The product is self-hosted by the customer, even though it has a *.outsystemsenterprise.com domain name.) NOTE: The vendor claims that the independent researcher created the report without any type of validation and that no such vulnerability exists.

CVE-2019-19833: Comparing v2.1.9...v2.1.10-beta · Tautulli/Tautulli

In Tautulli 2.1.9, CSRF in the /shutdown URI allows an attacker to shut down the remote media server. (Also, anonymous access can be achieved in applications that do not have a user login area).

CVE-2019-16563: Jenkins Security Advisory 2019-12-17

Jenkins Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to change these properties.

CVE-2019-16562: Jenkins Security Advisory 2019-12-17

Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the description of builds shown in its view, resulting in a stored XSS vulnerability exploitable by users able to change build descriptions.