Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

CVE-2019-15150: Enforce/verify state parameter of callback · Schine/MW-OAuth2Client@6a4fe45

In the OAuth2 Client extension before 0.4 for MediaWiki, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function.

CVE
#csrf#vulnerability#oauth#auth
CVE-2019-10199: 1729261 – (CVE-2019-10199) CVE-2019-10199 keycloak: CSRF check missing in My Resources functionality in the Account Console

It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain.

CVE-2019-14683: Import and export users and customers

The codection "Import users from CSV with meta" plugin before 1.14.2.2 for WordPress allows wp-admin/admin-ajax.php?action=acui_delete_attachment CSRF.

CVE-2019-1958: Cisco Security Advisory: Cisco HyperFlex Software Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.

CVE-2019-10371: Jenkins Security Advisory 2019-08-07

A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.