CVE-2017-1002150 CVSS: 5.8
python-fedora 0.8.0 and lower is vulnerable to an open redirect resulting in loss of CSRF protection (Last Update: 2017-09-21) (Published: 2017-09-14)
CVE-2017-1000244 CVSS: 6.8
Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF resulting in data modification (Last Update: 2017-11-18) (Published: 2017-11-01)
CVE-2017-1000224 CVSS: 0.0
CSRF in YouTube (WordPress plugin) could allow an unauthenticated attacker to change any setting within the plugin (Last Update: 2017-11-16) (Published: 2017-11-16)
CVE-2017-1000147 CVSS: 6.0
Mahara 1.9 before 1.9.8, 1.10 before 1.10.6, and 15.04 before 15.04.3 are vulnerable to a cross-site request forgery (CSRF) attack against the uploader in Mahara's filebrowser widget. This could allow an attacker to trick a Mahara user into unknowingly uploading malicious files into their Mahara account. (Last Update: 2017-11-15) (Published: 2017-11-03)
CVE-2017-1000093 CVSS: 6.8
Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action as it's similar to cache invalidation, the plugin specifically adds a permission to be able to use this functionality, and this issue undermines that permission. (Last Update: 2017-10-17) (Published: 2017-10-04)
CVE-2017-1000091 CVSS: 6.8
GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. GitHub Enterprise) as part of form validation and completion (e.g. to verify Scan Credentials are correct). This functionality improperly checked permissions, allowing any user with Overall/Read access to Jenkins to connect to any web server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery. (Last Update: 2017-10-17) (Published: 2017-10-04)
CVE-2017-1000090 CVSS: 6.8
Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add the administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins. (Last Update: 2017-11-02) (Published: 2017-10-04)
CVE-2017-1000086 CVSS: 6.0
The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. (Last Update: 2017-11-02) (Published: 2017-10-04)
CVE-2017-1000085 CVSS: 4.3
Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks. (Last Update: 2017-11-02) (Published: 2017-10-04)
CVE-2017-1000069 CVSS: 6.8
CSRF in Bitly oauth2_proxy 2.1 during the authentication flow (Last Update: 2017-07-20) (Published: 2017-07-17)