Security Vulnerabilities, CVEs, Published In 2017 (CSRF)

python-fedora 0.8.0 and lower is vulnerable to an open redirect resulting in loss of CSRF protection

Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF resulting in data modification

CSRF in YouTube (WordPress plugin) could allow unauthenticated attacker to change any setting within the plugin

Mahara 1.9 before 1.9.8 and 1.10 before 1.10.6 and 15.04 before 15.04.3 are vulnerable to perform a cross-site request forgery (CSRF) attack on the uploader contained in Mahara's filebrowser widget. This could allow an attacker to trick a Mahara user into unknowingly uploading malicious files into their Mahara account.

Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action as it's similar to cache invalidation, the plugin specifically adds a permission to be able to use this functionality, and this issue undermines that permission.

Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server.

GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. GitHub Enterprise) as part of form validation and completion (e.g. to verify Scan Credentials are correct). This functionality improperly checked permissions, allowing any user with Overall/Read access to Jenkins to connect to any web server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery.

Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins.

The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks.

Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks.

CSRF in Bitly oauth2_proxy 2.1 during authentication flow

Chyrp Lite version 2016.04 is vulnerable to a CSRF in the user settings function allowing attackers to hijack the authentication of logged in users to modify account information, including their password.

Biometric Shift Employee Management System has CSRF via index.php in an edit_holiday action.

PHP Scripts Mall Muslim Matrimonial Script has CSRF via admin/subadmin_edit.php.

PHP Scripts Mall PHP Multivendor Ecommerce has CSRF via admin/sellerupd.php.

PHP Scripts Mall Single Theater Booking has CSRF via admin/sitesettings.php.

Vanguard Marketplace Digital Products PHP has CSRF via /search.

PHP Scripts Mall Professional Service Script has CSRF via admin/general_settingupd.php, as demonstrated by modifying a setting in the user panel.

PHP Scripts Mall Responsive Realestate Script has CSRF via admin/general.

PHP Scripts Mall Car Rental Script has CSRF via admin/sitesettings.php.

FS Lynda Clone has CSRF via user/edit_profile, as demonstrated by adding content to the user panel.

Readymade Job Site Script has CSRF via the /job URI.

Readymade Video Sharing Script has CSRF via user-profile-edit.php.

Bus Booking Script has CSRF via admin/new_master.php.

Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.