python-fedora 0.8.0 and lower is vulnerable to an open redirect resulting in loss of CSRF protection
Max CVSS 6.1 | Published 2017-09-14 | Updated 2022-12-21 | EPSS 0.07%

Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF resulting in data modification
Max CVSS 8.8 | Published 2017-11-01 | Updated 2019-05-22 | EPSS 0.08%

CSRF in YouTube (WordPress plugin) could allow an unauthenticated attacker to change any setting within the plugin
Max CVSS 6.5 | Published 2017-11-17 | Updated 2017-12-03 | EPSS 0.08%

Mahara 1.9 before 1.9.8, 1.10 before 1.10.6, and 15.04 before 15.04.3 are vulnerable to a cross-site request forgery (CSRF) attack on the uploader contained in Mahara's filebrowser widget. This could allow an attacker to trick a Mahara user into unknowingly uploading malicious files into their Mahara account.
Max CVSS 6.8 | Published 2017-11-03 | Updated 2017-11-15 | EPSS 0.08%

Poll SCM Plugin did not require requests to its API to be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action, as it is similar to cache invalidation, the plugin specifically adds a permission to be able to use this functionality, and this issue undermines that permission.
Max CVSS 8.8 | Published 2017-10-05 | Updated 2017-10-17 | EPSS 0.07%

Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL, which would result in the Jenkins Git client sending the username and password to an attacker-controlled server.
Max CVSS 7.5 | Published 2017-10-05 | Updated 2017-10-17 | EPSS 0.08%

GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. GitHub Enterprise) as part of form validation and completion (e.g. to verify Scan Credentials are correct). This functionality improperly checked permissions, allowing any user with Overall/Read access to Jenkins to connect to any web server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests to be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery.
Max CVSS 6.8 | Published 2017-10-05 | Updated 2017-10-17 | EPSS 0.05%

Role-based Authorization Strategy Plugin did not require requests to its API to be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add the administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins.
Max CVSS 8.8 | Published 2017-10-05 | Updated 2017-11-02 | EPSS 0.07%

The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin did not require requests to its API to be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks.
Max CVSS 8.0 | Published 2017-10-05 | Updated 2020-08-24 | EPSS 0.10%

Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests to be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks.
Max CVSS 6.5 | Published 2017-10-05 | Updated 2017-11-02 | EPSS 0.06%

CSRF in Bitly oauth2_proxy 2.1 during authentication flow
Max CVSS 8.8 | Published 2017-07-17 | Updated 2017-07-20 | EPSS 0.07%

Chyrp Lite version 2016.04 is vulnerable to a CSRF in the user settings function, allowing attackers to hijack the authentication of logged-in users to modify account information, including their password.
Max CVSS 8.8 | Published 2017-07-17 | Updated 2017-08-07 | EPSS 0.07%

Biometric Shift Employee Management System has CSRF via index.php in an edit_holiday action.
Max CVSS 8.8 | Published 2017-12-30 | Updated 2018-01-09 | EPSS 0.11%

PHP Scripts Mall Muslim Matrimonial Script has CSRF via admin/subadmin_edit.php.
Max CVSS 6.8 | Published 2017-12-30 | Updated 2018-01-09 | EPSS 0.08%

PHP Scripts Mall PHP Multivendor Ecommerce has CSRF via admin/sellerupd.php.
Max CVSS 8.8 | Published 2017-12-28 | Updated 2018-04-12 | EPSS 0.11%

PHP Scripts Mall Single Theater Booking has CSRF via admin/sitesettings.php.
Max CVSS 8.8 | Published 2017-12-28 | Updated 2018-01-09 | EPSS 0.11%

Vanguard Marketplace Digital Products PHP has CSRF via /search.
Max CVSS 8.8 | Published 2017-12-28 | Updated 2018-01-10 | EPSS 0.11%

PHP Scripts Mall Professional Service Script has CSRF via admin/general_settingupd.php, as demonstrated by modifying a setting in the user panel.
Max CVSS 8.8 | Published 2017-12-27 | Updated 2018-01-10 | EPSS 0.11%

PHP Scripts Mall Responsive Realestate Script has CSRF via admin/general.
Max CVSS 8.8 | Published 2017-12-27 | Updated 2018-01-10 | EPSS 0.11%

PHP Scripts Mall Car Rental Script has CSRF via admin/sitesettings.php.
Max CVSS 8.8 | Published 2017-12-27 | Updated 2018-01-10 | EPSS 0.11%

FS Lynda Clone has CSRF via user/edit_profile, as demonstrated by adding content to the user panel.
Max CVSS 8.8 | Published 2017-12-27 | Updated 2018-01-09 | EPSS 0.11%

Readymade Job Site Script has CSRF via the /job URI.
Max CVSS 8.8 | Published 2017-12-27 | Updated 2018-01-09 | EPSS 0.11%

Readymade Video Sharing Script has CSRF via user-profile-edit.php.
Max CVSS 8.8 | Published 2017-12-27 | Updated 2018-01-09 | EPSS 0.11%

Bus Booking Script has CSRF via admin/new_master.php.
Max CVSS 6.8 | Published 2017-12-21 | Updated 2018-01-03 | EPSS 0.08%

Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.
Max CVSS 8.8 | Published 2017-12-21 | Updated 2018-01-03 | EPSS 0.18%
334 vulnerabilities found