Total
6084 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-36755 | 1 Presscustomizr | 1 Customizr | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Customizr theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.3.0. This is due to missing or incorrect nonce validation on the czr_fn_post_fields_save() function. This makes it possible for unauthenticated attackers to post fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2020-36754 | 1 Strangerstudios | 1 Paid Memberships Pro | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Paid Memberships Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.2. This is due to missing or incorrect nonce validation on the pmpro_page_save() function. This makes it possible for unauthenticated attackers to save pages via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2020-36753 | 1 Presscustomizr | 1 Hueman | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Hueman theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.6.3. This is due to missing or incorrect nonce validation on the save_meta_box() function. This makes it possible for unauthenticated attackers to save metabox data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2020-36751 | 1 Jesseeproductions | 1 Coupon Creator | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Coupon Creator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1. This is due to missing or incorrect nonce validation on the save_meta() function. This makes it possible for unauthenticated attackers to save meta fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2020-36750 | 1 Ewww | 1 Image Optimizer | 2024-11-21 | N/A | 4.3 MEDIUM |
| The EWWW Image Optimizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.8.1. This is due to missing or incorrect nonce validation on the ewww_ngg_bulk_init() function. This makes it possible for unauthenticated attackers to perform bulk image optimization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2020-36740 | 1 Radio Buttons For Taxonomies Project | 1 Radio Buttons For Taxonomies | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Radio Buttons for Taxonomies plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on the save_single_term() function. This makes it possible for unauthenticated attackers to save terms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2020-36717 | 1 Kaliforms | 1 Kali Forms | 2024-11-21 | N/A | 8.8 HIGH |
| The Kali Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.1. This is due to incorrect nonce handling throughout the plugin's function. This makes it possible for unauthenticated attackers to access the plugin's administrative functions via forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2020-36707 | 1 Wpconcern | 1 Nifty Coming Soon \& Maintenance Mode Page | 2024-11-21 | N/A | 8.8 HIGH |
| The Coming Soon & Maintenance Mode Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.57. This is due to confusing logic functions missing or having incorrect nonce validation. This makes it possible for unauthenticated attackers to gain and perform otherwise unauthorized access and actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2020-36633 | 1 Moodle-block Sitenews Project | 1 Moodle-block Sitenews | 2024-11-21 | N/A | 4.3 MEDIUM |
| A vulnerability was found in moodle-block_sitenews 1.0. It has been classified as problematic. This affects the function get_content of the file block_sitenews.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 1.1 is able to address this issue. The name of the patch is cd18d8b1afe464ae6626832496f4e070bac4c58f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216879. | |||||
| CVE-2020-36625 | 1 Destiny | 1 Chat | 2024-11-21 | N/A | 4.3 MEDIUM |
| A vulnerability was found in destiny.gg chat. It has been rated as problematic. This issue affects the function websocket.Upgrader of the file main.go. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The name of the patch is bebd256fc3063111fb4503ca25e005ebf6e73780. It is recommended to apply a patch to fix this issue. The identifier VDB-216521 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-36623 | 1 Pengu Project | 1 Pengu | 2024-11-21 | N/A | 4.3 MEDIUM |
| A vulnerability was found in Pengu. It has been declared as problematic. Affected by this vulnerability is the function runApp of the file src/index.js. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The name of the patch is aea66f12b8cdfc3c8c50ad6a9c89d8307e9d0a91. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216475. | |||||
| CVE-2020-36622 | 1 Bienlein Project | 1 Bienlein | 2024-11-21 | N/A | 4.3 MEDIUM |
| A vulnerability was found in sah-comp bienlein and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The name of the patch is d7836a4f2b241e4745ede194f0f6fb47199cab6b. It is recommended to apply a patch to fix this issue. The identifier VDB-216473 was assigned to this vulnerability. | |||||
| CVE-2020-36534 | 1 Easyiicms | 1 Easyiicms | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in easyii CMS. It has been classified as problematic. Affected is an unknown function of the file /admin/sign/out. The manipulation leads to cross site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2020-36505 | 1 Delete All Comments Easily Project | 1 Delete All Comments Easily | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Delete All Comments Easily WordPress plugin through 1.3 is lacking Cross-Site Request Forgery (CSRF) checks, which could result in an unauthenticated attacker making a logged in admin delete all comments from the blog. | |||||
| CVE-2020-36504 | 1 Wp-pro-quiz Project | 1 Wp-pro-quiz | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The WP-Pro-Quiz WordPress plugin through 0.37 does not have CSRF check in place when deleting a quiz, which could allow an attacker to make a logged in admin delete arbitrary quiz on the blog | |||||
| CVE-2020-36389 | 1 Civicrm | 1 Civicrm | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF. | |||||
| CVE-2020-36334 | 1 Themegrill | 1 Themegrill Demo Importer | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| themegrill-demo-importer before 1.6.3 allows CSRF, as demonstrated by wiping the database. | |||||
| CVE-2020-36283 | 1 Hidglobal | 4 Omnikey 5127, Omnikey 5127 Firmware, Omnikey 5427 and 1 more | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL |
| HID OMNIKEY 5427 and OMNIKEY 5127 readers are vulnerable to CSRF when using the EEM driver (Ethernet Emulation Mode). By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to upload a configuration file to the device. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. | |||||
| CVE-2020-36247 | 1 Osc | 1 Open Ondemand | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Open OnDemand before 1.5.7 and 1.6.x before 1.6.22 allows CSRF. | |||||
| CVE-2020-36191 | 1 Jupyter | 1 Jupyterhub | 2024-11-21 | 3.5 LOW | 4.5 MEDIUM |
| JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account). | |||||