Vulmon Recent Vulnerabilities Trends About Contact

csrf vulnerabilities and exploits

(subscribe to this query)

4.3
CVSSv2
CVE-2016-10535
csrf-lite is a cross-site request forgery protection library for framework-less node sites. csrf-lite uses `===`, a fail first string comparison, instead of a time constant string comparison This enables an attacker to guess the secret in no more than (16*18)288 guesses, instead...
Csrf-lite ProjectCsrf-lite
4.3
CVSSv2
CVE-2010-3082
Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie....
DjangoprojectDjango
5.1
CVSSv2
CVE-2019-10353
CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection....
Jenkins
5
CVSSv2
CVE-2014-0473
The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users....
DjangoprojectDjangoCanonicalUbuntu Linux
6.8
CVSSv2
CVE-2012-1936
** DISPUTED ** The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on...
Wordpress
5
CVSSv2
CVE-2013-2086
The configuration loader in ownCloud 5.0.x before 5.0.6 allows remote attackers to obtain CSRF tokens and other sensitive information by reading an unspecified JavaScript file....
Owncloud
6.8
CVSSv2
CVE-2019-10384
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user....
Jenkins
4.3
CVSSv2
CVE-2019-13664
Insufficient policy enforcement in Blink in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass content security policy via a crafted HTML page....
GoogleChrome
6.8
CVSSv2
CVE-2018-8764
Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 places a CSRF token in the sec_token parameter of a URI, which makes it easier for remote attackers to defeat a CSRF protection mechanism by leveraging logging....
Ldap-account-managerLdap Account ManagerDebianDebian Linux
6.8
CVSSv2
CVE-2015-5318
Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack....
JenkinsRedhatOpenshift
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2020-15469CVE-2020-5902CVE-2020-14947cameraCVE-2020-2203NULL pointer dereferenceCVE-2020-6089logic flawprestashopCVE-2020-15523