Search Results (9312 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2020-6776 1 Bosch 4 Praesensa, Praesensa Firmware, Praesideo and 1 more 2024-11-21 8.8 High
A vulnerability in the web-based management interface of Bosch PRAESIDEO until and including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an unauthenticated remote attacker to trigger actions on an affected system on behalf of another user (Cross-Site Request Forgery). This requires the victim to be tricked into clicking a malicious link or submitting a malicious form. A successful exploit allows the attacker to perform arbitrary actions with the privileges of the victim, e.g. creating and modifying user accounts, changing system configuration settings and causing DoS conditions. Note: For Bosch PRAESIDEO 4.31 and newer and Bosch PRAESENSA in all versions, the confidentiality impact is considered low because user credentials are not shown in the web interface.
CVE-2020-6585 1 Nagios 1 Nagios 2024-11-21 8.8 High
Nagios Log Server 2.1.3 has CSRF.
CVE-2020-6561 5 Debian, Fedoraproject, Google and 2 more 6 Debian Linux, Fedora, Chrome and 3 more 2024-11-21 6.5 Medium
Inappropriate implementation in Content Security Policy in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2020-6538 4 Debian, Fedoraproject, Google and 1 more 4 Debian Linux, Fedora, Chrome and 1 more 2024-11-21 6.5 Medium
Inappropriate implementation in WebView in Google Chrome on Android prior to 84.0.4147.105 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2020-6506 2 Google, Redhat 3 Android, Chrome, Rhel Extras 2024-11-21 6.5 Medium
Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page.
CVE-2020-6504 2 Google, Redhat 2 Chrome, Rhel Extras 2024-11-21 4.3 Medium
Insufficient policy enforcement in notifications in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass notification restrictions via a crafted HTML page.
CVE-2020-6503 2 Google, Redhat 2 Chrome, Rhel Extras 2024-11-21 6.5 Medium
Inappropriate implementation in accessibility in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
CVE-2020-6453 2 Google, Redhat 2 Chrome, Rhel Extras 2024-11-21 8.8 High
Inappropriate implementation in V8 in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2020-6420 4 Debian, Fedoraproject, Google and 1 more 4 Debian Linux, Fedora, Chrome and 1 more 2024-11-21 8.8 High
Insufficient policy enforcement in media in Google Chrome prior to 80.0.3987.132 allowed a remote attacker to bypass same origin policy via a crafted HTML page.
CVE-2020-6289 1 Sap 1 Disclosure Management 2024-11-21 8.8 High
SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick a user into browsing a malicious site.
CVE-2020-6206 1 Sap 1 Cloud Platform Integration 2024-11-21 4.3 Medium
SAP Cloud Platform Integration for Data Services, version 1.0, allows user inputs to be reflected as error or warning messages. This could mislead the victim to follow malicious instructions inserted by external attackers, leading to Cross Site Request Forgery.
CVE-2020-6167 1 Webfactoryltd 1 Minimal Coming Soon & Maintenance Mode 2024-11-21 8.8 High
A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.10, allows a CSRF attack to enable maintenance mode, inject XSS, modify several important settings, or include remote files as a logo.
CVE-2020-5928 1 F5 1 Big-ip Application Security Manager 2024-11-21 3.1 Low
In versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.2.6, 13.1.0-13.1.3.4, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, BIG-IP ASM Configuration utility CSRF protection token can be reused multiple times.
CVE-2020-5922 1 F5 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 11 more 2024-11-21 8.8 High
In BIG-IP versions 15.0.0-15.1.0.4, 14.1.0-14.1.2.6, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.2, iControl REST does not implement Cross Site Request Forgery protections for users which make use of Basic Authentication in a web browser.
CVE-2020-5904 1 F5 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more 2024-11-21 8.8 High
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, a cross-site request forgery (CSRF) vulnerability in the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, exists in an undisclosed page.
CVE-2020-5900 1 F5 1 Nginx Controller 2024-11-21 8.8 High
In versions 3.0.0-3.4.0, 2.0.0-2.9.0, and 1.0.1, there is insufficient cross-site request forgery (CSRF) protections for the NGINX Controller user interface.
CVE-2020-5798 1 Druva 1 Insync 2024-11-21 7.8 High
inSync Client installer for macOS versions v6.8.0 and prior could allow an attacker to gain privileges of a root user from a lower privileged user due to improper integrity checks and directory permissions.
CVE-2020-5790 1 Nagios 1 Nagios Xi 2024-11-21 6.5 Medium
Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
CVE-2020-5786 1 Teltonika-networks 2 Trb245, Trb245 Firmware 2024-11-21 8.8 High
Cross-site request forgery in Teltonika firmware TRB2_R_00.02.04.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
CVE-2020-5783 1 Ignitenet 1 Helios Glinq 2024-11-21 5.4 Medium
In IgniteNet HeliOS GLinq v2.2.1 r2961, the login functionality does not contain any CSRF protection mechanisms.