Allele Security Intelligence - Cross-Site Request Forgery

ASA-2019-00611 – Jenkins Libvirt Slaves Plugin: Cross-Site Request Forgery (CSRF)

Posted on December 3, 2019December 6, 2019 by Allele Security Intelligence in Alerts

The form validation method does not require POST requests, resulting in a Cross-Site Request Forgery vulnerability (CSRF).

ASA-2019-00608 – Jenkins ElasticBox Kubernetes CI/CD Plugin: Cross-Site Request Forgery (CSRF)

Posted on November 4, 2019December 6, 2019 by Allele Security Intelligence in Alerts

The form validation method does not require POST requests, resulting in a CSRF vulnerability.

ASA-2019-00604 – Jenkins Deploy WebLogic Plugin: Cross-Site Request Forgery

Posted on November 4, 2019November 4, 2019 by Allele Security Intelligence in Alerts

The form validation method does not require POST requests, resulting in a CSRF vulnerability.

ASA-2019-00602 – Jenkins Dynatrace Application Monitoring Plugin: Cross-Site Request Forgery

Posted on November 4, 2019November 4, 2019 by Allele Security Intelligence in Alerts

Dynatrace Application Monitoring Plugin did not require POST requests on a method implementing form validation. This CSRF vulnerability allowed attackers to initiate a connection test to an attacker-specified server with attacker-specified username and password.

ASA-2019-00432 – Mozilla Firefox and Thunderbird: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects

Posted on July 17, 2019July 23, 2019 by Allele Security Intelligence in Alerts

POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks.

ASA-2019-00319 – phpMyAdmin: CSRF vulnerability in login form

Posted on June 7, 2019June 7, 2019 by Allele Security Intelligence in Alerts

A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim.

ASA-2019-00202 – Magento: Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete wysiwyg directory

Posted on April 16, 2019April 18, 2019 by Allele Security Intelligence in Alerts

An attacker can delete the content of wysiwyg directory within the context of authenticated administrator's session via Cross-Site Request Forgery (CSRF).

ASA-2019-00191 – Magento: Deletion of synonym groups through a Cross-Site Request Forgery (CSRF) vulnerability

Posted on April 16, 2019June 20, 2019 by Allele Security Intelligence in Alerts

An attacker can delete all synonyms groups within the context of an authenticated administrator's session through Cross-Site Request Forgery (CSRF).