Tag: CSRF

ASA-2019-00432 – Mozilla Firefox and Thunderbird: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects

Posted on by Allele Security Intelligence in Alerts

POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks.

ASA-2019-00319 – phpMyAdmin: CSRF vulnerability in login form

Posted on by Allele Security Intelligence in Alerts

A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim.

ASA-2019-00105 – Jenkins: Monitoring Plugin did not apply Cross-Site Request Forgery (CSRF) protection even if enabled in Jenkins

Posted on by Allele Security Intelligence in Alerts

Monitoring Plugin provides a standalone JavaMelody servlet with an independent CSRF protection configuration. Even if Jenkins had CSRF protection enabled, Monitoring Plugin may not have it enabled.

ASA-2019-00103 – Jenkins: Cross-Site Request Forgery (CSRF) vulnerability and missing permission checks in Kanboard Plugin allowed Server-Side Request Forgery (SSRF)

Posted on by Allele Security Intelligence in Alerts

Kanboard Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to submit a GET request to an attacker-specified URL. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.