POST requests made by NPAPI plugins, such as Flash, that receive an HTTP 308 (Permanent Redirect) response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks.
A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim.
An attacker can delete the content of the wysiwyg directory within the context of an authenticated administrator's session through Cross-Site Request Forgery (CSRF).
An attacker can delete all synonyms groups within the context of an authenticated administrator's session through Cross-Site Request Forgery (CSRF).
An attacker can delete the site map within the context of an authenticated administrator's session through Cross-Site Request Forgery (CSRF).
An attacker can delete a product attribute within the context of an authenticated administrator's session through Cross-Site Request Forgery (CSRF).
Monitoring Plugin provides a standalone JavaMelody servlet with an independent CSRF protection configuration. Even if Jenkins had CSRF protection enabled, Monitoring Plugin may not have it enabled.
Kanboard Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to submit a GET request to an attacker-specified URL. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
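The Kanboard Plugin issue above combines two common defects in Jenkins form-validation endpoints: no permission check, and no POST requirement (so Jenkins' crumb-based CSRF protection never applies). The following is an added example, not the Kanboard Plugin's own code: a hypothetical descriptor class with the vulnerable shape of such a method beside its hardened form. The class, method and parameter names (ExampleServerDescriptor, doCheckApiUrlUnsafe, doCheckApiUrl, apiUrl) are assumptions chosen for illustration.

```java
// Added example (hypothetical code, not from the Kanboard Plugin): a Jenkins
// form-validation endpoint in the vulnerable shape described above, beside a
// hardened version. Descriptor base class and plugin wiring are omitted.
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

public class ExampleServerDescriptor {

    // VULNERABLE: Stapler exposes doCheck* methods as /...checkApiUrlUnsafe?apiUrl=...
    // With no permission check, any user with Overall/Read can call it, and with no
    // POST requirement a plain GET (a link or <img src=...> on an attacker page)
    // makes the Jenkins server issue the outbound request: SSRF, reachable via CSRF.
    public FormValidation doCheckApiUrlUnsafe(@QueryParameter String apiUrl) {
        return probe(apiUrl);
    }

    // HARDENED: @RequirePOST rejects GET, so the request must be a POST and is then
    // subject to Jenkins' crumb (CSRF token) check; the explicit permission check
    // limits the endpoint to users allowed to configure the enclosing item (or,
    // for global configuration, to administrators) before any request leaves Jenkins.
    @RequirePOST
    public FormValidation doCheckApiUrl(@AncestorInPath Item item,
                                        @QueryParameter String apiUrl) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        return probe(apiUrl);
    }

    // The shared validation logic: contact the configured endpoint and report whether
    // it answers. This is exactly the capability an attacker abuses when the
    // surrounding checks are missing.
    private static FormValidation probe(String apiUrl) {
        if (apiUrl == null || apiUrl.trim().isEmpty()) {
            return FormValidation.warning("No URL configured");
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(apiUrl).openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(2000);
            conn.setReadTimeout(2000);
            int code = conn.getResponseCode();
            return code < 400
                    ? FormValidation.ok("Reachable (HTTP " + code + ")")
                    : FormValidation.error("Server answered HTTP " + code);
        } catch (IOException e) {
            return FormValidation.error("Cannot reach " + apiUrl + ": " + e.getMessage());
        }
    }
}
```

When reviewing a plugin for this class of bug, look at every public doCheck*/doValidate*/doTest* method: each one that performs a side effect or an outbound request should carry both a POST requirement and a permission check appropriate to its scope, since either one alone leaves either the CSRF or the authorization half of the problem open.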