POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks.
Tag: CSRF
ASA-2019-00319 – phpMyAdmin: CSRF vulnerability in login form
A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim.
ASA-2019-00202 – Magento: Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete wysiwyg directory
An attacker can delete the content of wysiwyg directory within the context of authenticated administrator's session via Cross-Site Request Forgery (CSRF).
ASA-2019-00191 – Magento: Deletion of synonym groups through a Cross-Site Request Forgery (CSRF) vulnerability
An attacker can delete all synonyms groups within the context of an authenticated administrator's session through Cross-Site Request Forgery (CSRF).
ASA-2019-00190 – Magento: Site map deletion through Cross-Site Request Forgery (CSRF)
An attacker can delete the site map within the context of an authenticated administrator's session through Cross-Site Request Forgery (CSRF).
ASA-2019-00189 – Magento: Deletion of a product attribute through Cross-Site Request Forgery (CSRF)
An attacker can delete a product attribute within the context of authenticated administrator's session through cross-site request forgery.
ASA-2019-00105 – Jenkins: Monitoring Plugin did not apply Cross-Site Request Forgery (CSRF) protection even if enabled in Jenkins
Monitoring Plugin provides a standalone JavaMelody servlet with an independent CSRF protection configuration. Even if Jenkins had CSRF protection enabled, Monitoring Plugin may not have it enabled.
ASA-2019-00103 – Jenkins: Cross-Site Request Forgery (CSRF) vulnerability and missing permission checks in Kanboard Plugin allowed Server-Side Request Forgery (SSRF)
Kanboard Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to submit a GET request to an attacker-specified URL. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.