ASA-2019-00432 – Mozilla Firefox and Thunderbird: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects

POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks.

ASA-2019-00319 – phpMyAdmin: CSRF vulnerability in login form

A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim.

ASA-2019-00105 – Jenkins: Monitoring Plugin did not apply Cross-Site Request Forgery (CSRF) protection even if enabled in Jenkins

Monitoring Plugin provides a standalone JavaMelody servlet with an independent CSRF protection configuration. Even if Jenkins had CSRF protection enabled, Monitoring Plugin may not have it enabled.

ASA-2019-00103 – Jenkins: Cross-Site Request Forgery (CSRF) vulnerability and missing permission checks in Kanboard Plugin allowed Server-Side Request Forgery (SSRF)

Kanboard Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to submit a GET request to an attacker-specified URL. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.