RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF because GET requests can be used for renames and deletions.
{ "cpe": "cpe:2.3:a:nopcommerce:nopcommerce:4.20:-:*:*:*:*:*:*", "source": "CPE_STRING", "extracted_events": [ { "introduced": "4.20-NA" }, { "last_affected": "4.20-NA" } ] }
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19685.json"