VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 105 of 286
  • CVE-2021-32732HigFeb 4, 2022
    risk 0.42cvss 7.5epss 0.01

    ### Impact It's possible to know if a user has or not an account in a wiki related to an email address, and which username(s) is actually tied to that email by forging a request to the Forgot username page. Note that since this page does not have a CSRF check it's quite easy to…

  • CVE-2021-20842MedNov 24, 2021
    risk 0.42cvss 6.5epss 0.01

    Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web page.

  • CVE-2021-22051MedNov 8, 2021
    risk 0.42cvss 6.5epss 0.01

    Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to…

  • CVE-2021-39864MedOct 15, 2021
    risk 0.42cvss 6.5epss 0.02

    Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to customer cart by an…

  • CVE-2021-31604MedSep 27, 2021
    risk 0.42cvss 6.5epss 0.01

    furlongm openvpn-monitor through 1.1.3 allows CSRF to disconnect an arbitrary client.

  • CVE-2021-26296HigFeb 19, 2021
    risk 0.42cvss 7.5epss 0.03

    In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although…

  • CVE-2020-2295MedOct 8, 2020
    risk 0.42cvss 6.5epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Maven Cascade Release Plugin 1.3.2 and earlier allows attackers to start cascade builds and layout builds, and reconfigure the plugin.

  • CVE-2020-13157MedJun 23, 2020
    risk 0.42cvss 6.5epss 0.01

    modules\users\admin\edit.php in NukeViet 4.4 allows CSRF to change a user's password via an admin/index.php?nv=users&op=edit&userid= URI. The old password is not needed.

  • CVE-2020-13156MedJun 23, 2020
    risk 0.42cvss 6.5epss 0.01

    modules\users\admin\add_user.php in NukeViet 4.4 allows CSRF to add a user account via the admin/index.php?nv=users&op=user_add URI.

  • CVE-2020-8167MedJun 19, 2020
    risk 0.42cvss 6.5epss 0.01

    A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.

  • CVE-2020-13868MedJun 5, 2020
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in the Comments plugin before 1.5.5 for Craft CMS. CSRF affects comment integrity.

  • CVE-2019-13376MedSep 27, 2019
    risk 0.42cvss 6.5epss 0.01

    phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS

  • CVE-2019-10353HigJul 17, 2019
    risk 0.42cvss 7.5epss 0.01

    CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.

  • CVE-2019-10292MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-10289MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-10278MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-1003090MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-1003086MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-1003082MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-1003080MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers to initiate a connection to an attacker-specified server.