CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 105 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-32732 | Hig | 0.42 | 7.5 | 0.01 | Feb 4, 2022 | ### Impact It's possible to know if a user has or not an account in a wiki related to an email address, and which username(s) is actually tied to that email by forging a request to the Forgot username page. Note that since this page does not have a CSRF check it's quite easy to… | ||
| CVE-2021-20842 | Med | 0.42 | 6.5 | 0.01 | Nov 24, 2021 | Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web page. | ||
| CVE-2021-22051 | — | Med | 0.42 | 6.5 | 0.01 | Nov 8, 2021 | Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to… | |
| CVE-2021-39864 | Med | 0.42 | 6.5 | 0.02 | Oct 15, 2021 | Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to customer cart by an… | ||
| CVE-2021-31604 | — | Med | 0.42 | 6.5 | 0.01 | Sep 27, 2021 | furlongm openvpn-monitor through 1.1.3 allows CSRF to disconnect an arbitrary client. | |
| CVE-2021-26296 | Hig | 0.42 | 7.5 | 0.03 | Feb 19, 2021 | In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although… | ||
| CVE-2020-2295 | Med | 0.42 | 6.5 | 0.01 | Oct 8, 2020 | A cross-site request forgery (CSRF) vulnerability in Jenkins Maven Cascade Release Plugin 1.3.2 and earlier allows attackers to start cascade builds and layout builds, and reconfigure the plugin. | ||
| CVE-2020-13157 | — | Med | 0.42 | 6.5 | 0.01 | Jun 23, 2020 | modules\users\admin\edit.php in NukeViet 4.4 allows CSRF to change a user's password via an admin/index.php?nv=users&op=edit&userid= URI. The old password is not needed. | |
| CVE-2020-13156 | — | Med | 0.42 | 6.5 | 0.01 | Jun 23, 2020 | modules\users\admin\add_user.php in NukeViet 4.4 allows CSRF to add a user account via the admin/index.php?nv=users&op=user_add URI. | |
| CVE-2020-8167 | — | Med | 0.42 | 6.5 | 0.01 | Jun 19, 2020 | A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains. | |
| CVE-2020-13868 | — | Med | 0.42 | 6.5 | 0.00 | Jun 5, 2020 | An issue was discovered in the Comments plugin before 1.5.5 for Craft CMS. CSRF affects comment integrity. | |
| CVE-2019-13376 | — | Med | 0.42 | 6.5 | 0.01 | Sep 27, 2019 | phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS | |
| CVE-2019-10353 | Hig | 0.42 | 7.5 | 0.01 | Jul 17, 2019 | CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection. | ||
| CVE-2019-10292 | Med | 0.42 | 6.5 | 0.01 | Apr 4, 2019 | A cross-site request forgery vulnerability in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers to initiate a connection to an attacker-specified server. | ||
| CVE-2019-10289 | Med | 0.42 | 6.5 | 0.01 | Apr 4, 2019 | A cross-site request forgery vulnerability in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers to initiate a connection to an attacker-specified server. | ||
| CVE-2019-10278 | Med | 0.42 | 6.5 | 0.01 | Apr 4, 2019 | A cross-site request forgery vulnerability in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | ||
| CVE-2019-1003090 | Med | 0.42 | 6.5 | 0.01 | Apr 4, 2019 | A cross-site request forgery vulnerability in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server. | ||
| CVE-2019-1003086 | Med | 0.42 | 6.5 | 0.01 | Apr 4, 2019 | A cross-site request forgery vulnerability in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | ||
| CVE-2019-1003082 | Med | 0.42 | 6.5 | 0.01 | Apr 4, 2019 | A cross-site request forgery vulnerability in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | ||
| CVE-2019-1003080 | Med | 0.42 | 6.5 | 0.01 | Apr 4, 2019 | A cross-site request forgery vulnerability in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers to initiate a connection to an attacker-specified server. |
- risk 0.42cvss 7.5epss 0.01
### Impact It's possible to know if a user has or not an account in a wiki related to an email address, and which username(s) is actually tied to that email by forging a request to the Forgot username page. Note that since this page does not have a CSRF check it's quite easy to…
- risk 0.42cvss 6.5epss 0.01
Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web page.
- risk 0.42cvss 6.5epss 0.01
Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to…
- risk 0.42cvss 6.5epss 0.02
Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to customer cart by an…
- risk 0.42cvss 6.5epss 0.01
furlongm openvpn-monitor through 1.1.3 allows CSRF to disconnect an arbitrary client.
- risk 0.42cvss 7.5epss 0.03
In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although…
- risk 0.42cvss 6.5epss 0.01
A cross-site request forgery (CSRF) vulnerability in Jenkins Maven Cascade Release Plugin 1.3.2 and earlier allows attackers to start cascade builds and layout builds, and reconfigure the plugin.
- risk 0.42cvss 6.5epss 0.01
modules\users\admin\edit.php in NukeViet 4.4 allows CSRF to change a user's password via an admin/index.php?nv=users&op=edit&userid= URI. The old password is not needed.
- risk 0.42cvss 6.5epss 0.01
modules\users\admin\add_user.php in NukeViet 4.4 allows CSRF to add a user account via the admin/index.php?nv=users&op=user_add URI.
- risk 0.42cvss 6.5epss 0.01
A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.
- risk 0.42cvss 6.5epss 0.00
An issue was discovered in the Comments plugin before 1.5.5 for Craft CMS. CSRF affects comment integrity.
- risk 0.42cvss 6.5epss 0.01
phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS
- risk 0.42cvss 7.5epss 0.01
CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.
- risk 0.42cvss 6.5epss 0.01
A cross-site request forgery vulnerability in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers to initiate a connection to an attacker-specified server.
- risk 0.42cvss 6.5epss 0.01
A cross-site request forgery vulnerability in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers to initiate a connection to an attacker-specified server.
- risk 0.42cvss 6.5epss 0.01
A cross-site request forgery vulnerability in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
- risk 0.42cvss 6.5epss 0.01
A cross-site request forgery vulnerability in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.
- risk 0.42cvss 6.5epss 0.01
A cross-site request forgery vulnerability in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
- risk 0.42cvss 6.5epss 0.01
A cross-site request forgery vulnerability in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
- risk 0.42cvss 6.5epss 0.01
A cross-site request forgery vulnerability in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers to initiate a connection to an attacker-specified server.