VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 106 of 286
  • CVE-2019-1003078MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-1003076MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-1003058MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-1003022MedFeb 6, 2019
    risk 0.42cvss 6.5epss 0.01

    A denial of service vulnerability exists in Jenkins Monitoring Plugin 1.74.0 and earlier in PluginImpl.java that allows attackers to kill threads running on the Jenkins master.

  • CVE-2018-19621MedNov 28, 2018
    risk 0.42cvss 6.5epss 0.00

    server/index.php?s=/api/teamMember/save in ShowDoc 2.4.2 has a CSRF that can add members to a team.

  • CVE-2018-2474MedOct 9, 2018
    risk 0.42cvss 6.5epss 0.01

    SAP Fiori 1.0 for SAP ERP HCM (Approve Leave Request, version 2) application allows an attacker to trick an authenticated user to send unintended request to the web server. This vulnerability is due to insufficient CSRF protection.

  • CVE-2018-15401MedOct 5, 2018
    risk 0.42cvss 6.5epss 0.01

    A vulnerability in the web-based management interface of Cisco Hosted Collaboration Mediation Fulfillment could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability…

  • CVE-2017-15608MedSep 26, 2018
    risk 0.42cvss 6.5epss 0.00

    Inedo ProGet before 5.0 Beta5 has CSRF, allowing an attacker to change advanced settings.

  • CVE-2018-13398MedSep 18, 2018
    risk 0.42cvss 6.5epss 0.01

    The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery (CSRF) vulnerability.

  • CVE-2018-17070MedSep 15, 2018
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in UNL-CMS 7.59. A CSRF attack can update the website settings via ?q=admin%2Fconfig%2Fsystem%2Fsite-information&render=overlay&render=overlay.

  • CVE-2018-17069MedSep 15, 2018
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in UNL-CMS 7.59. A CSRF attack can create new content via ?q=node%2Fadd%2Farticle&render=overlay&render=overlay.

  • CVE-2018-16832MedSep 11, 2018
    risk 0.42cvss 6.5epss 0.01

    CSRF in the anti-csrf decorator in xunfeng 0.2.0 allows an attacker to modify the configuration via a Flash file because views/lib/AntiCSRF.py can overwrite the request.host value with the content of the X-Forwarded-Host HTTP header.

  • CVE-2018-16458MedSep 4, 2018
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in baigo CMS v2.1.1. There is an index.php?m=article&c=request CSRF that can cause publication of any article.

  • CVE-2018-16449MedSep 4, 2018
    risk 0.42cvss 6.5epss 0.01

    OneThink 1.1.141212 allows CSRF for adding a page via admin.php?s=/Channel/add.html, adding a blog via admin.php?s=/Article/update.html, and setting the audit state via admin.php?s=/Article/setStatus/status/1.html.

  • CVE-2018-16337MedSep 2, 2018
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Cscms V4.1.8. There is a CSRF vulnerability that can modify a website's basic configuration via upload/admin.php/setting/save.

  • CVE-2018-16315MedSep 1, 2018
    risk 0.42cvss 6.5epss 0.00

    In waimai Super Cms 20150505, there is a CSRF vulnerability that can change the configuration via admin.php?m=Config&a=add.

  • CVE-2018-15569MedAug 20, 2018
    risk 0.42cvss 6.5epss 0.00

    my little forum 2.4.12 allows CSRF for deletion of users.

  • CVE-2018-13394MedAug 15, 2018
    risk 0.42cvss 6.5epss 0.01

    The acceptAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request forgery…

  • CVE-2018-13393MedAug 15, 2018
    risk 0.42cvss 6.5epss 0.01

    The convertCommentToAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request…

  • CVE-2018-15203MedAug 8, 2018
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Ignited CMS through 2017-02-19. ign/index.php/admin/pages/add_page allows a CSRF attack to add pages.