CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 106 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-1003078 | Med | 0.42 | 6.5 | 0.01 | Apr 4, 2019 | A cross-site request forgery vulnerability in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | ||
| CVE-2019-1003076 | Med | 0.42 | 6.5 | 0.01 | Apr 4, 2019 | A cross-site request forgery vulnerability in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | ||
| CVE-2019-1003058 | Med | 0.42 | 6.5 | 0.01 | Apr 4, 2019 | A cross-site request forgery vulnerability in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers to initiate a connection to an attacker-specified server. | ||
| CVE-2019-1003022 | Med | 0.42 | 6.5 | 0.01 | Feb 6, 2019 | A denial of service vulnerability exists in Jenkins Monitoring Plugin 1.74.0 and earlier in PluginImpl.java that allows attackers to kill threads running on the Jenkins master. | ||
| CVE-2018-19621 | — | Med | 0.42 | 6.5 | 0.00 | Nov 28, 2018 | server/index.php?s=/api/teamMember/save in ShowDoc 2.4.2 has a CSRF that can add members to a team. | |
| CVE-2018-2474 | Med | 0.42 | 6.5 | 0.01 | Oct 9, 2018 | SAP Fiori 1.0 for SAP ERP HCM (Approve Leave Request, version 2) application allows an attacker to trick an authenticated user to send unintended request to the web server. This vulnerability is due to insufficient CSRF protection. | ||
| CVE-2018-15401 | Med | 0.42 | 6.5 | 0.01 | Oct 5, 2018 | A vulnerability in the web-based management interface of Cisco Hosted Collaboration Mediation Fulfillment could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability… | ||
| CVE-2017-15608 | Med | 0.42 | 6.5 | 0.00 | Sep 26, 2018 | Inedo ProGet before 5.0 Beta5 has CSRF, allowing an attacker to change advanced settings. | ||
| CVE-2018-13398 | Med | 0.42 | 6.5 | 0.01 | Sep 18, 2018 | The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery (CSRF) vulnerability. | ||
| CVE-2018-17070 | Med | 0.42 | 6.5 | 0.01 | Sep 15, 2018 | An issue was discovered in UNL-CMS 7.59. A CSRF attack can update the website settings via ?q=admin%2Fconfig%2Fsystem%2Fsite-information&render=overlay&render=overlay. | ||
| CVE-2018-17069 | Med | 0.42 | 6.5 | 0.01 | Sep 15, 2018 | An issue was discovered in UNL-CMS 7.59. A CSRF attack can create new content via ?q=node%2Fadd%2Farticle&render=overlay&render=overlay. | ||
| CVE-2018-16832 | Med | 0.42 | 6.5 | 0.01 | Sep 11, 2018 | CSRF in the anti-csrf decorator in xunfeng 0.2.0 allows an attacker to modify the configuration via a Flash file because views/lib/AntiCSRF.py can overwrite the request.host value with the content of the X-Forwarded-Host HTTP header. | ||
| CVE-2018-16458 | Med | 0.42 | 6.5 | 0.00 | Sep 4, 2018 | An issue was discovered in baigo CMS v2.1.1. There is an index.php?m=article&c=request CSRF that can cause publication of any article. | ||
| CVE-2018-16449 | Med | 0.42 | 6.5 | 0.01 | Sep 4, 2018 | OneThink 1.1.141212 allows CSRF for adding a page via admin.php?s=/Channel/add.html, adding a blog via admin.php?s=/Article/update.html, and setting the audit state via admin.php?s=/Article/setStatus/status/1.html. | ||
| CVE-2018-16337 | Med | 0.42 | 6.5 | 0.00 | Sep 2, 2018 | An issue was discovered in Cscms V4.1.8. There is a CSRF vulnerability that can modify a website's basic configuration via upload/admin.php/setting/save. | ||
| CVE-2018-16315 | Med | 0.42 | 6.5 | 0.00 | Sep 1, 2018 | In waimai Super Cms 20150505, there is a CSRF vulnerability that can change the configuration via admin.php?m=Config&a=add. | ||
| CVE-2018-15569 | Med | 0.42 | 6.5 | 0.00 | Aug 20, 2018 | my little forum 2.4.12 allows CSRF for deletion of users. | ||
| CVE-2018-13394 | Med | 0.42 | 6.5 | 0.01 | Aug 15, 2018 | The acceptAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request forgery… | ||
| CVE-2018-13393 | Med | 0.42 | 6.5 | 0.01 | Aug 15, 2018 | The convertCommentToAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request… | ||
| CVE-2018-15203 | Med | 0.42 | 6.5 | 0.00 | Aug 8, 2018 | An issue was discovered in Ignited CMS through 2017-02-19. ign/index.php/admin/pages/add_page allows a CSRF attack to add pages. |
- risk 0.42cvss 6.5epss 0.01
A cross-site request forgery vulnerability in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
- risk 0.42cvss 6.5epss 0.01
A cross-site request forgery vulnerability in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
- risk 0.42cvss 6.5epss 0.01
A cross-site request forgery vulnerability in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers to initiate a connection to an attacker-specified server.
- risk 0.42cvss 6.5epss 0.01
A denial of service vulnerability exists in Jenkins Monitoring Plugin 1.74.0 and earlier in PluginImpl.java that allows attackers to kill threads running on the Jenkins master.
- risk 0.42cvss 6.5epss 0.00
server/index.php?s=/api/teamMember/save in ShowDoc 2.4.2 has a CSRF that can add members to a team.
- risk 0.42cvss 6.5epss 0.01
SAP Fiori 1.0 for SAP ERP HCM (Approve Leave Request, version 2) application allows an attacker to trick an authenticated user to send unintended request to the web server. This vulnerability is due to insufficient CSRF protection.
- risk 0.42cvss 6.5epss 0.01
A vulnerability in the web-based management interface of Cisco Hosted Collaboration Mediation Fulfillment could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability…
- risk 0.42cvss 6.5epss 0.00
Inedo ProGet before 5.0 Beta5 has CSRF, allowing an attacker to change advanced settings.
- risk 0.42cvss 6.5epss 0.01
The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery (CSRF) vulnerability.
- risk 0.42cvss 6.5epss 0.01
An issue was discovered in UNL-CMS 7.59. A CSRF attack can update the website settings via ?q=admin%2Fconfig%2Fsystem%2Fsite-information&render=overlay&render=overlay.
- risk 0.42cvss 6.5epss 0.01
An issue was discovered in UNL-CMS 7.59. A CSRF attack can create new content via ?q=node%2Fadd%2Farticle&render=overlay&render=overlay.
- risk 0.42cvss 6.5epss 0.01
CSRF in the anti-csrf decorator in xunfeng 0.2.0 allows an attacker to modify the configuration via a Flash file because views/lib/AntiCSRF.py can overwrite the request.host value with the content of the X-Forwarded-Host HTTP header.
- risk 0.42cvss 6.5epss 0.00
An issue was discovered in baigo CMS v2.1.1. There is an index.php?m=article&c=request CSRF that can cause publication of any article.
- risk 0.42cvss 6.5epss 0.01
OneThink 1.1.141212 allows CSRF for adding a page via admin.php?s=/Channel/add.html, adding a blog via admin.php?s=/Article/update.html, and setting the audit state via admin.php?s=/Article/setStatus/status/1.html.
- risk 0.42cvss 6.5epss 0.00
An issue was discovered in Cscms V4.1.8. There is a CSRF vulnerability that can modify a website's basic configuration via upload/admin.php/setting/save.
- risk 0.42cvss 6.5epss 0.00
In waimai Super Cms 20150505, there is a CSRF vulnerability that can change the configuration via admin.php?m=Config&a=add.
- risk 0.42cvss 6.5epss 0.00
my little forum 2.4.12 allows CSRF for deletion of users.
- risk 0.42cvss 6.5epss 0.01
The acceptAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request forgery…
- risk 0.42cvss 6.5epss 0.01
The convertCommentToAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request…
- risk 0.42cvss 6.5epss 0.00
An issue was discovered in Ignited CMS through 2017-02-19. ign/index.php/admin/pages/add_page allows a CSRF attack to add pages.