VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 107 of 286
  • CVE-2018-1999027HigAug 1, 2018
    risk 0.42cvss 7.5epss 0.01

    An exposure of sensitive information vulnerability exists in Jenkins SaltStack Plugin 3.1.6 and earlier in SaltAPIBuilder.java, SaltAPIStep.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins.

  • CVE-2018-10232MedJul 11, 2018
    risk 0.42cvss 6.5epss 0.01

    Cross-site request forgery (CSRF) vulnerability in TOPdesk before 8.05.017 (June 2018 version) and before 5.7.SR9 allows remote attackers to hijack the authentication of authenticated users for requests that can obtain sensitive information via unspecified vectors.

  • CVE-2018-12971MedJun 29, 2018
    risk 0.42cvss 6.5epss 0.00

    EasyCMS 1.3 has CSRF via the index.php?s=/admin/user/delAll URI to delete users.

  • CVE-2018-1000507MedJun 26, 2018
    risk 0.42cvss 6.5epss 0.00

    WP User Groups version 2.0.0 contains a Cross ite Request Forgery (CSRF) vulnerability in Settings page that can result in allows anybody to modify user groups and types. This attack appear to be exploitable via Admin must click on link. This vulnerability appears to have been…

  • CVE-2018-1000505MedJun 26, 2018
    risk 0.42cvss 6.5epss 0.01

    Tooltipy (tooltips for WP) version 5 contains a Cross ite Request Forgery (CSRF) vulnerability in Settings page that can result in could allow anybody to duplicate posts. This attack appear to be exploitable via Admin must follow a link. This vulnerability appears to have been…

  • CVE-2018-12583MedJun 19, 2018
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in AKCMS 6.1. CSRF can delete an article via an admincp deleteitem action to index.php.

  • CVE-2018-11680MedJun 2, 2018
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in CmsEasy 6.1_20180508. There is a CSRF vulnerability in the rich text editor that can add an IFRAME element. This might be used in a DoS attack if a referenced remote URL is refreshed at a rapid rate.

  • CVE-2018-11633MedMay 31, 2018
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings. The function…

  • CVE-2018-11632MedMay 31, 2018
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in the MULTIDOTS Add Social Share Messenger Buttons Whatsapp and Viber plugin 1.0.8 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the…

  • CVE-2018-11096MedMay 21, 2018
    risk 0.42cvss 6.5epss 0.01

    Horse Market Sell & Rent Portal Script 1.5.7 has a CSRF vulnerability through which an attacker can change all of the target's account information remotely.

  • CVE-2018-11127MedMay 15, 2018
    risk 0.42cvss 6.5epss 0.01

    e107 2.1.7 has CSRF resulting in arbitrary user deletion.

  • CVE-2018-11003MedMay 12, 2018
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in YXcms 1.4.7. Cross-site request forgery (CSRF) vulnerability in protected/apps/admin/controller/adminController.php allows remote attackers to delete administrator accounts via index.php?r=admin/admin/admindel.

  • CVE-2018-10758MedMay 5, 2018
    risk 0.42cvss 6.5epss 0.00

    The edit/ URI in Datenstrom Yellow 0.7.3 has CSRF via a delete action that can delete articles.

  • CVE-2018-10248MedApr 20, 2018
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can delete any article via index.php?m=content&f=content&v=recycle_delete.

  • CVE-2014-2675MedMar 19, 2018
    risk 0.42cvss 6.5epss 0.01

    Cross-site request forgery (CSRF) vulnerability in inc/AdminPage.php in the WP HTML Sitemap plugin 1.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete the sitemap via a request to the wp-html-sitemap page in…

  • CVE-2017-18033MedJan 18, 2018
    risk 0.42cvss 6.5epss 0.01

    The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery (CSRF) vulnerabilities.

  • CVE-2018-0785MedJan 10, 2018
    risk 0.42cvss 6.5epss 0.03

    ASP.NET Core 1.0. 1.1, and 2.0 allow a cross site request forgery vulnerability due to the ASP.NET Core project templates, aka "ASP.NET Core Cross Site Request Forgery Vulnerability".

  • CVE-2018-5301MedJan 8, 2018
    risk 0.42cvss 6.5epss 0.00

    Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have CSRF resulting in deletion of a customer address from an address book, aka APPSEC-1433.

  • CVE-2017-1000224MedNov 17, 2017
    risk 0.42cvss 6.5epss 0.01

    CSRF in YouTube (WordPress plugin) could allow unauthenticated attacker to change any setting within the plugin

  • CVE-2017-1000085MedOct 5, 2017
    risk 0.42cvss 6.5epss 0.01

    Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web…