CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 107 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-1999027 | — | Hig | 0.42 | 7.5 | 0.01 | Aug 1, 2018 | An exposure of sensitive information vulnerability exists in Jenkins SaltStack Plugin 3.1.6 and earlier in SaltAPIBuilder.java, SaltAPIStep.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins. | |
| CVE-2018-10232 | Med | 0.42 | 6.5 | 0.01 | Jul 11, 2018 | Cross-site request forgery (CSRF) vulnerability in TOPdesk before 8.05.017 (June 2018 version) and before 5.7.SR9 allows remote attackers to hijack the authentication of authenticated users for requests that can obtain sensitive information via unspecified vectors. | ||
| CVE-2018-12971 | Med | 0.42 | 6.5 | 0.00 | Jun 29, 2018 | EasyCMS 1.3 has CSRF via the index.php?s=/admin/user/delAll URI to delete users. | ||
| CVE-2018-1000507 | Med | 0.42 | 6.5 | 0.00 | Jun 26, 2018 | WP User Groups version 2.0.0 contains a Cross ite Request Forgery (CSRF) vulnerability in Settings page that can result in allows anybody to modify user groups and types. This attack appear to be exploitable via Admin must click on link. This vulnerability appears to have been… | ||
| CVE-2018-1000505 | Med | 0.42 | 6.5 | 0.01 | Jun 26, 2018 | Tooltipy (tooltips for WP) version 5 contains a Cross ite Request Forgery (CSRF) vulnerability in Settings page that can result in could allow anybody to duplicate posts. This attack appear to be exploitable via Admin must follow a link. This vulnerability appears to have been… | ||
| CVE-2018-12583 | Med | 0.42 | 6.5 | 0.00 | Jun 19, 2018 | An issue was discovered in AKCMS 6.1. CSRF can delete an article via an admincp deleteitem action to index.php. | ||
| CVE-2018-11680 | Med | 0.42 | 6.5 | 0.00 | Jun 2, 2018 | An issue was discovered in CmsEasy 6.1_20180508. There is a CSRF vulnerability in the rich text editor that can add an IFRAME element. This might be used in a DoS attack if a referenced remote URL is refreshed at a rapid rate. | ||
| CVE-2018-11633 | Med | 0.42 | 6.5 | 0.01 | May 31, 2018 | An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings. The function… | ||
| CVE-2018-11632 | Med | 0.42 | 6.5 | 0.01 | May 31, 2018 | An issue was discovered in the MULTIDOTS Add Social Share Messenger Buttons Whatsapp and Viber plugin 1.0.8 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the… | ||
| CVE-2018-11096 | Med | 0.42 | 6.5 | 0.01 | May 21, 2018 | Horse Market Sell & Rent Portal Script 1.5.7 has a CSRF vulnerability through which an attacker can change all of the target's account information remotely. | ||
| CVE-2018-11127 | Med | 0.42 | 6.5 | 0.01 | May 15, 2018 | e107 2.1.7 has CSRF resulting in arbitrary user deletion. | ||
| CVE-2018-11003 | Med | 0.42 | 6.5 | 0.01 | May 12, 2018 | An issue was discovered in YXcms 1.4.7. Cross-site request forgery (CSRF) vulnerability in protected/apps/admin/controller/adminController.php allows remote attackers to delete administrator accounts via index.php?r=admin/admin/admindel. | ||
| CVE-2018-10758 | Med | 0.42 | 6.5 | 0.00 | May 5, 2018 | The edit/ URI in Datenstrom Yellow 0.7.3 has CSRF via a delete action that can delete articles. | ||
| CVE-2018-10248 | Med | 0.42 | 6.5 | 0.01 | Apr 20, 2018 | An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can delete any article via index.php?m=content&f=content&v=recycle_delete. | ||
| CVE-2014-2675 | Med | 0.42 | 6.5 | 0.01 | Mar 19, 2018 | Cross-site request forgery (CSRF) vulnerability in inc/AdminPage.php in the WP HTML Sitemap plugin 1.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete the sitemap via a request to the wp-html-sitemap page in… | ||
| CVE-2017-18033 | Med | 0.42 | 6.5 | 0.01 | Jan 18, 2018 | The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery (CSRF) vulnerabilities. | ||
| CVE-2018-0785 | Med | 0.42 | 6.5 | 0.03 | Jan 10, 2018 | ASP.NET Core 1.0. 1.1, and 2.0 allow a cross site request forgery vulnerability due to the ASP.NET Core project templates, aka "ASP.NET Core Cross Site Request Forgery Vulnerability". | ||
| CVE-2018-5301 | — | Med | 0.42 | 6.5 | 0.00 | Jan 8, 2018 | Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have CSRF resulting in deletion of a customer address from an address book, aka APPSEC-1433. | |
| CVE-2017-1000224 | Med | 0.42 | 6.5 | 0.01 | Nov 17, 2017 | CSRF in YouTube (WordPress plugin) could allow unauthenticated attacker to change any setting within the plugin | ||
| CVE-2017-1000085 | Med | 0.42 | 6.5 | 0.01 | Oct 5, 2017 | Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web… |
- risk 0.42cvss 7.5epss 0.01
An exposure of sensitive information vulnerability exists in Jenkins SaltStack Plugin 3.1.6 and earlier in SaltAPIBuilder.java, SaltAPIStep.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins.
- risk 0.42cvss 6.5epss 0.01
Cross-site request forgery (CSRF) vulnerability in TOPdesk before 8.05.017 (June 2018 version) and before 5.7.SR9 allows remote attackers to hijack the authentication of authenticated users for requests that can obtain sensitive information via unspecified vectors.
- risk 0.42cvss 6.5epss 0.00
EasyCMS 1.3 has CSRF via the index.php?s=/admin/user/delAll URI to delete users.
- risk 0.42cvss 6.5epss 0.00
WP User Groups version 2.0.0 contains a Cross ite Request Forgery (CSRF) vulnerability in Settings page that can result in allows anybody to modify user groups and types. This attack appear to be exploitable via Admin must click on link. This vulnerability appears to have been…
- risk 0.42cvss 6.5epss 0.01
Tooltipy (tooltips for WP) version 5 contains a Cross ite Request Forgery (CSRF) vulnerability in Settings page that can result in could allow anybody to duplicate posts. This attack appear to be exploitable via Admin must follow a link. This vulnerability appears to have been…
- risk 0.42cvss 6.5epss 0.00
An issue was discovered in AKCMS 6.1. CSRF can delete an article via an admincp deleteitem action to index.php.
- risk 0.42cvss 6.5epss 0.00
An issue was discovered in CmsEasy 6.1_20180508. There is a CSRF vulnerability in the rich text editor that can add an IFRAME element. This might be used in a DoS attack if a referenced remote URL is refreshed at a rapid rate.
- risk 0.42cvss 6.5epss 0.01
An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings. The function…
- risk 0.42cvss 6.5epss 0.01
An issue was discovered in the MULTIDOTS Add Social Share Messenger Buttons Whatsapp and Viber plugin 1.0.8 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the…
- risk 0.42cvss 6.5epss 0.01
Horse Market Sell & Rent Portal Script 1.5.7 has a CSRF vulnerability through which an attacker can change all of the target's account information remotely.
- risk 0.42cvss 6.5epss 0.01
e107 2.1.7 has CSRF resulting in arbitrary user deletion.
- risk 0.42cvss 6.5epss 0.01
An issue was discovered in YXcms 1.4.7. Cross-site request forgery (CSRF) vulnerability in protected/apps/admin/controller/adminController.php allows remote attackers to delete administrator accounts via index.php?r=admin/admin/admindel.
- risk 0.42cvss 6.5epss 0.00
The edit/ URI in Datenstrom Yellow 0.7.3 has CSRF via a delete action that can delete articles.
- risk 0.42cvss 6.5epss 0.01
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can delete any article via index.php?m=content&f=content&v=recycle_delete.
- risk 0.42cvss 6.5epss 0.01
Cross-site request forgery (CSRF) vulnerability in inc/AdminPage.php in the WP HTML Sitemap plugin 1.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete the sitemap via a request to the wp-html-sitemap page in…
- risk 0.42cvss 6.5epss 0.01
The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery (CSRF) vulnerabilities.
- risk 0.42cvss 6.5epss 0.03
ASP.NET Core 1.0. 1.1, and 2.0 allow a cross site request forgery vulnerability due to the ASP.NET Core project templates, aka "ASP.NET Core Cross Site Request Forgery Vulnerability".
- risk 0.42cvss 6.5epss 0.00
Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have CSRF resulting in deletion of a customer address from an address book, aka APPSEC-1433.
- risk 0.42cvss 6.5epss 0.01
CSRF in YouTube (WordPress plugin) could allow unauthenticated attacker to change any setting within the plugin
- risk 0.42cvss 6.5epss 0.01
Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web…