VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 108 of 286
  • CVE-2016-2965MedAug 29, 2017
    risk 0.42cvss 6.5epss 0.01

    IBM Sametime Meeting Server 8.5.2 and 9.0 is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading a user to visit a malicious link, a remote attacker could force the user to log out of Sametime. IBM X-Force ID: 113846.

  • CVE-2016-0356MedAug 29, 2017
    risk 0.42cvss 6.5epss 0.01

    IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user that has been invited to a Sametime meeting room, to cause the screen sharing to cease through the use of cross-site request forgery. IBM X-Force ID: 111895.

  • CVE-2016-0355MedAug 29, 2017
    risk 0.42cvss 6.5epss 0.01

    IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user that has been invited to a Sametime meeting room, to cause the screen sharing to cease through the use of cross-site request forgery. IBM X-Force ID: 111894.

  • CVE-2017-8875MedMay 10, 2017
    risk 0.42cvss 6.5epss 0.01

    CSRF in the Clean Login plugin before 1.8 for WordPress allows remote attackers to change the login redirect URL or logout redirect URL.

  • CVE-2017-8848MedMay 8, 2017
    risk 0.42cvss 6.5epss 0.00

    Allen Disk 1.6 has CSRF in setpass.php with an impact of changing a password.

  • CVE-2017-8100MedApr 24, 2017
    risk 0.42cvss 6.5epss 0.01

    There is CSRF in the CopySafe Web Protection plugin before 2.6 for WordPress, allowing attackers to change plugin settings.

  • CVE-2017-8098MedApr 24, 2017
    risk 0.42cvss 6.5epss 0.01

    e107 2.1.4 is vulnerable to cross-site request forgery in plugin-installing, meta-changing, and settings-changing. A malicious web page can use forged requests to make e107 download and install a plug-in provided by the attacker.

  • CVE-2017-8082MedApr 24, 2017
    risk 0.42cvss 6.5epss 0.01

    concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/files/importers/imageeditor?fID=1&imgData= URI. This results…

  • CVE-2017-3877MedMar 17, 2017
    risk 0.42cvss 6.5epss 0.01

    A vulnerability in the web framework of Cisco Unified Communications Manager (CallManager) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of the web interface of the affected software. More Information:…

  • CVE-2016-6454MedNov 3, 2016
    risk 0.42cvss 6.5epss 0.01

    A cross-site request forgery (CSRF) vulnerability in the web interface of the Cisco Hosted Collaboration Mediation Fulfillment application could allow an unauthenticated, remote attacker to execute unwanted actions. More Information: CSCva54241. Known Affected Releases: 11.5(1).…

  • CVE-2009-3022MedAug 31, 2009
    risk 0.42cvss 6.5epss 0.01

    Cross-site request forgery (CSRF) vulnerability in bingo!CMS 1.2 and earlier allows remote attackers to hijack the authentication of other users for requests that modify configuration or change content via unspecified vectors.

  • CVE-2005-2059MedJun 29, 2005
    risk 0.42cvss 6.5epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in (1) addaddress.php, (2) toggleignore.php, (3) removeignore.php, and (4) removeaddress.php in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to modify settings as another user via a link or IMG tag.

  • CVE-2026-39170MedJun 9, 2026
    risk 0.41cvss 6.3epss 0.00

    SemCms 5.0 is vulnerable to Cross Site Request Forgery (CSRF) via crafted POST request to /admin/semcms_user.php.

  • CVE-2026-30498MedMay 27, 2026
    risk 0.41cvss 6.3epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the delete.php endpoint of Jason2605 AdminPanel 4.0.

  • CVE-2026-31014MedApr 21, 2026
    risk 0.41cvss 6.3epss 0.00

    Dovestones Softwares AD Self Update <4.0.0.5 is vulnerable to Cross Site Request Forgery (CSRF). The affected endpoint processes state-changing requests without requiring a CSRF token or equivalent protection. The endpoint accepts application/x-www-form-urlencoded requests, and…

  • CVE-2025-54390MedSep 17, 2025
    risk 0.41cvss 6.3epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability exists in the ResetPasswordRequest operation of Zimbra Collaboration (ZCS) when the zimbraFeatureResetPasswordStatus attribute is enabled. An attacker can exploit this by tricking an authenticated user into visiting a malicious…

  • CVE-2025-30981MedJun 6, 2025
    risk 0.41cvss 6.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in tggfref WP-Recall allows Privilege Escalation. This issue affects WP-Recall: from n/a through 16.26.14.

  • CVE-2025-46743MedMay 12, 2025
    risk 0.41cvss 6.3epss 0.00

    An authenticated user's token could be used by another source after the user had logged out prior to the token expiring.

  • CVE-2024-28141MedDec 11, 2024
    risk 0.41cvss 6.3epss 0.00

    The web application is not protected against cross-site request forgery attacks. Therefore, an attacker can trick users into performing actions on the application when they visit an attacker-controlled website or click on a malicious link. E.g. an attacker can forge malicious…

  • CVE-2024-52392MedNov 19, 2024
    risk 0.41cvss 6.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in w3speedster W3SPEEDSTER w3speedster-wp.This issue affects W3SPEEDSTER: from n/a through <= 7.25.