CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 108 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-2965 | Med | 0.42 | 6.5 | 0.01 | Aug 29, 2017 | IBM Sametime Meeting Server 8.5.2 and 9.0 is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading a user to visit a malicious link, a remote attacker could force the user to log out of Sametime. IBM X-Force ID: 113846. | ||
| CVE-2016-0356 | Med | 0.42 | 6.5 | 0.01 | Aug 29, 2017 | IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user that has been invited to a Sametime meeting room, to cause the screen sharing to cease through the use of cross-site request forgery. IBM X-Force ID: 111895. | ||
| CVE-2016-0355 | Med | 0.42 | 6.5 | 0.01 | Aug 29, 2017 | IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user that has been invited to a Sametime meeting room, to cause the screen sharing to cease through the use of cross-site request forgery. IBM X-Force ID: 111894. | ||
| CVE-2017-8875 | Med | 0.42 | 6.5 | 0.01 | May 10, 2017 | CSRF in the Clean Login plugin before 1.8 for WordPress allows remote attackers to change the login redirect URL or logout redirect URL. | ||
| CVE-2017-8848 | Med | 0.42 | 6.5 | 0.00 | May 8, 2017 | Allen Disk 1.6 has CSRF in setpass.php with an impact of changing a password. | ||
| CVE-2017-8100 | Med | 0.42 | 6.5 | 0.01 | Apr 24, 2017 | There is CSRF in the CopySafe Web Protection plugin before 2.6 for WordPress, allowing attackers to change plugin settings. | ||
| CVE-2017-8098 | Med | 0.42 | 6.5 | 0.01 | Apr 24, 2017 | e107 2.1.4 is vulnerable to cross-site request forgery in plugin-installing, meta-changing, and settings-changing. A malicious web page can use forged requests to make e107 download and install a plug-in provided by the attacker. | ||
| CVE-2017-8082 | Med | 0.42 | 6.5 | 0.01 | Apr 24, 2017 | concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/files/importers/imageeditor?fID=1&imgData= URI. This results… | ||
| CVE-2017-3877 | Med | 0.42 | 6.5 | 0.01 | Mar 17, 2017 | A vulnerability in the web framework of Cisco Unified Communications Manager (CallManager) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of the web interface of the affected software. More Information:… | ||
| CVE-2016-6454 | Med | 0.42 | 6.5 | 0.01 | Nov 3, 2016 | A cross-site request forgery (CSRF) vulnerability in the web interface of the Cisco Hosted Collaboration Mediation Fulfillment application could allow an unauthenticated, remote attacker to execute unwanted actions. More Information: CSCva54241. Known Affected Releases: 11.5(1).… | ||
| CVE-2009-3022 | Med | 0.42 | 6.5 | 0.01 | Aug 31, 2009 | Cross-site request forgery (CSRF) vulnerability in bingo!CMS 1.2 and earlier allows remote attackers to hijack the authentication of other users for requests that modify configuration or change content via unspecified vectors. | ||
| CVE-2005-2059 | Med | 0.42 | 6.5 | 0.01 | Jun 29, 2005 | Multiple cross-site request forgery (CSRF) vulnerabilities in (1) addaddress.php, (2) toggleignore.php, (3) removeignore.php, and (4) removeaddress.php in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to modify settings as another user via a link or IMG tag. | ||
| CVE-2026-39170 | Med | 0.41 | 6.3 | 0.00 | Jun 9, 2026 | SemCms 5.0 is vulnerable to Cross Site Request Forgery (CSRF) via crafted POST request to /admin/semcms_user.php. | ||
| CVE-2026-30498 | Med | 0.41 | 6.3 | 0.00 | May 27, 2026 | A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the delete.php endpoint of Jason2605 AdminPanel 4.0. | ||
| CVE-2026-31014 | Med | 0.41 | 6.3 | 0.00 | Apr 21, 2026 | Dovestones Softwares AD Self Update <4.0.0.5 is vulnerable to Cross Site Request Forgery (CSRF). The affected endpoint processes state-changing requests without requiring a CSRF token or equivalent protection. The endpoint accepts application/x-www-form-urlencoded requests, and… | ||
| CVE-2025-54390 | Med | 0.41 | 6.3 | 0.00 | Sep 17, 2025 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the ResetPasswordRequest operation of Zimbra Collaboration (ZCS) when the zimbraFeatureResetPasswordStatus attribute is enabled. An attacker can exploit this by tricking an authenticated user into visiting a malicious… | ||
| CVE-2025-30981 | Med | 0.41 | 6.3 | 0.00 | Jun 6, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in tggfref WP-Recall allows Privilege Escalation. This issue affects WP-Recall: from n/a through 16.26.14. | ||
| CVE-2025-46743 | — | Med | 0.41 | 6.3 | 0.00 | May 12, 2025 | An authenticated user's token could be used by another source after the user had logged out prior to the token expiring. | |
| CVE-2024-28141 | Med | 0.41 | 6.3 | 0.00 | Dec 11, 2024 | The web application is not protected against cross-site request forgery attacks. Therefore, an attacker can trick users into performing actions on the application when they visit an attacker-controlled website or click on a malicious link. E.g. an attacker can forge malicious… | ||
| CVE-2024-52392 | Med | 0.41 | 6.3 | 0.00 | Nov 19, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in w3speedster W3SPEEDSTER w3speedster-wp.This issue affects W3SPEEDSTER: from n/a through <= 7.25. |
- risk 0.42cvss 6.5epss 0.01
IBM Sametime Meeting Server 8.5.2 and 9.0 is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading a user to visit a malicious link, a remote attacker could force the user to log out of Sametime. IBM X-Force ID: 113846.
- risk 0.42cvss 6.5epss 0.01
IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user that has been invited to a Sametime meeting room, to cause the screen sharing to cease through the use of cross-site request forgery. IBM X-Force ID: 111895.
- risk 0.42cvss 6.5epss 0.01
IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user that has been invited to a Sametime meeting room, to cause the screen sharing to cease through the use of cross-site request forgery. IBM X-Force ID: 111894.
- risk 0.42cvss 6.5epss 0.01
CSRF in the Clean Login plugin before 1.8 for WordPress allows remote attackers to change the login redirect URL or logout redirect URL.
- risk 0.42cvss 6.5epss 0.00
Allen Disk 1.6 has CSRF in setpass.php with an impact of changing a password.
- risk 0.42cvss 6.5epss 0.01
There is CSRF in the CopySafe Web Protection plugin before 2.6 for WordPress, allowing attackers to change plugin settings.
- risk 0.42cvss 6.5epss 0.01
e107 2.1.4 is vulnerable to cross-site request forgery in plugin-installing, meta-changing, and settings-changing. A malicious web page can use forged requests to make e107 download and install a plug-in provided by the attacker.
- risk 0.42cvss 6.5epss 0.01
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/files/importers/imageeditor?fID=1&imgData= URI. This results…
- risk 0.42cvss 6.5epss 0.01
A vulnerability in the web framework of Cisco Unified Communications Manager (CallManager) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of the web interface of the affected software. More Information:…
- risk 0.42cvss 6.5epss 0.01
A cross-site request forgery (CSRF) vulnerability in the web interface of the Cisco Hosted Collaboration Mediation Fulfillment application could allow an unauthenticated, remote attacker to execute unwanted actions. More Information: CSCva54241. Known Affected Releases: 11.5(1).…
- risk 0.42cvss 6.5epss 0.01
Cross-site request forgery (CSRF) vulnerability in bingo!CMS 1.2 and earlier allows remote attackers to hijack the authentication of other users for requests that modify configuration or change content via unspecified vectors.
- risk 0.42cvss 6.5epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) addaddress.php, (2) toggleignore.php, (3) removeignore.php, and (4) removeaddress.php in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to modify settings as another user via a link or IMG tag.
- risk 0.41cvss 6.3epss 0.00
SemCms 5.0 is vulnerable to Cross Site Request Forgery (CSRF) via crafted POST request to /admin/semcms_user.php.
- risk 0.41cvss 6.3epss 0.00
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the delete.php endpoint of Jason2605 AdminPanel 4.0.
- risk 0.41cvss 6.3epss 0.00
Dovestones Softwares AD Self Update <4.0.0.5 is vulnerable to Cross Site Request Forgery (CSRF). The affected endpoint processes state-changing requests without requiring a CSRF token or equivalent protection. The endpoint accepts application/x-www-form-urlencoded requests, and…
- risk 0.41cvss 6.3epss 0.00
A Cross-Site Request Forgery (CSRF) vulnerability exists in the ResetPasswordRequest operation of Zimbra Collaboration (ZCS) when the zimbraFeatureResetPasswordStatus attribute is enabled. An attacker can exploit this by tricking an authenticated user into visiting a malicious…
- risk 0.41cvss 6.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in tggfref WP-Recall allows Privilege Escalation. This issue affects WP-Recall: from n/a through 16.26.14.
- risk 0.41cvss 6.3epss 0.00
An authenticated user's token could be used by another source after the user had logged out prior to the token expiring.
- risk 0.41cvss 6.3epss 0.00
The web application is not protected against cross-site request forgery attacks. Therefore, an attacker can trick users into performing actions on the application when they visit an attacker-controlled website or click on a malicious link. E.g. an attacker can forge malicious…
- risk 0.41cvss 6.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in w3speedster W3SPEEDSTER w3speedster-wp.This issue affects W3SPEEDSTER: from n/a through <= 7.25.