VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Abstraction: Compound · Status: Stable · Likelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 13 of 286
  • CVE-2023-49372 · High · Dec 5, 2023
    risk 0.57 · cvss 8.8 · epss 0.00

    JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/slide/save.

  • CVE-2023-49673 · High · Nov 29, 2023
    risk 0.57 · cvss 8.8 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password.

  • CVE-2023-49655 · High · Nov 29, 2023
    risk 0.57 · cvss 8.8 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins MATLAB Plugin 2.11.0 and earlier allows attackers to have Jenkins parse an XML file from the Jenkins controller file system.

  • CVE-2023-2497 · High · Nov 22, 2023
    risk 0.57 · cvss 8.8 · epss 0.00

    The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'import_settings' function. This makes it possible for unauthenticated attackers to exploit PHP…

  • CVE-2023-2440 · High · Nov 22, 2023
    risk 0.57 · cvss 8.8 · epss 0.00

    The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing nonce validation in the 'admin_page', 'userpro_verify_user' and 'verifyUnverifyAllUsers' functions. This makes it possible for…

  • CVE-2023-6196 · High · Nov 20, 2023
    risk 0.57 · cvss 8.8 · epss 0.00

    The Audio Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.4. This is due to missing or incorrect nonce validation on the function audio_merchant_add_audio_file function. This makes it possible for…

  • CVE-2022-2441 · High · Oct 20, 2023
    risk 0.57 · cvss 8.8 · epss 0.01

    The ImageMagick Engine plugin for WordPress is vulnerable to remote code execution via the 'cli_path' parameter in versions up to, and including 1.7.5. This makes it possible for unauthenticated users to run arbitrary commands leading to remote command execution, granted they…

  • CVE-2023-43500 · High · Sep 20, 2023
    risk 0.57 · cvss 8.8 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password.

  • CVE-2023-4916 · High · Sep 13, 2023
    risk 0.57 · cvss 8.8 · epss 0.00

    The Login with phone number plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.6. This is due to missing nonce validation on the 'lwp_update_password_action' function. This makes it possible for unauthenticated attackers to…

  • CVE-2023-40341 · High · Aug 16, 2023
    risk 0.57 · cvss 8.8 · epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job.

  • CVE-2023-40336 · High · Aug 16, 2023
    risk 0.57 · cvss 8.8 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy folders.

  • CVE-2020-24922 · High · Aug 11, 2023
    risk 0.57 · cvss 8.8 · epss 0.00

    Cross Site Request Forgery (CSRF) vulnerability in xxl-job-admin/user/add in xuxueli xxl-job version 2.2.0, allows remote attackers to execute arbitrary code and escalate privileges via crafted .html file.

  • CVE-2023-4277 · High · Aug 10, 2023
    risk 0.57 · cvss 8.8 · epss 0.00

    The Realia plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.0. This is due to missing nonce validation on the 'process_change_profile_form' function. This makes it possible for unauthenticated attackers to change user email…

  • CVE-2023-4276 · High · Aug 10, 2023
    risk 0.57 · cvss 8.8 · epss 0.00

    The Absolute Privacy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1. This is due to missing nonce validation on the 'abpr_profileShortcode' function. This makes it possible for unauthenticated attackers to change user email…

  • CVE-2023-38759 · High · Aug 8, 2023
    risk 0.57 · cvss 8.8 · epss 0.00

    Cross Site Request Forgery (CSRF) vulnerability in wger Project wger Workout Manager 2.2.0a3 allows a remote attacker to gain privileges via the user-management feature in the gym/views/gym.py, templates/gym/reset_user_password.html, templates/user/overview.html,…

  • CVE-2023-37650 · High · Jul 20, 2023
    risk 0.57 · cvss 8.8 · epss 0.00

    A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands.

  • CVE-2023-37964 · High · Jul 12, 2023
    risk 0.57 · cvss 8.8 · epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins ElasticBox CI Plugin 5.0.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2023-37962 · High · Jul 12, 2023
    risk 0.57 · cvss 8.8 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier allows attackers to connect to an attacker-specified URL and to check for the existence of directories, `.csv`, and `.ycsb` files on the Jenkins controller file system.

  • CVE-2023-37961 · High · Jul 12, 2023
    risk 0.57 · cvss 8.8 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Assembla Auth Plugin 1.14 and earlier allows attackers to trick users into logging in to the attacker's account.

  • CVE-2023-37958 · High · Jul 12, 2023
    risk 0.57 · cvss 8.8 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Sumologic Publisher Plugin 2.2.1 and earlier allows attackers to connect to an attacker-specified URL.