VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 136 of 286
  • CVE-2021-22512MedApr 8, 2021
    risk 0.35cvss 6.5epss 0.01

    Cross-Site Request Forgery (CSRF) vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow form validation without permission checks.

  • CVE-2020-12480MedAug 17, 2020
    risk 0.35cvss 6.5epss 0.01

    In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.

  • CVE-2020-2192MedJun 3, 2020
    risk 0.35cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier allows attackers to add or remove agent labels.

  • CVE-2019-7947MedAug 2, 2019
    risk 0.35cvss 6.5epss 0.00

    A cross-site request forgery vulnerability exists in the GiftCardAccount removal feature for Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

  • CVE-2019-7874MedAug 2, 2019
    risk 0.35cvss 6.5epss 0.00

    A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of user roles.

  • CVE-2019-7851MedAug 2, 2019
    risk 0.35cvss 6.5epss 0.00

    A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unintended data deletion from customer pages.

  • CVE-2019-10324MedMay 31, 2019
    risk 0.35cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ReleaseAction#doSubmit, GradleReleaseApiAction#doStaging, MavenReleaseApiAction#doStaging, and UnifiedPromoteBuildAction#doSubmit allowed attackers to schedule a release build, perform…

  • CVE-2019-10307MedApr 30, 2019
    risk 0.35cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers to change the per-job default graph configuration for all users.

  • CVE-2019-10304MedApr 18, 2019
    risk 0.35cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-1003098MedApr 4, 2019
    risk 0.35cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-1003092MedApr 4, 2019
    risk 0.35cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-1003084MedApr 4, 2019
    risk 0.35cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-1003046MedMar 28, 2019
    risk 0.35cvss 6.5epss 0.01

    A cross-site request forgery vulnerability in Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier allows attackers to initiate a connection to an attacker-specified server.

  • CVE-2019-1003012MedFeb 6, 2019
    risk 0.35cvss 6.5epss 0.01

    A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js,…

  • CVE-2018-1000411MedJan 9, 2019
    risk 0.35cvss 6.5epss 0.01

    A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result.

  • CVE-2018-18921MedDec 18, 2018
    risk 0.35cvss 6.5epss 0.01

    PHP Server Monitor before 3.3.2 has CSRF, as demonstrated by a Delete action.

  • CVE-2016-7067MedSep 10, 2018
    risk 0.35cvss 6.5epss 0.01

    Monit before version 5.20.0 is vulnerable to a cross site request forgery attack. Successful exploitation will enable an attacker to disable/enable all monitoring for a particular host or disable/enable monitoring for a specific service.

  • CVE-2018-10806MedMay 8, 2018
    risk 0.35cvss 5.4epss 0.00

    An issue was discovered in Frog CMS 0.9.5. There is a reflected Cross Site Scripting Vulnerability via the file[current_name] parameter to the admin/?/plugin/file_manager/rename URI. This can be used in conjunction with CSRF.

  • CVE-2018-10554MedApr 30, 2018
    risk 0.35cvss 5.4epss 0.03

    An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime.php, related to the update_pages…

  • CVE-2018-0216MedMar 8, 2018
    risk 0.35cvss 5.4epss 0.01

    A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to…