VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 137 of 286
  • CVE-2018-7724MedMar 6, 2018
    risk 0.35cvss 5.4epss 0.00

    The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible.

  • CVE-2018-0146MedFeb 22, 2018
    risk 0.35cvss 5.4epss 0.00

    A vulnerability in the Cisco Data Center Analytics Framework application could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to improper CSRF protection by the affected application.…

  • CVE-2017-6819MedMar 12, 2017
    risk 0.35cvss 6.5epss 0.02

    In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This.

  • CVE-2015-5037MedJan 3, 2016
    risk 0.35cvss 5.4epss 0.00

    Cross-site request forgery (CSRF) vulnerability in IBM Connections 3.x before 3.0.1.1 CR3, 4.0 before CR4, 4.5 before CR5, and 5.0 before CR3 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.

  • CVE-2016-20083MedJun 15, 2026
    risk 0.34cvss 5.3epss 0.00

    WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Attackers can craft malicious web pages that trick logged-in administrators into adding or deleting…

  • CVE-2018-25435MedJun 1, 2026
    risk 0.34cvss 5.3epss 0.00

    ZeusCart 4.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of victims by crafting malicious requests. Attackers can deactivate customer accounts via the admin interface by tricking users into visiting…

  • CVE-2018-25397MedMay 29, 2026
    risk 0.34cvss 5.3epss 0.00

    PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that automatically…

  • CVE-2018-25387MedMay 29, 2026
    risk 0.34cvss 5.3epss 0.00

    HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft malicious forms targeting the aksi_user.php script with parameters like…

  • CVE-2026-49001MedMay 27, 2026
    risk 0.34cvss 5.3epss 0.00

    Cross-site request forgery (CSRF) vulnerabilities allow attackers to exploit a user's authenticated session to forge cross-site requests, inducing the execution of unintended operations such as tampering with configuration data.

  • CVE-2018-25336MedMay 17, 2026
    risk 0.34cvss 5.3epss 0.00

    jCart for OpenCart 2.3.0.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information without authentication. Attackers can craft malicious HTML forms targeting endpoints , and to change user credentials, passwords, and affiliate…

  • CVE-2018-25327MedMay 17, 2026
    risk 0.34cvss 5.3epss 0.00

    Joomla! Component Js Jobs 1.2.0 contains a cross-site request forgery vulnerability that allows attackers to perform state-changing actions without token validation. Attackers can craft malicious HTML forms targeting administrative endpoints like job.jobenforcedelete to delete…

  • CVE-2020-37241MedMay 16, 2026
    risk 0.34cvss 5.3epss 0.00

    bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Attackers can craft hidden forms targeting the admin user creation endpoint to add new…

  • CVE-2021-47946MedMay 10, 2026
    risk 0.34cvss 5.3epss 0.00

    OpenCart 3.0.3.6 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiting malicious pages. Attackers can craft CSRF payloads that change victim email…

  • CVE-2018-25298MedApr 29, 2026
    risk 0.34cvss 5.3epss 0.00

    Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Attackers can submit POST requests to /servlet/actions/merge-viewer/summary with login…

  • CVE-2026-6777MedApr 21, 2026
    risk 0.34cvss 5.3epss 0.00

    Other issue in the Networking: DNS component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

  • CVE-2016-20053MedApr 4, 2026
    risk 0.34cvss 5.3epss 0.00

    Redaxo CMS 5.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the users endpoint…

  • CVE-2016-20051MedApr 4, 2026
    risk 0.34cvss 5.3epss 0.00

    Snews CMS 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials without authentication by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form…

  • CVE-2018-25177MedMar 6, 2026
    risk 0.34cvss 5.3epss 0.00

    Data Center Audit 2.6.2 contains a cross-site request forgery vulnerability that allows attackers to reset administrator passwords without authentication by submitting crafted POST requests. Attackers can send requests to dca_resetpw.php with parameters updateuser, pass, pass2,…

  • CVE-2018-25174MedMar 6, 2026
    risk 0.34cvss 5.3epss 0.00

    ABC ERP 0.6.4 contains a cross-site request forgery vulnerability that allows attackers to modify administrator credentials by submitting forged requests to _configurar_perfil.php. Attackers can craft malicious forms or links containing parameters like usuario, contrasena1,…

  • CVE-2020-37106MedFeb 7, 2026
    risk 0.34cvss 5.3epss 0.00

    Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation…