VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 142 of 286
  • CVE-2026-44347MedMay 12, 2026
    risk 0.31cvss 5.8epss 0.00

    Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, which makes it possible for an attacker to trick a user into logging into the attacker's account, possibly convincing them to perform…

  • CVE-2026-44695MedMay 11, 2026
    risk 0.31cvss 5.8epss 0.00

    Outline is a service that allows for collaborative documentation. Prior to 1.7.1, the Slack integration callback for GET /auth/slack.post accepts an unsigned, session-independent OAuth state value. A third party who can obtain a Slack OAuth code for the same Outline Slack client…

  • CVE-2025-48099MedOct 22, 2025
    risk 0.31cvss 4.7epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Code Amp Search & Filter search-filter allows Cross Site Request Forgery.This issue affects Search & Filter: from n/a through <= 1.2.17.

  • CVE-2024-56140MedDec 18, 2024
    risk 0.31cvss 5.9epss 0.00

    Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check.…

  • CVE-2021-27701MedNov 12, 2024
    risk 0.31cvss 4.7epss 0.00

    SOCIFI Socifi Guest wifi as SAAS is affected by Cross Site Request Forgery (CSRF) via the Socifi wifi portal. The application does not contain a CSRF token and request validation. An attacker can Add/Modify any random user data by sending a crafted CSRF request.

  • CVE-2024-48913MedOct 15, 2024
    risk 0.31cvss 5.9epss 0.00

    Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by a request without Content-Type header. Although the CSRF middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type…

  • CVE-2023-1604MedAug 17, 2024
    risk 0.31cvss 4.7epss 0.00

    The Short URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.8. This is due to missing or incorrect nonce validation on the configuration_page function. This makes it possible for unauthenticated attackers to add and import…

  • CVE-2024-7420MedAug 15, 2024
    risk 0.31cvss 5.8epss 0.00

    The Insert PHP Code Snippet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.6. This is due to missing or incorrect nonce validation in the /admin/snippets.php file. This makes it possible for unauthenticated attackers to…

  • CVE-2024-1501MedFeb 21, 2024
    risk 0.31cvss 4.7epss 0.00

    The Database Reset plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.22. This is due to missing or incorrect nonce validation on the install_wpr() function. This makes it possible for unauthenticated attackers to install the…

  • CVE-2022-45079MedMay 22, 2023
    risk 0.31cvss 4.7epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Softaculous Loginizer plugin <= 1.7.5 versions.

  • CVE-2022-35943MedAug 12, 2022
    risk 0.31cvss 5.9epss 0.00

    Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html)…

  • CVE-2020-28482MedJan 19, 2021
    risk 0.31cvss 5.9epss 0.01

    This affects the package fastify-csrf before 3.0.0. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: { path: '/', sameSite: true } 2. The CSRF token was available in the GET query parameter

  • CVE-2020-11003MedApr 14, 2020
    risk 0.31cvss 4.8epss 0.01

    Oasis before version 2.15.0 has a potential DNS rebinding or CSRF vulnerability. If you're running a vulnerable application on your computer and an attacker can trick you into visiting a malicious website, they could use DNS rebinding and CSRF attacks to read/write to vulnerable…

  • CVE-2017-16653MedAug 6, 2018
    risk 0.31cvss 5.9epss 0.01

    An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and…

  • CVE-2018-11448MedJun 26, 2018
    risk 0.31cvss 4.8epss 0.00

    A vulnerability has been identified in SCALANCE M875 (All versions). The web interface on port 443/tcp could allow a stored Cross-Site Scripting (XSS) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires that the attacker…

  • CVE-2016-8018MedMar 14, 2017
    risk 0.31cvss 4.3epss 0.02

    Cross-site request forgery (CSRF) vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows authenticated remote attackers to execute unauthorized commands via a crafted user input.

  • CVE-2022-44630MedJun 11, 2026
    risk 0.30cvss 4.6epss 0.00

    Cross-Site request forgery (CSRF) vulnerability in YITH YITH WooCommerce Product Slider Carousel allows Cross Site Request Forgery. This issue affects YITH WooCommerce Product Slider Carousel: from n/a through 1.16.0.

  • CVE-2025-64482MedNov 12, 2025
    risk 0.30cvss 4.6epss 0.00

    Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap Community Edition prior to version 16.13.99.1762267347 and Tuleap Enterprise Edition prior to versions 17.01-, 16.13-6, and 16.12-9 don't have cross-site request forgery…

  • CVE-2025-64117MedNov 12, 2025
    risk 0.30cvss 4.6epss 0.00

    Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap Community Edition prior to version 16.13.99.1761813675 and Tuleap Enterprise Edition prior to versions 16.13-5 and 16.12-8 don't have cross-site request forgery protection in…

  • CVE-2024-45161MedOct 29, 2025
    risk 0.30cvss 4.6epss 0.00

    A CSRF issue was discovered in the administrative web GUI in Blu-Castle BCUM221E 1.0.0P220507. This can be exploited via a URL, an image load, an XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.