VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 15 of 286
  • CVE-2023-24447HigJan 26, 2023
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier allows attackers to connect to an attacker-specified AMQP(S) URL using attacker-specified username and password.

  • CVE-2023-24446HigJan 26, 2023
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in to the attacker's account.

  • CVE-2023-24437HigJan 26, 2023
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials…

  • CVE-2023-24434HigJan 26, 2023
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2023-24432HigJan 26, 2023
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2022-43719HigJan 16, 2023
    risk 0.57cvss 8.8epss 0.01

    Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

  • CVE-2023-0294HigJan 13, 2023
    risk 0.57cvss 8.8epss 0.00

    The Mediamatic – Media Library Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.8.1. This is due to missing or incorrect nonce validation on its AJAX actions function. This makes it possible for unauthenticated…

  • CVE-2023-0088HigJan 5, 2023
    risk 0.57cvss 8.8epss 0.01

    The Swifty Page Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on several AJAX actions handling page creation and deletion among other things. This makes it…

  • CVE-2022-3427HigDec 15, 2022
    risk 0.57cvss 8.8epss 0.01

    The Corner Ad plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.56. This is due to missing or incorrect nonce validation on its corner_ad_settings_page function. This makes it possible for unauthenticated attackers to trigger…

  • CVE-2022-3898HigNov 29, 2022
    risk 0.57cvss 8.8epss 0.00

    The WP Affiliate Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.9. This is due to missing or incorrect nonce validation on various functions including the affiliates_menu method. This makes it possible for…

  • CVE-2022-3747HigNov 29, 2022
    risk 0.57cvss 8.8epss 0.01

    The Becustom plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.5.2. This is due to missing nonce validation when saving the plugin's settings. This makes it possible for unauthenticated attackers to update the plugin's…

  • CVE-2022-41925HigNov 23, 2022
    risk 0.57cvss 8.8epss 0.01

    A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled…

  • CVE-2022-4021HigNov 16, 2022
    risk 0.57cvss 8.8epss 0.00

    The Permalink Manager Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.20.1. This is due to missing or incorrect nonce validation on the extra_actions function. This makes it possible for unauthenticated attackers to…

  • CVE-2022-3240HigNov 15, 2022
    risk 0.57cvss 8.8epss 0.01

    The "Follow Me Plugin" plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1.1. This is due to missing nonce validation on the FollowMeIgniteSocialMedia_options_page() function. This makes it possible for unauthenticated attackers…

  • CVE-2022-3852HigNov 3, 2022
    risk 0.57cvss 8.8epss 0.00

    The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.3. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to delete, and modify…

  • CVE-2022-3776HigNov 3, 2022
    risk 0.57cvss 8.8epss 0.00

    The Restaurant Menu – Food Ordering System – Table Reservation plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.1. This is due to missing or incorrect nonce validation on several functions called via AJAX actions such as…

  • CVE-2022-41253HigSep 21, 2022
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins CONS3RT Plugin 1.0.0 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2022-41249HigSep 21, 2022
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2022-41245HigSep 21, 2022
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored…

  • CVE-2022-41236HigSep 21, 2022
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Security Inspector Plugin 117.v6eecc36919c2 and earlier allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users at the .../report URL with a report based on…