VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Compound · Stable · Likelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 19 of 286
  • CVE-2019-10386 · High · Aug 7, 2019
    risk 0.57 · cvss 8.8 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through…

  • CVE-2019-10368 · High · Aug 7, 2019
    risk 0.57 · cvss 8.8 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using…

  • CVE-2019-1010054 · High · Jul 18, 2019
    risk 0.57 · cvss 8.8 · epss 0.02

    Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malicious html to change user password, disable users and disable password encryption. The component is: Function User password change, user disable and password encryption. The attack…

  • CVE-2019-13611 · High · Jul 16, 2019
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted.

  • CVE-2019-12466 · High · Jul 10, 2019
    risk 0.57 · cvss 8.8 · epss 0.01

    Wikimedia MediaWiki through 1.32.1 allows CSRF.

  • CVE-2019-10338 · High · Jun 11, 2019
    risk 0.57 · cvss 8.8 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed attackers to have Jenkins connect to an attacker-specified Kubernetes server, potentially leaking credentials.

  • CVE-2019-10315 · High · Apr 30, 2019
    risk 0.57 · cvss 8.8 · epss 0.02

    Jenkins GitHub Authentication Plugin 0.31 and earlier did not use the state parameter of OAuth to prevent CSRF.

  • CVE-2019-10310 · High · Apr 30, 2019
    risk 0.57 · cvss 8.8 · epss 0.02

    A cross-site request forgery vulnerability in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers permission to connect to an attacker-specified URL using…

  • CVE-2019-0229 · High · Apr 10, 2019
    risk 0.57 · cvss 8.8 · epss 0.01

    A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks.

  • CVE-2019-1003016 · High · Feb 6, 2019
    risk 0.57 · cvss 8.8 · epss 0.01

    An exposure of sensitive information vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/JobImportAction.java, src/main/java/org/jenkins/ci/plugins/jobimport/JobImportGlobalConfig.java,…

  • CVE-2019-1003008 · High · Feb 6, 2019
    risk 0.57 · cvss 8.8 · epss 0.01

    A cross-site request forgery vulnerability exists in Jenkins Warnings Next Generation Plugin 2.1.1 and earlier in src/main/java/io/jenkins/plugins/analysis/warnings/groovy/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint.

  • CVE-2018-19969 · High · Dec 11, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages,…

  • CVE-2018-18420 · High · Oct 19, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-Site Request Forgery (CSRF) vulnerability was discovered in the 8.3 version of Zenario Content Management System via the admin/organizer.ajax.php?path=zenario__content%2Fpanels%2Fcontent URI.

  • CVE-2018-18201 · High · Oct 9, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    qibosoft V7.0 allows CSRF via admin/index.php?lfj=member&action=addmember to add a user account.

  • CVE-2018-17858 · High · Oct 9, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in Joomla! before 3.8.13. com_installer actions do not have sufficient CSRF hardening in the backend.

  • CVE-2018-18191 · High · Oct 9, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in /admin.php?c=member&m=edit&uid=1 in dayrui FineCms 5.4 allows remote attackers to change the administrator's password.

  • CVE-2018-0451 · High · Oct 5, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability in the web-based management interface of Cisco Tetration Analytics could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient…

  • CVE-2018-0446 · High · Oct 5, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability in the web-based management interface of Cisco Industrial Network Director could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to…

  • CVE-2018-0445 · High · Oct 5, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability in the web-based management interface of Cisco Packaged Contact Center Enterprise could allow an unauthenticated, remote attacker to conduct a CSRF attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF…

  • CVE-2018-0439 · High · Oct 5, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability in the web-based management interface of Cisco Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF…