CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

CWE-345

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (4,552)

page 19 of 228

CVE	Sev	Risk	CVSS	Published	Description
CVE-2016-4884	Hig	0.57	8.8	May 12, 2017	Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2016-4882	Hig	0.57	8.8	May 12, 2017	Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2016-4881	Hig	0.57	8.8	May 12, 2017	Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2016-4879	Hig	0.57	8.8	May 12, 2017	Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2016-4878	Hig	0.57	8.8	May 12, 2017	Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2016-4876	Hig	0.57	8.8	May 12, 2017	Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators to execute arbitrary PHP code via unspecified vectors.
CVE-2016-9092	Hig	0.57	8.8	May 11, 2017	The Symantec Content Analysis (CA) 1.3, 2.x prior to 2.2.1.1, and Mail Threat Defense (MTD) 1.1 management consoles are susceptible to a cross-site request forging (CSRF) vulnerability. A remote attacker can use phishing or other social engineering techniques to access the management console with the privileges of an authenticated administrator user.
CVE-2016-5889	Hig	0.57	8.8	May 10, 2017	IBM Interact 8.6, 9.0, 9.1, and 10.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 115085.
CVE-2017-8874	Hig	0.57	8.8	May 10, 2017	Multiple cross-site request forgery (CSRF) vulnerabilities in Mautic 1.4.1 allow remote attackers to hijack the authentication of users for requests that (1) delete email campaigns or (2) delete contacts.
CVE-2017-5891	Hig	0.57	8.8	May 10, 2017	ASUS RT-AC* and RT-N* devices with firmware before 3.0.0.4.380.7378 have Login Page CSRF and Save Settings CSRF.
CVE-2017-7431	Hig	0.57	8.8	May 3, 2017	Novell iManager 2.7.x before 2.7 SP7 Patch 10 HF1 and NetIQ iManager 3.x before 3.0.3.1 have persistent CSRF in object management.
CVE-2017-1194	Hig	0.57	8.8	Apr 28, 2017	IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 123669.
CVE-2017-2102	Hig	0.57	8.8	Apr 28, 2017	Cross-site request forgery (CSRF) vulnerability in Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3.0.0 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2017-2097	Hig	0.57	8.8	Apr 28, 2017	Cross-site request forgery (CSRF) vulnerability in Knowledge versions prior to v1.7.0 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2017-8101	Hig	0.57	8.8	Apr 24, 2017	There is CSRF in Serendipity 2.0.5, allowing attackers to install any themes via a GET request.
CVE-2016-3691	Hig	0.57	8.8	Apr 24, 2017	Routes in Kallithea before 0.3.2 allows remote attackers to bypass the CSRF protection by using the GET HTTP request method.
CVE-2016-0720	Hig	0.57	8.8	Apr 21, 2017	Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149.
CVE-2017-7951	Hig	0.57	8.8	Apr 21, 2017	WonderCMS before 2.0.3 has CSRF because of lack of a token in an unspecified context.
CVE-2017-7990	Hig	0.57	8.8	Apr 21, 2017	The Reporting Module 1.12.0 for OpenMRS allows CSRF attacks with resultant XSS, in which administrative authentication is hijacked to insert JavaScript into a name field in webapp/reports/manageReports.jsp.
CVE-2016-5401	Hig	0.57	8.8	Apr 20, 2017	Cross-site request forgery (CSRF) vulnerability in Red Hat JBoss BRMS and BPMS 6 allows remote attackers to hijack the authentication of users for requests that modify instances via a crafted web page.

CVE-2016-4884HigMay 12, 2017
risk 0.57cvss 8.8epss 0.00
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2016-4882HigMay 12, 2017
risk 0.57cvss 8.8epss 0.00
Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2016-4881HigMay 12, 2017
risk 0.57cvss 8.8epss 0.00
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2016-4879HigMay 12, 2017
risk 0.57cvss 8.8epss 0.00
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2016-4878HigMay 12, 2017
risk 0.57cvss 8.8epss 0.00
Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2016-4876HigMay 12, 2017
risk 0.57cvss 8.8epss 0.00
Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators to execute arbitrary PHP code via unspecified vectors.
CVE-2016-9092HigMay 11, 2017
risk 0.57cvss 8.8epss 0.00
The Symantec Content Analysis (CA) 1.3, 2.x prior to 2.2.1.1, and Mail Threat Defense (MTD) 1.1 management consoles are susceptible to a cross-site request forging (CSRF) vulnerability. A remote attacker can use phishing or other social engineering techniques to access the management console with the privileges of an authenticated administrator user.
CVE-2016-5889HigMay 10, 2017
risk 0.57cvss 8.8epss 0.00
IBM Interact 8.6, 9.0, 9.1, and 10.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 115085.
CVE-2017-8874HigMay 10, 2017
risk 0.57cvss 8.8epss 0.00
Multiple cross-site request forgery (CSRF) vulnerabilities in Mautic 1.4.1 allow remote attackers to hijack the authentication of users for requests that (1) delete email campaigns or (2) delete contacts.
CVE-2017-5891HigMay 10, 2017
risk 0.57cvss 8.8epss 0.00
ASUS RT-AC* and RT-N* devices with firmware before 3.0.0.4.380.7378 have Login Page CSRF and Save Settings CSRF.
CVE-2017-7431HigMay 3, 2017
risk 0.57cvss 8.8epss 0.00
Novell iManager 2.7.x before 2.7 SP7 Patch 10 HF1 and NetIQ iManager 3.x before 3.0.3.1 have persistent CSRF in object management.
CVE-2017-1194HigApr 28, 2017
risk 0.57cvss 8.8epss 0.00
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 123669.
CVE-2017-2102HigApr 28, 2017
risk 0.57cvss 8.8epss 0.00
Cross-site request forgery (CSRF) vulnerability in Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3.0.0 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2017-2097HigApr 28, 2017
risk 0.57cvss 8.8epss 0.00
Cross-site request forgery (CSRF) vulnerability in Knowledge versions prior to v1.7.0 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2017-8101HigApr 24, 2017
risk 0.57cvss 8.8epss 0.00
There is CSRF in Serendipity 2.0.5, allowing attackers to install any themes via a GET request.
CVE-2016-3691HigApr 24, 2017
risk 0.57cvss 8.8epss 0.00
Routes in Kallithea before 0.3.2 allows remote attackers to bypass the CSRF protection by using the GET HTTP request method.
CVE-2016-0720HigApr 21, 2017
risk 0.57cvss 8.8epss 0.00
Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149.
CVE-2017-7951HigApr 21, 2017
risk 0.57cvss 8.8epss 0.00
WonderCMS before 2.0.3 has CSRF because of lack of a token in an unspecified context.
CVE-2017-7990HigApr 21, 2017
risk 0.57cvss 8.8epss 0.00
The Reporting Module 1.12.0 for OpenMRS allows CSRF attacks with resultant XSS, in which administrative authentication is hijacked to insert JavaScript into a name field in webapp/reports/manageReports.jsp.
CVE-2016-5401HigApr 20, 2017
risk 0.57cvss 8.8epss 0.00
Cross-site request forgery (CSRF) vulnerability in Red Hat JBoss BRMS and BPMS 6 allows remote attackers to hijack the authentication of users for requests that modify instances via a crafted web page.