CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 20 of 286

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-17986 | | High | 0.57 | 8.8 | 0.01 | | Oct 5, 2018 | rars/user/data in razorCMS 3.4.8 allows CSRF for changing the password of an admin user. |
| CVE-2018-5921 | | High | 0.57 | 8.8 | 0.01 | | Oct 3, 2018 | A potential security vulnerability has been identified with certain HP printers and MFPs in 2405129_000052 and other firmware versions. This vulnerability is known as Cross Site Request Forgery, and could potentially be exploited remotely to allow elevation of privilege. |
| CVE-2018-17869 | | High | 0.57 | 8.8 | 0.00 | | Oct 1, 2018 | DASAN H660GW devices do not implement any CSRF protection mechanism. |
| CVE-2018-15702 | | High | 0.57 | 8.8 | 0.00 | | Oct 1, 2018 | The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is vulnerable to CSRF due to insufficient validation of the referer field. |
| CVE-2018-17826 | | High | 0.57 | 8.8 | 0.00 | | Oct 1, 2018 | HisiPHP 1.0.8 allows CSRF via admin.php/admin/user/adduser.html to add an administrator account. The attacker can then use that account to execute arbitrary PHP code by leveraging app/common/model/AdminAnnex.php to add .php to the default list of allowable file-upload types… |
| CVE-2018-8844 | | High | 0.57 | 8.8 | 0.01 | | Sep 26, 2018 | Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. |
| CVE-2018-17366 | — | High | 0.57 | 8.8 | 0.01 | | Sep 23, 2018 | An issue was discovered in MCMS 4.6.5. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do. |
| CVE-2018-6504 | | High | 0.57 | 8.8 | 0.01 | | Sep 20, 2018 | A potential Cross-Site Request Forgery (CSRF) vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be exploited to allow for Cross-Site Request Forgery (CSRF). |
| CVE-2018-16952 | | High | 0.57 | 8.8 | 0.01 | | Sep 18, 2018 | The Oracle WebCenter Interaction Portal 10.3.3 does not implement protection against Cross-site Request Forgery in its design. The impact is sensitive actions in the portal (such as changing a portal user's password). NOTE: this CVE is assigned by MITRE and isn't validated by… |
| CVE-2018-17103 | | High | 0.57 | 8.8 | 0.01 | | Sep 16, 2018 | An issue was discovered in GetSimple CMS v3.3.13. There is a CSRF vulnerability that can change the administrator's password via admin/settings.php. NOTE: The vendor reported that the PoC was sending a value for the nonce parameter |
| CVE-2018-17102 | — | High | 0.57 | 8.8 | 0.01 | | Sep 16, 2018 | An issue was discovered in QuickAppsCMS (aka QACMS) through 2.0.0-beta2. A CSRF vulnerability can change the administrator password via the user/me URI. |
| CVE-2018-17045 | | High | 0.57 | 8.8 | 0.00 | | Sep 14, 2018 | An issue was discovered in CMS MaeloStore V.1.5.0. There is a CSRF vulnerability that can change the administrator password via admin/modul/users/aksi_users.php?act=update. |
| CVE-2018-17023 | | High | 0.57 | 8.8 | 0.01 | | Sep 13, 2018 | Cross-site request forgery (CSRF) vulnerability on ASUS GT-AC5300 routers with firmware through 3.0.0.4.384_32738 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a request to start_apply.htm. |
| CVE-2018-16732 | | High | 0.57 | 8.8 | 0.01 | | Sep 8, 2018 | \upload\plugins\sys\admin\Setting.php in CScms 4.1 allows CSRF via admin.php/setting/ftp_save. |
| CVE-2018-0647 | | High | 0.57 | 8.8 | 0.01 | | Sep 7, 2018 | Cross-site request forgery (CSRF) vulnerability in WL-330NUL Firmware version prior to 3.0.0.46 allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
| CVE-2018-16650 | — | High | 0.57 | 8.8 | 0.01 | | Sep 7, 2018 | phpMyFAQ before 2.9.11 allows CSRF. |
| CVE-2018-1000669 | | High | 0.57 | 8.8 | 0.00 | | Sep 6, 2018 | KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Request Forgery (CSRF) vulnerability in /cgi-bin/koha/members/paycollect.pl Parameters affected: borrowernumber, amount, amountoutstanding, paid that can result in… |
| CVE-2018-16552 | — | High | 0.57 | 8.8 | 0.01 | | Sep 5, 2018 | MicroPyramid Django-CRM 0.2 allows CSRF for /users/create/, /users/##/edit/, and /accounts/##/delete/ URIs. |
| CVE-2018-15682 | | High | 0.57 | 8.8 | 0.01 | | Sep 5, 2018 | An issue was discovered in BTITeam XBTIT. Due to a lack of cross-site request forgery protection, it is possible to automate the action of sending private messages to users by luring an authenticated user to a web page that automatically submits a form on their behalf. |
| CVE-2018-14769 | | High | 0.57 | 8.8 | 0.00 | | Sep 5, 2018 | VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow CSRF. |