VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Compound · Stable · Likelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 20 of 286
  • CVE-2018-17986 · High · Oct 5, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    rars/user/data in razorCMS 3.4.8 allows CSRF for changing the password of an admin user.

  • CVE-2018-5921 · High · Oct 3, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A potential security vulnerability has been identified with certain HP printers and MFPs in 2405129_000052 and other firmware versions. This vulnerability is known as Cross Site Request Forgery, and could potentially be exploited remotely to allow elevation of privilege.

  • CVE-2018-17869 · High · Oct 1, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    DASAN H660GW devices do not implement any CSRF protection mechanism.

  • CVE-2018-15702 · High · Oct 1, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is vulnerable to CSRF due to insufficient validation of the referer field.

  • CVE-2018-17826 · High · Oct 1, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    HisiPHP 1.0.8 allows CSRF via admin.php/admin/user/adduser.html to add an administrator account. The attacker can then use that account to execute arbitrary PHP code by leveraging app/common/model/AdminAnnex.php to add .php to the default list of allowable file-upload types…

  • CVE-2018-8844 · High · Sep 26, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

  • CVE-2018-17366 · High · Sep 23, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in MCMS 4.6.5. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do.

  • CVE-2018-6504 · High · Sep 20, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A potential Cross-Site Request Forgery (CSRF) vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be exploited to allow for Cross-Site Request Forgery (CSRF).

  • CVE-2018-16952 · High · Sep 18, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    The Oracle WebCenter Interaction Portal 10.3.3 does not implement protection against Cross-site Request Forgery in its design. The impact is sensitive actions in the portal (such as changing a portal user's password). NOTE: this CVE is assigned by MITRE and isn't validated by…

  • CVE-2018-17103 · High · Sep 16, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in GetSimple CMS v3.3.13. There is a CSRF vulnerability that can change the administrator's password via admin/settings.php. NOTE: The vendor reported that the PoC was sending a value for the nonce parameter

  • CVE-2018-17102 · High · Sep 16, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in QuickAppsCMS (aka QACMS) through 2.0.0-beta2. A CSRF vulnerability can change the administrator password via the user/me URI.

  • CVE-2018-17045 · High · Sep 14, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    An issue was discovered in CMS MaeloStore V.1.5.0. There is a CSRF vulnerability that can change the administrator password via admin/modul/users/aksi_users.php?act=update.

  • CVE-2018-17023 · High · Sep 13, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability on ASUS GT-AC5300 routers with firmware through 3.0.0.4.384_32738 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a request to start_apply.htm.

  • CVE-2018-16732 · High · Sep 8, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    \upload\plugins\sys\admin\Setting.php in CScms 4.1 allows CSRF via admin.php/setting/ftp_save.

  • CVE-2018-0647 · High · Sep 7, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in WL-330NUL Firmware version prior to 3.0.0.46 allows remote attackers to hijack the authentication of administrators via unspecified vectors.

  • CVE-2018-16650 · High · Sep 7, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    phpMyFAQ before 2.9.11 allows CSRF.

  • CVE-2018-1000669 · High · Sep 6, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Request Forgery (CSRF) vulnerability in /cgi-bin/koha/members/paycollect.pl Parameters affected: borrowernumber, amount, amountoutstanding, paid that can result in…

  • CVE-2018-16552 · High · Sep 5, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    MicroPyramid Django-CRM 0.2 allows CSRF for /users/create/, /users/##/edit/, and /accounts/##/delete/ URIs.

  • CVE-2018-15682 · High · Sep 5, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in BTITeam XBTIT. Due to a lack of cross-site request forgery protection, it is possible to automate the action of sending private messages to users by luring an authenticated user to a web page that automatically submits a form on their behalf.

  • CVE-2018-14769 · High · Sep 5, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow CSRF.