CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 21 of 286

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-16448 | — | High | 0.57 | 8.8 | 0.00 | — | Sep 4, 2018 | Cscms 4 allows CSRF for creating a member via upload/admin.php/user/save, authenticating vip members via upload/admin.php/user/init/tid and upload/admin.php/user/init/rzid, and creating a super administrator and web editor via upload/admin.php/sys/save. |
| CVE-2018-16447 | — | High | 0.57 | 8.8 | 0.01 | — | Sep 4, 2018 | Frog CMS 0.9.5 has admin/?/user/edit/1 CSRF. |
| CVE-2018-16431 | — | High | 0.57 | 8.8 | 0.01 | — | Sep 4, 2018 | admin/admin/adminsave.html in YFCMF v3.0 allows CSRF to add an administrator account. |
| CVE-2018-16416 | — | High | 0.57 | 8.8 | 0.01 | — | Sep 3, 2018 | Cross-site request forgery (CSRF) vulnerability in my_profile/edit?inline= in FUEL CMS 1.4 allows remote attackers to change the administrator's password. |
| CVE-2018-16387 | — | High | 0.57 | 8.8 | 0.01 | — | Sep 3, 2018 | An issue was discovered in Elefant CMS before 2.0.5. There is a CSRF vulnerability that can add an account via user/add. |
| CVE-2018-16380 | — | High | 0.57 | 8.8 | 0.01 | — | Sep 3, 2018 | An issue was discovered in Ogma CMS 0.4 Beta. There is a CSRF vulnerability in users.php?action=createnew that can add an admin account. |
| CVE-2018-16366 | — | High | 0.57 | 8.8 | 0.01 | — | Sep 2, 2018 | An issue was discovered in idreamsoft iCMS V7.0.10. admincp.php?app=user&do=save allows CSRF. |
| CVE-2018-16365 | — | High | 0.57 | 8.8 | 0.01 | — | Sep 2, 2018 | An issue was discovered in idreamsoft iCMS V7.0.10. admincp.php?app=group&do=save allows CSRF. |
| CVE-2018-16345 | — | High | 0.57 | 8.8 | 0.01 | — | Sep 2, 2018 | An issue was discovered in EasyCMS 1.5. There is a CSRF vulnerability that can update the admin password via index.php?s=/admin/rbacuser/update/navTabId/listusers/callbackType/closeCurrent. |
| CVE-2018-16339 | — | High | 0.57 | 8.8 | 0.01 | — | Sep 2, 2018 | An issue was discovered in EmpireCMS 7.0. There is a CSRF vulnerability that can add administrators via upload/e/admin/user/AddUser.php?enews=AddUser. |
| CVE-2018-16338 | — | High | 0.57 | 8.8 | 0.00 | — | Sep 2, 2018 | An issue was discovered in AuraCMS 2.3. There is a CSRF vulnerability that can change the administrator's password via admin.php?mod=users and subsequently add a page or menu, or submit a topic. |
| CVE-2018-16332 | — | High | 0.57 | 8.8 | 0.01 | — | Sep 2, 2018 | An issue was discovered in iCMS 7.0.9. There is an admincp.php?app=article&do=update CSRF vulnerability. |
| CVE-2018-16331 | — | High | 0.57 | 8.8 | 0.01 | — | Sep 2, 2018 | admin.php?s=/Admin/doedit in DamiCMS v6.0.0 allows CSRF to change the administrator account's password. |
| CVE-2018-16314 | — | High | 0.57 | 8.8 | 0.01 | — | Sep 1, 2018 | An issue was discovered in admincp.php in idreamsoft iCMS 7.0.11. When verifying CSRF_TOKEN, if CSRF_TOKEN does not exist, only the Referer header is validated, which can be bypassed via an admincp.php substring in this header. |
| CVE-2018-11718 | — | High | 0.57 | 8.8 | 0.00 | — | Aug 30, 2018 | Xovis PC2, PC2R, and PC3 devices through 3.6.0 allow CSRF. |
| CVE-2018-15121 | — | High | 0.57 | 8.8 | 0.00 | — | Aug 29, 2018 | An issue was discovered in Auth0 auth0-aspnet and auth0-aspnet-owin. Affected packages do not use or validate the state parameter of the OAuth 2.0 and OpenID Connect protocols. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations. |
| CVE-2018-15901 | — | High | 0.57 | 8.8 | 0.01 | — | Aug 28, 2018 | e107 2.1.8 has CSRF in 'usersettings.php' with an impact of changing details such as passwords of users including administrators. |
| CVE-2018-15851 | — | High | 0.57 | 8.8 | 0.01 | — | Aug 25, 2018 | An issue was discovered in Flexo CMS v0.1.6. There is a CSRF vulnerability that can add an administrator via /admin/user/add. |
| CVE-2018-15850 | — | High | 0.57 | 8.8 | 0.01 | — | Aug 25, 2018 | An issue was discovered in REDAXO CMS 4.7.2. There is a CSRF vulnerability that can add an administrator account via index.php?page=user. |
| CVE-2018-15848 | — | High | 0.57 | 8.8 | 0.00 | — | Aug 25, 2018 | An issue was discovered in portfolioCMS 1.0.5. There is CSRF to create new pages via admin/portfolio.php?newpage=true. |
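Two rows above describe the anti-pattern behind many of these entries rather than just a missing check: CVE-2018-16314, where a request with no CSRF_TOKEN falls back to a substring test on the Referer header, and CVE-2018-15121, where the OAuth/OIDC `state` parameter is never compared on the callback. The following Python is an added example, not code from any of the listed products or from this page: it reproduces the weak fallback pattern in `weak_is_request_allowed`, places the hardened synchronizer-token check beside it, and shows that the same constant-time compare covers the OAuth `state` nonce. The application host `cms.example`, the header values, and the function names are assumptions made for the example.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical host of the protected admin application (assumption for this example).
APP_HOST = "cms.example"


def issue_csrf_token() -> str:
    """Mint a fresh, unguessable per-session token; the server keeps it in the session store."""
    return secrets.token_urlsafe(32)


def weak_is_request_allowed(session_token: str, form_token: Optional[str],
                            referer: Optional[str]) -> bool:
    """Pattern of the flaw described for CVE-2018-16314 (reconstructed, not the vendor's code):
    the token is only compared when the request carries one; a request without a token is
    accepted if the Referer merely contains the admin script name as a substring."""
    if form_token is not None:
        return form_token == session_token
    # Fallback: any Referer containing "admincp.php" is trusted, so
    # https://attacker.example/admincp.php passes.
    return referer is not None and "admincp.php" in referer


def _host_of(url: Optional[str]) -> Optional[str]:
    """Lower-cased hostname of an absolute http(s) URL, or None if it cannot be parsed."""
    if not url:
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return None
    return parts.hostname.lower()


def strict_is_request_allowed(session_token: str, form_token: Optional[str],
                              origin: Optional[str], referer: Optional[str],
                              app_host: str = APP_HOST) -> bool:
    """Hardened check: the token is mandatory and compared in constant time, and the
    request's source header (Origin if present, else Referer) must name the
    application host exactly. Neither header alone is trusted."""
    if not session_token or form_token is None:
        return False
    if not hmac.compare_digest(form_token.encode(), session_token.encode()):
        return False
    # Use Origin when the browser sent it; only fall back to Referer when Origin is absent.
    source = _host_of(origin) if origin is not None else _host_of(referer)
    return source == app_host.lower()


def validate_oauth_state(session_state: Optional[str], returned_state: Optional[str]) -> bool:
    """The check missing in CVE-2018-15121: the `state` sent in the authorization request
    must come back unchanged on the callback. Same nonce-in-session mechanism as a CSRF token."""
    if not session_state or not returned_state:
        return False
    return hmac.compare_digest(session_state.encode(), returned_state.encode())


def demo() -> dict:
    """Run the weak and strict checks against constructed genuine and cross-site requests."""
    session_token = issue_csrf_token()
    # Constructed forged request: no token, attacker-controlled Referer carrying the substring.
    attacker_referer = "https://attacker.example/admincp.php"
    genuine_origin = f"https://{APP_HOST}"
    lookalike_origin = f"https://{APP_HOST}.attacker.example"
    return {
        "weak_accepts_forged": weak_is_request_allowed(session_token, None, attacker_referer),
        "strict_rejects_forged": not strict_is_request_allowed(session_token, None, None, attacker_referer),
        "strict_rejects_wrong_token": not strict_is_request_allowed(
            session_token, issue_csrf_token(), genuine_origin, None),
        "strict_rejects_lookalike_origin": not strict_is_request_allowed(
            session_token, session_token, lookalike_origin, None),
        "strict_accepts_genuine": strict_is_request_allowed(
            session_token, session_token, genuine_origin, None),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The strict variant deliberately requires both a matching token and a matching source host; an Origin or Referer check on its own is a useful second layer but not a substitute, because some clients strip those headers and a missing header then forces a choice between rejecting legitimate traffic and accepting forged traffic. Parsing the header with `urlsplit` and comparing the hostname for equality is what closes the substring bypass; `cms.example.attacker.example` is rejected even though it contains the expected host.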