VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Abstraction: Compound · Status: Stable · Likelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 21 of 286
  • CVE-2018-16448 · High · Sep 4, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    Cscms 4 allows CSRF for creating a member via upload/admin.php/user/save, authenticating vip members via upload/admin.php/user/init/tid and upload/admin.php/user/init/rzid, and creating a super administrator and web editor via upload/admin.php/sys/save.

  • CVE-2018-16447 · High · Sep 4, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Frog CMS 0.9.5 has admin/?/user/edit/1 CSRF.

  • CVE-2018-16431 · High · Sep 4, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    admin/admin/adminsave.html in YFCMF v3.0 allows CSRF to add an administrator account.

  • CVE-2018-16416 · High · Sep 3, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in my_profile/edit?inline= in FUEL CMS 1.4 allows remote attackers to change the administrator's password.

  • CVE-2018-16387 · High · Sep 3, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in Elefant CMS before 2.0.5. There is a CSRF vulnerability that can add an account via user/add.

  • CVE-2018-16380 · High · Sep 3, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in Ogma CMS 0.4 Beta. There is a CSRF vulnerability in users.php?action=createnew that can add an admin account.

  • CVE-2018-16366 · High · Sep 2, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in idreamsoft iCMS V7.0.10. admincp.php?app=user&do=save allows CSRF.

  • CVE-2018-16365 · High · Sep 2, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in idreamsoft iCMS V7.0.10. admincp.php?app=group&do=save allows CSRF.

  • CVE-2018-16345 · High · Sep 2, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in EasyCMS 1.5. There is a CSRF vulnerability that can update the admin password via index.php?s=/admin/rbacuser/update/navTabId/listusers/callbackType/closeCurrent.

  • CVE-2018-16339 · High · Sep 2, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in EmpireCMS 7.0. There is a CSRF vulnerability that can add administrators via upload/e/admin/user/AddUser.php?enews=AddUser.

  • CVE-2018-16338 · High · Sep 2, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    An issue was discovered in AuraCMS 2.3. There is a CSRF vulnerability that can change the administrator's password via admin.php?mod=users and subsequently add a page or menu, or submit a topic.

  • CVE-2018-16332 · High · Sep 2, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in iCMS 7.0.9. There is an admincp.php?app=article&do=update CSRF vulnerability.

  • CVE-2018-16331 · High · Sep 2, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    admin.php?s=/Admin/doedit in DamiCMS v6.0.0 allows CSRF to change the administrator account's password.

  • CVE-2018-16314 · High · Sep 1, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in admincp.php in idreamsoft iCMS 7.0.11. When verifying CSRF_TOKEN, if CSRF_TOKEN does not exist, only the Referer header is validated, which can be bypassed via an admincp.php substring in this header.

  • CVE-2018-11718 · High · Aug 30, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    Xovis PC2, PC2R, and PC3 devices through 3.6.0 allow CSRF.

  • CVE-2018-15121 · High · Aug 29, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    An issue was discovered in Auth0 auth0-aspnet and auth0-aspnet-owin. Affected packages do not use or validate the state parameter of the OAuth 2.0 and OpenID Connect protocols. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations.

  • CVE-2018-15901 · High · Aug 28, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    e107 2.1.8 has CSRF in 'usersettings.php' with an impact of changing details such as passwords of users including administrators.

  • CVE-2018-15851 · High · Aug 25, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in Flexo CMS v0.1.6. There is a CSRF vulnerability that can add an administrator via /admin/user/add.

  • CVE-2018-15850 · High · Aug 25, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in REDAXO CMS 4.7.2. There is a CSRF vulnerability that can add an administrator account via index.php?page=user.

  • CVE-2018-15848 · High · Aug 25, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    An issue was discovered in portfolioCMS 1.0.5. There is CSRF to create new pages via admin/portfolio.php?newpage=true.