VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 212 of 286
  • CVE-2017-16862MedJan 12, 2018
    risk 0.28cvss 4.3epss 0.01

    The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery (CSRF) vulnerability.

  • CVE-2016-4909MedJun 9, 2017
    risk 0.28cvss 4.3epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Cybozu Garoon 3.0.0 to 4.2.2 allows remote attackers to hijack the authentication of a logged in user to force a logout via unspecified vectors.

  • CVE-2017-7491MedMay 15, 2017
    risk 0.28cvss 4.3epss 0.01

    In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting.

  • CVE-2017-6918MedMar 15, 2017
    risk 0.28cvss 4.3epss 0.00

    CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to the admin/settings/update/ page. The Navigation Social can be changed.

  • CVE-2017-6917MedMar 15, 2017
    risk 0.28cvss 4.3epss 0.00

    CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page. The Colophon can be changed.

  • CVE-2017-6916MedMar 15, 2017
    risk 0.28cvss 4.3epss 0.00

    CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to the admin/settings/update/ page. The Navigation Social can be changed.

  • CVE-2017-6915MedMar 15, 2017
    risk 0.28cvss 4.3epss 0.00

    CSRF exists in BigTree CMS 4.1.18 with the colophon parameter to the admin/settings/update/ page. The Colophon can be changed.

  • CVE-2016-9730MedMar 7, 2017
    risk 0.28cvss 4.3epss 0.00

    IBM QRadar Incident Forensics 7.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM Reference #: 1999549.

  • CVE-2016-8504MedOct 26, 2016
    risk 0.28cvss 4.3epss 0.01

    CSRF of synchronization form in Yandex Browser for desktop before version 16.6 could be used by remote attacker to steal saved data in browser profile.

  • CVE-2016-1175MedApr 5, 2016
    risk 0.28cvss 4.3epss 0.01

    Cross-site request forgery (CSRF) vulnerability in AQUOS Photo Player HN-PP150 1.02.00.04 through 1.03.01.04 allows remote attackers to hijack the authentication of arbitrary users.

  • CVE-2005-1947MedJun 9, 2005
    risk 0.28cvss 4.3epss 0.00

    Cross-site request forgery (CSRF) vulnerability in Invision Gallery before 1.3.1 allows remote attackers to delete albums and images as another user via a link or IMG tag to the (1) albums or (2) delimg actions.

  • CVE-2018-25370MedMay 25, 2026
    risk 0.27cvss 5.3epss 0.00

    Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Attackers can craft malicious HTML forms targeting roles_function.php with parameters like rol_assign_roles,…

  • CVE-2026-42190MedMay 8, 2026
    risk 0.27cvss 5.3epss 0.00

    RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a…

  • CVE-2024-13555MedFeb 18, 2025
    risk 0.27cvss 5.3epss 0.00

    The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the cancel_actions() function. This makes…

  • CVE-2024-41597MedJul 19, 2024
    risk 0.27cvss 4.2epss 0.00

    Cross Site Request Forgery vulnerability in ProcessWire v.3.0.229 allows a remote attacker to execute arbitrary code via a crafted HTML file to the comments functionality.

  • CVE-2024-3215MedMay 2, 2024
    risk 0.27cvss 5.3epss 0.00

    The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the…

  • CVE-2023-27495MedApr 20, 2023
    risk 0.27cvss 5.3epss 0.00

    @fastify/csrf-protection is a plugin which helps protect Fastify servers against CSRF attacks. The CSRF protection enforced by the @fastify/csrf-protection library in combination with @fastify/cookie can be bypassed from network and same-site attackers under certain conditions.…

  • CVE-2021-21395MedJan 27, 2023
    risk 0.27cvss 4.2epss 0.00

    Magneto LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is…

  • CVE-2021-43846MedDec 20, 2021
    risk 0.27cvss 5.3epss 0.01

    `solidus_frontend` is the cart and storefront for the Solidus e-commerce project. Versions of `solidus_frontend` prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without…

  • CVE-2021-39198MedNov 19, 2021
    risk 0.27cvss 4.2epss 0.00

    OroCRM is an open source Client Relationship Management (CRM) application. Affected versions we found to suffer from a vulnerability which could an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this…