CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 212 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-16862 | Med | 0.28 | 4.3 | 0.01 | Jan 12, 2018 | The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery (CSRF) vulnerability. | ||
| CVE-2016-4909 | Med | 0.28 | 4.3 | 0.01 | Jun 9, 2017 | Cross-site request forgery (CSRF) vulnerability in Cybozu Garoon 3.0.0 to 4.2.2 allows remote attackers to hijack the authentication of a logged in user to force a logout via unspecified vectors. | ||
| CVE-2017-7491 | Med | 0.28 | 4.3 | 0.01 | May 15, 2017 | In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting. | ||
| CVE-2017-6918 | Med | 0.28 | 4.3 | 0.00 | Mar 15, 2017 | CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to the admin/settings/update/ page. The Navigation Social can be changed. | ||
| CVE-2017-6917 | Med | 0.28 | 4.3 | 0.00 | Mar 15, 2017 | CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page. The Colophon can be changed. | ||
| CVE-2017-6916 | Med | 0.28 | 4.3 | 0.00 | Mar 15, 2017 | CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to the admin/settings/update/ page. The Navigation Social can be changed. | ||
| CVE-2017-6915 | Med | 0.28 | 4.3 | 0.00 | Mar 15, 2017 | CSRF exists in BigTree CMS 4.1.18 with the colophon parameter to the admin/settings/update/ page. The Colophon can be changed. | ||
| CVE-2016-9730 | Med | 0.28 | 4.3 | 0.00 | Mar 7, 2017 | IBM QRadar Incident Forensics 7.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM Reference #: 1999549. | ||
| CVE-2016-8504 | Med | 0.28 | 4.3 | 0.01 | Oct 26, 2016 | CSRF of synchronization form in Yandex Browser for desktop before version 16.6 could be used by remote attacker to steal saved data in browser profile. | ||
| CVE-2016-1175 | Med | 0.28 | 4.3 | 0.01 | Apr 5, 2016 | Cross-site request forgery (CSRF) vulnerability in AQUOS Photo Player HN-PP150 1.02.00.04 through 1.03.01.04 allows remote attackers to hijack the authentication of arbitrary users. | ||
| CVE-2005-1947 | Med | 0.28 | 4.3 | 0.00 | Jun 9, 2005 | Cross-site request forgery (CSRF) vulnerability in Invision Gallery before 1.3.1 allows remote attackers to delete albums and images as another user via a link or IMG tag to the (1) albums or (2) delimg actions. | ||
| CVE-2018-25370 | Med | 0.27 | 5.3 | 0.00 | May 25, 2026 | Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Attackers can craft malicious HTML forms targeting roles_function.php with parameters like rol_assign_roles,… | ||
| CVE-2026-42190 | Med | 0.27 | 5.3 | 0.00 | May 8, 2026 | RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a… | ||
| CVE-2024-13555 | Med | 0.27 | 5.3 | 0.00 | Feb 18, 2025 | The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the cancel_actions() function. This makes… | ||
| CVE-2024-41597 | Med | 0.27 | 4.2 | 0.00 | Jul 19, 2024 | Cross Site Request Forgery vulnerability in ProcessWire v.3.0.229 allows a remote attacker to execute arbitrary code via a crafted HTML file to the comments functionality. | ||
| CVE-2024-3215 | Med | 0.27 | 5.3 | 0.00 | May 2, 2024 | The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the… | ||
| CVE-2023-27495 | Med | 0.27 | 5.3 | 0.00 | Apr 20, 2023 | @fastify/csrf-protection is a plugin which helps protect Fastify servers against CSRF attacks. The CSRF protection enforced by the @fastify/csrf-protection library in combination with @fastify/cookie can be bypassed from network and same-site attackers under certain conditions.… | ||
| CVE-2021-21395 | Med | 0.27 | 4.2 | 0.00 | Jan 27, 2023 | Magneto LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is… | ||
| CVE-2021-43846 | Med | 0.27 | 5.3 | 0.01 | Dec 20, 2021 | `solidus_frontend` is the cart and storefront for the Solidus e-commerce project. Versions of `solidus_frontend` prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without… | ||
| CVE-2021-39198 | — | Med | 0.27 | 4.2 | 0.00 | Nov 19, 2021 | OroCRM is an open source Client Relationship Management (CRM) application. Affected versions we found to suffer from a vulnerability which could an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this… |
- risk 0.28cvss 4.3epss 0.01
The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery (CSRF) vulnerability.
- risk 0.28cvss 4.3epss 0.01
Cross-site request forgery (CSRF) vulnerability in Cybozu Garoon 3.0.0 to 4.2.2 allows remote attackers to hijack the authentication of a logged in user to force a logout via unspecified vectors.
- risk 0.28cvss 4.3epss 0.01
In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting.
- risk 0.28cvss 4.3epss 0.00
CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to the admin/settings/update/ page. The Navigation Social can be changed.
- risk 0.28cvss 4.3epss 0.00
CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page. The Colophon can be changed.
- risk 0.28cvss 4.3epss 0.00
CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to the admin/settings/update/ page. The Navigation Social can be changed.
- risk 0.28cvss 4.3epss 0.00
CSRF exists in BigTree CMS 4.1.18 with the colophon parameter to the admin/settings/update/ page. The Colophon can be changed.
- risk 0.28cvss 4.3epss 0.00
IBM QRadar Incident Forensics 7.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM Reference #: 1999549.
- risk 0.28cvss 4.3epss 0.01
CSRF of synchronization form in Yandex Browser for desktop before version 16.6 could be used by remote attacker to steal saved data in browser profile.
- risk 0.28cvss 4.3epss 0.01
Cross-site request forgery (CSRF) vulnerability in AQUOS Photo Player HN-PP150 1.02.00.04 through 1.03.01.04 allows remote attackers to hijack the authentication of arbitrary users.
- risk 0.28cvss 4.3epss 0.00
Cross-site request forgery (CSRF) vulnerability in Invision Gallery before 1.3.1 allows remote attackers to delete albums and images as another user via a link or IMG tag to the (1) albums or (2) delimg actions.
- risk 0.27cvss 5.3epss 0.00
Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Attackers can craft malicious HTML forms targeting roles_function.php with parameters like rol_assign_roles,…
- risk 0.27cvss 5.3epss 0.00
RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a…
- risk 0.27cvss 5.3epss 0.00
The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the cancel_actions() function. This makes…
- risk 0.27cvss 4.2epss 0.00
Cross Site Request Forgery vulnerability in ProcessWire v.3.0.229 allows a remote attacker to execute arbitrary code via a crafted HTML file to the comments functionality.
- risk 0.27cvss 5.3epss 0.00
The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the…
- risk 0.27cvss 5.3epss 0.00
@fastify/csrf-protection is a plugin which helps protect Fastify servers against CSRF attacks. The CSRF protection enforced by the @fastify/csrf-protection library in combination with @fastify/cookie can be bypassed from network and same-site attackers under certain conditions.…
- risk 0.27cvss 4.2epss 0.00
Magneto LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is…
- risk 0.27cvss 5.3epss 0.01
`solidus_frontend` is the cart and storefront for the Solidus e-commerce project. Versions of `solidus_frontend` prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without…
- risk 0.27cvss 4.2epss 0.00
OroCRM is an open source Client Relationship Management (CRM) application. Affected versions we found to suffer from a vulnerability which could an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this…