CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

CWE-345

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (4,552)

page 22 of 228

CVE	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2016-3029	Hig	0.57	8.8	0.00	Feb 1, 2017	IBM Security Access Manager for Web is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVE-2017-3794	Hig	0.57	8.8	0.00	Jan 26, 2017	A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against an administrative user. More Information: CSCuz03317. Known Affected Releases: 2.6. Known Fixed Releases: 2.7.1.12.
CVE-2016-9218	Hig	0.57	8.8	0.00	Jan 26, 2017	A vulnerability in Cisco Hybrid Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against the user of the web interface. More Information: CSCvc28662. Known Affected Releases: 1.0.
CVE-2016-6521	Hig	0.57	8.8	0.00	Jan 23, 2017	Cross-site request forgery (CSRF) vulnerability in Grails console (aka Grails Debug Console and Grails Web Console) 2.0.7, 1.5.10, and earlier allows remote attackers to hijack the authentication of users for requests that execute arbitrary Groovy code via unspecified vectors.
CVE-2016-3406	Hig	0.57	8.8	0.00	Jan 18, 2017	Multiple cross-site request forgery (CSRF) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to hijack the authentication of unspecified victims via vectors involving (1) the Client uploader extension or (2) extension REST handlers, aka bugs 104294 and 104456.
CVE-2017-5492	Hig	0.57	8.8	0.01	Jan 15, 2017	Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.
CVE-2017-5489	Hig	0.57	8.8	0.01	Jan 15, 2017	Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload.
CVE-2017-5476	Hig	0.57	8.8	0.00	Jan 14, 2017	Serendipity through 2.0.5 allows CSRF for the installation of an event plugin or a sidebar plugin.
CVE-2017-5475	Hig	0.57	8.8	0.00	Jan 14, 2017	comment.php in Serendipity through 2.0.5 allows CSRF in deleting any comments.
CVE-2016-7885	Hig	0.57	8.8	0.01	Dec 15, 2016	Adobe Experience Manager versions 6.2 and earlier have a vulnerability that could be used in Cross-Site Request Forgery attacks.
CVE-2016-6468	Hig	0.57	8.8	0.00	Dec 14, 2016	A vulnerability in the web-based management interface of Cisco Emergency Responder could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. More Information: CSCvb06663. Known Affected Releases: 11.5(1.10000.4). Known Fixed Releases: 12.0(0.98000.14).
CVE-2016-2963	Hig	0.57	8.8	0.00	Nov 30, 2016	Cross-site request forgery (CSRF) vulnerability in IBM BigFix Remote Control before 9.1.3 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.
CVE-2016-8673	Hig	0.57	8.8	0.00	Nov 23, 2016	A vulnerability has been identified in SIMATIC CP 343-1 Advanced (incl. SIPLUS NET variant) (All versions < V3.0.53), SIMATIC CP 443-1 Advanced (incl. SIPLUS NET variant) (All versions < V3.2.17), SIMATIC S7-300 PN/DP CPU family (incl. SIPLUS variants) (All versions), SIMATIC S7-400 PN/DP CPU family (incl. SIPLUS variants) (All versions). The integrated web server at port 80/TCP or port 443/TCP of the affected devices could allow remote attackers to perform actions with the permissions of an authenticated user, provided the targeted user has an active session and is induced to trigger the malicious request.
CVE-2016-6444	Hig	0.57	8.8	0.00	Oct 27, 2016	A vulnerability in Cisco Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a Web Bridge user. More Information: CSCvb03308. Known Affected Releases: 1.8, 1.9, 2.0.
CVE-2016-6442	Hig	0.57	8.8	0.00	Oct 27, 2016	A vulnerability in Cisco Finesse Agent and Supervisor Desktop Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against the user of the web interface. More Information: CSCvb57213. Known Affected Releases: 11.0(1).
CVE-2016-1000213	Hig	0.57	8.8	0.00	Oct 25, 2016	Ruckus Wireless H500 web management interface CSRF
CVE-2016-6427	Hig	0.57	8.8	0.00	Oct 6, 2016	Cross-site request forgery (CSRF) vulnerability in Cisco Unified Intelligence Center (CUIC) 8.5.4 through 9.1(1), as used in Unified Contact Center Express 10.0(1) through 11.0(1), allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCuy75036 and CSCuy81654.
CVE-2016-6417	Hig	0.57	8.8	0.00	Oct 5, 2016	Cross-site request forgery (CSRF) vulnerability in Cisco FireSIGHT System Software 4.10.2 through 6.1.0 and Firepower Management Center allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCva21636.
CVE-2016-3007	Hig	0.57	8.8	0.00	Sep 26, 2016	Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.x through 4.5 CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to hijack the authentication of arbitrary users.
CVE-2016-7034	Hig	0.57	8.8	0.00	Sep 7, 2016	The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token.

CVE-2016-3029HigFeb 1, 2017
risk 0.57cvss 8.8epss 0.00
IBM Security Access Manager for Web is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVE-2017-3794HigJan 26, 2017
risk 0.57cvss 8.8epss 0.00
A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against an administrative user. More Information: CSCuz03317. Known Affected Releases: 2.6. Known Fixed Releases: 2.7.1.12.
CVE-2016-9218HigJan 26, 2017
risk 0.57cvss 8.8epss 0.00
A vulnerability in Cisco Hybrid Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against the user of the web interface. More Information: CSCvc28662. Known Affected Releases: 1.0.
CVE-2016-6521HigJan 23, 2017
risk 0.57cvss 8.8epss 0.00
Cross-site request forgery (CSRF) vulnerability in Grails console (aka Grails Debug Console and Grails Web Console) 2.0.7, 1.5.10, and earlier allows remote attackers to hijack the authentication of users for requests that execute arbitrary Groovy code via unspecified vectors.
CVE-2016-3406HigJan 18, 2017
risk 0.57cvss 8.8epss 0.00
Multiple cross-site request forgery (CSRF) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to hijack the authentication of unspecified victims via vectors involving (1) the Client uploader extension or (2) extension REST handlers, aka bugs 104294 and 104456.
CVE-2017-5492HigJan 15, 2017
risk 0.57cvss 8.8epss 0.01
Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.
CVE-2017-5489HigJan 15, 2017
risk 0.57cvss 8.8epss 0.01
Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload.
CVE-2017-5476HigJan 14, 2017
risk 0.57cvss 8.8epss 0.00
Serendipity through 2.0.5 allows CSRF for the installation of an event plugin or a sidebar plugin.
CVE-2017-5475HigJan 14, 2017
risk 0.57cvss 8.8epss 0.00
comment.php in Serendipity through 2.0.5 allows CSRF in deleting any comments.
CVE-2016-7885HigDec 15, 2016
risk 0.57cvss 8.8epss 0.01
Adobe Experience Manager versions 6.2 and earlier have a vulnerability that could be used in Cross-Site Request Forgery attacks.
CVE-2016-6468HigDec 14, 2016
risk 0.57cvss 8.8epss 0.00
A vulnerability in the web-based management interface of Cisco Emergency Responder could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. More Information: CSCvb06663. Known Affected Releases: 11.5(1.10000.4). Known Fixed Releases: 12.0(0.98000.14).
CVE-2016-2963HigNov 30, 2016
risk 0.57cvss 8.8epss 0.00
Cross-site request forgery (CSRF) vulnerability in IBM BigFix Remote Control before 9.1.3 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.
CVE-2016-8673HigNov 23, 2016
risk 0.57cvss 8.8epss 0.00
A vulnerability has been identified in SIMATIC CP 343-1 Advanced (incl. SIPLUS NET variant) (All versions < V3.0.53), SIMATIC CP 443-1 Advanced (incl. SIPLUS NET variant) (All versions < V3.2.17), SIMATIC S7-300 PN/DP CPU family (incl. SIPLUS variants) (All versions), SIMATIC S7-400 PN/DP CPU family (incl. SIPLUS variants) (All versions). The integrated web server at port 80/TCP or port 443/TCP of the affected devices could allow remote attackers to perform actions with the permissions of an authenticated user, provided the targeted user has an active session and is induced to trigger the malicious request.
CVE-2016-6444HigOct 27, 2016
risk 0.57cvss 8.8epss 0.00
A vulnerability in Cisco Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a Web Bridge user. More Information: CSCvb03308. Known Affected Releases: 1.8, 1.9, 2.0.
CVE-2016-6442HigOct 27, 2016
risk 0.57cvss 8.8epss 0.00
A vulnerability in Cisco Finesse Agent and Supervisor Desktop Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against the user of the web interface. More Information: CSCvb57213. Known Affected Releases: 11.0(1).
CVE-2016-1000213HigOct 25, 2016
risk 0.57cvss 8.8epss 0.00
Ruckus Wireless H500 web management interface CSRF
CVE-2016-6427HigOct 6, 2016
risk 0.57cvss 8.8epss 0.00
Cross-site request forgery (CSRF) vulnerability in Cisco Unified Intelligence Center (CUIC) 8.5.4 through 9.1(1), as used in Unified Contact Center Express 10.0(1) through 11.0(1), allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCuy75036 and CSCuy81654.
CVE-2016-6417HigOct 5, 2016
risk 0.57cvss 8.8epss 0.00
Cross-site request forgery (CSRF) vulnerability in Cisco FireSIGHT System Software 4.10.2 through 6.1.0 and Firepower Management Center allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCva21636.
CVE-2016-3007HigSep 26, 2016
risk 0.57cvss 8.8epss 0.00
Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.x through 4.5 CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to hijack the authentication of arbitrary users.
CVE-2016-7034HigSep 7, 2016
risk 0.57cvss 8.8epss 0.00
The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token.