CWE-352

Cross-Site Request Forgery (CSRF)

Compound · Stable · Likelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713) · page 22 of 286

  • CVE-2018-16314 · High · Sep 1, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in admincp.php in idreamsoft iCMS 7.0.11. When verifying CSRF_TOKEN, if CSRF_TOKEN does not exist, only the Referer header is validated, which can be bypassed via an admincp.php substring in this header.

  • CVE-2018-11718 · High · Aug 30, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    Xovis PC2, PC2R, and PC3 devices through 3.6.0 allow CSRF.

  • CVE-2018-15121 · High · Aug 29, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    An issue was discovered in Auth0 auth0-aspnet and auth0-aspnet-owin. Affected packages do not use or validate the state parameter of the OAuth 2.0 and OpenID Connect protocols. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations.

  • CVE-2018-15901 · High · Aug 28, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    e107 2.1.8 has CSRF in 'usersettings.php' with an impact of changing details such as passwords of users including administrators.

  • CVE-2018-15851 · High · Aug 25, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in Flexo CMS v0.1.6. There is a CSRF vulnerability that can add an administrator via /admin/user/add.

  • CVE-2018-15850 · High · Aug 25, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in REDAXO CMS 4.7.2. There is a CSRF vulnerability that can add an administrator account via index.php?page=user.

  • CVE-2018-15848 · High · Aug 25, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    An issue was discovered in portfolioCMS 1.0.5. There is CSRF to create new pages via admin/portfolio.php?newpage=true.

  • CVE-2018-15846 · High · Aug 25, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in fledrCMS through 2014-02-03. There is a CSRF vulnerability that can change the administrator's password via index.php?p=done&savedata=1.

  • CVE-2018-10884 · High · Aug 22, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Ansible Tower before versions 3.1.8 and 3.2.6 is vulnerable to cross-site request forgery (CSRF) in awx/api/authentication.py. An attacker could exploit this by tricking already authenticated users into visiting a malicious site and hijacking the authtoken cookie.

  • CVE-2018-15568 · High · Aug 20, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    tp5cms through 2017-05-25 has CSRF via admin.php/category/delete.html.

  • CVE-2018-15565 · High · Aug 20, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in daveismyname simple-cms through 2014-03-11. admin/addpage.php does not require authentication for adding a page. This can also be exploited via CSRF.

  • CVE-2018-15564 · High · Aug 20, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    An issue was discovered in daveismyname simple-cms through 2014-03-11. There is a CSRF vulnerability that can delete any page via admin/?delpage=8.

  • CVE-2018-2442 · High · Aug 14, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    In SAP BusinessObjects Business Intelligence, versions 4.0, 4.1 and 4.2, while viewing a Web Intelligence report from BI Launchpad, the user session details captured by an HTTP analysis tool could be reused in an HTML page while the user session is still valid.

  • CVE-2018-7097 · High · Aug 14, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7). The vulnerability may be exploited remotely to allow cross-site request forgery.

  • CVE-2018-14783 · High · Aug 10, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    In the NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior, a cross-site request forgery condition can occur, allowing an attacker to change passwords of the device remotely.

  • CVE-2018-15186 · High · Aug 10, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has CSRF via client/auditor/updprofile.php.

  • CVE-2018-15198 · High · Aug 8, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in OneThink v1.1. There is a CSRF vulnerability in admin.php?s=/User/add.html that can add a user.

  • CVE-2018-15197 · High · Aug 8, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in OneThink v1.1. There is a CSRF vulnerability in admin.php?s=/AuthManager/addToGroup.html that can endow administrator privileges.

  • CVE-2018-15193 · High · Aug 8, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows remote attackers to execute admin operations via a crafted issue / link.

  • CVE-2018-15177 · High · Aug 8, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    In Gxlcms 2.0, a news/index.php?s=Admin-Admin-Insert CSRF attack can add an administrator account.