CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 22 of 286

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-16314 | — | High | 0.57 | 8.8 | 0.01 | — | Sep 1, 2018 | An issue was discovered in admincp.php in idreamsoft iCMS 7.0.11. When verifying CSRF_TOKEN, if CSRF_TOKEN does not exist, only the Referer header is validated, which can be bypassed via an admincp.php substring in this header. |
| CVE-2018-11718 | — | High | 0.57 | 8.8 | 0.00 | — | Aug 30, 2018 | Xovis PC2, PC2R, and PC3 devices through 3.6.0 allow CSRF. |
| CVE-2018-15121 | — | High | 0.57 | 8.8 | 0.00 | — | Aug 29, 2018 | An issue was discovered in Auth0 auth0-aspnet and auth0-aspnet-owin. Affected packages do not use or validate the state parameter of the OAuth 2.0 and OpenID Connect protocols. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations. |
| CVE-2018-15901 | — | High | 0.57 | 8.8 | 0.01 | — | Aug 28, 2018 | e107 2.1.8 has CSRF in 'usersettings.php' with an impact of changing details such as passwords of users including administrators. |
| CVE-2018-15851 | — | High | 0.57 | 8.8 | 0.01 | — | Aug 25, 2018 | An issue was discovered in Flexo CMS v0.1.6. There is a CSRF vulnerability that can add an administrator via /admin/user/add. |
| CVE-2018-15850 | — | High | 0.57 | 8.8 | 0.01 | — | Aug 25, 2018 | An issue was discovered in REDAXO CMS 4.7.2. There is a CSRF vulnerability that can add an administrator account via index.php?page=user. |
| CVE-2018-15848 | — | High | 0.57 | 8.8 | 0.00 | — | Aug 25, 2018 | An issue was discovered in portfolioCMS 1.0.5. There is CSRF to create new pages via admin/portfolio.php?newpage=true. |
| CVE-2018-15846 | — | High | 0.57 | 8.8 | 0.01 | — | Aug 25, 2018 | An issue was discovered in fledrCMS through 2014-02-03. There is a CSRF vulnerability that can change the administrator's password via index.php?p=done&savedata=1. |
| CVE-2018-10884 | — | High | 0.57 | 8.8 | 0.01 | — | Aug 22, 2018 | Ansible Tower before versions 3.1.8 and 3.2.6 is vulnerable to cross-site request forgery (CSRF) in awx/api/authentication.py. An attacker could exploit this by tricking already authenticated users into visiting a malicious site and hijacking the authtoken cookie. |
| CVE-2018-15568 | — | High | 0.57 | 8.8 | 0.00 | — | Aug 20, 2018 | tp5cms through 2017-05-25 has CSRF via admin.php/category/delete.html. |
| CVE-2018-15565 | — | High | 0.57 | 8.8 | 0.01 | — | Aug 20, 2018 | An issue was discovered in daveismyname simple-cms through 2014-03-11. admin/addpage.php does not require authentication for adding a page. This can also be exploited via CSRF. |
| CVE-2018-15564 | — | High | 0.57 | 8.8 | 0.00 | — | Aug 20, 2018 | An issue was discovered in daveismyname simple-cms through 2014-03-11. There is a CSRF vulnerability that can delete any page via admin/?delpage=8. |
| CVE-2018-2442 | — | High | 0.57 | 8.8 | 0.01 | — | Aug 14, 2018 | In SAP BusinessObjects Business Intelligence, versions 4.0, 4.1 and 4.2, while viewing a Web Intelligence report from BI Launchpad, the user session details captured by an HTTP analysis tool could be reused in a HTML page while the user session is still valid. |
| CVE-2018-7097 | — | High | 0.57 | 8.8 | 0.01 | — | Aug 14, 2018 | A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7). The vulnerability may be exploited remotely to allow cross-site request forgery. |
| CVE-2018-14783 | — | High | 0.57 | 8.8 | 0.01 | — | Aug 10, 2018 | NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. A cross-site request forgery condition can occur, allowing an attacker to change passwords of the device remotely. |
| CVE-2018-15186 | — | High | 0.57 | 8.8 | 0.01 | — | Aug 10, 2018 | PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has CSRF via client/auditor/updprofile.php. |
| CVE-2018-15198 | — | High | 0.57 | 8.8 | 0.01 | — | Aug 8, 2018 | An issue was discovered in OneThink v1.1. There is a CSRF vulnerability in admin.php?s=/User/add.html that can add a user. |
| CVE-2018-15197 | — | High | 0.57 | 8.8 | 0.01 | — | Aug 8, 2018 | An issue was discovered in OneThink v1.1. There is a CSRF vulnerability in admin.php?s=/AuthManager/addToGroup.html that can endow administrator privileges. |
| CVE-2018-15193 | — | High | 0.57 | 8.8 | 0.01 | — | Aug 8, 2018 | A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows remote attackers to execute admin operations via a crafted issue / link. |
| CVE-2018-15177 | — | High | 0.57 | 8.8 | 0.01 | — | Aug 8, 2018 | In Gxlcms 2.0, a news/index.php?s=Admin-Admin-Insert CSRF attack can add an administrator account. |