CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children: none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 225 of 286

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-2186 | — | Med | 0.21 | 4.3 | 0.01 | — | May 6, 2020 | A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.50.1 and earlier allows attackers to provision instances. |
| CVE-2020-2147 | — | Med | 0.21 | 4.3 | 0.01 | — | Mar 9, 2020 | A cross-site request forgery vulnerability in Jenkins Mac Plugin 1.1.0 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials. |
| CVE-2020-2141 | — | Med | 0.21 | 4.3 | 0.01 | — | Mar 9, 2020 | A cross-site request forgery vulnerability in Jenkins P4 Plugin 1.10.10 and earlier allows attackers to trigger builds or add labels in Perforce. |
| CVE-2019-12246 | — | Med | 0.21 | 4.3 | 0.01 | — | Feb 19, 2020 | SilverStripe through 4.3.3 allows a Denial of Service on flush and development URL tools. |
| CVE-2014-3655 | — | Med | 0.21 | 4.3 | 0.00 | — | Nov 13, 2019 | JBoss KeyCloak is vulnerable to soft token deletion via CSRF. |
| CVE-2019-10454 | — | Med | 0.21 | 4.3 | 0.01 | — | Oct 16, 2019 | A cross-site request forgery vulnerability in Jenkins Rundeck Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials. |
| CVE-2019-10441 | — | Med | 0.21 | 4.3 | 0.01 | — | Oct 16, 2019 | A cross-site request forgery vulnerability in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials. |
| CVE-2019-7873 | — | Med | 0.21 | 4.3 | 0.00 | — | Aug 2, 2019 | A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of the store design schedule. |
| CVE-2019-7857 | — | Med | 0.21 | 4.3 | 0.00 | — | Aug 2, 2019 | A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can cause unwanted items to be added to a shopper's cart due to an insufficiently robust anti-CSRF token implementation. |
| CVE-2019-1003010 | — | Med | 0.21 | 4.3 | 0.01 | — | Feb 6, 2019 | A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record. |
| CVE-2018-1000195 | — | Med | 0.21 | 4.3 | 0.02 | — | Jun 5, 2018 | A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is… |
| CVE-2015-5335 | — | Med | 0.21 | 4.3 | 0.01 | — | Feb 22, 2016 | Cross-site request forgery (CSRF) vulnerability in admin/registration/register.php in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allows remote attackers to hijack the authentication of administrators for requests that send statistics… |
| CVE-2026-8022 | — | Low | 0.20 | 3.1 | 0.00 | — | May 6, 2026 | Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted MHTML page. (Chromium security severity: Low) |
| CVE-2026-4590 | — | Low | 0.20 | 3.1 | 0.00 | — | Mar 23, 2026 | A security flaw has been discovered in kalcaddle kodbox 1.64. The impacted element is an unknown function of the file /workspace/source-code/plugins/oauth/controller/bind/index.class.php of the component loginSubmit API. Performing a manipulation of the argument third results in… |
| CVE-2026-3193 | — | Low | 0.20 | 3.1 | 0.00 | — | Feb 25, 2026 | A vulnerability was detected in Chia Blockchain 2.1.0. Impacted is an unknown function of the file /send_transaction. The manipulation results in cross-site request forgery. The attack may be performed from remote. The attack requires a high level of complexity. The… |
| CVE-2025-52463 | — | Low | 0.20 | 3.1 | 0.00 | — | Jul 2, 2025 | Cross-site request forgery vulnerability exists in Active! mail 6 BuildInfo: 6.60.06008562 and earlier. If this vulnerability is exploited, unintended E-mail may be sent when a user accesses a specially crafted URL while being logged in. |
| CVE-2024-7501 | — | Med | 0.20 | 4.2 | 0.00 | — | Aug 16, 2024 | The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.7. This is due to missing or incorrect nonce validation on the download_theme() function. This makes it possible for… |
| CVE-2024-3932 | — | Low | 0.20 | 3.1 | 0.00 | — | Apr 18, 2024 | A vulnerability classified as problematic has been found in Totara LMS up to 18.7. This affects an unknown part of the component User Selector. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The complexity of an attack is… |
| CVE-2023-4301 | — | Med | 0.20 | 4.2 | 0.00 | — | Aug 21, 2023 | A cross-site request forgery (CSRF) vulnerability in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2023-2599 | — | Low | 0.20 | 3.1 | 0.00 | — | Jun 9, 2023 | The Active Directory Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to missing nonce verification on the get_users function and… |