VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Compound · Stable · Likelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
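The description above is abstract, so here is an added example (not code from the VYPR page or from any project listed below) that makes the weakness concrete: a state-changing endpoint that trusts the session cookie alone, beside the same endpoint hardened with a per-session synchronizer token and a Fetch Metadata check. The session and request dictionaries, the `Sec-Fetch-Site` values and the "evil.example" scenario are constructed for illustration; `issue_csrf_token`, `transfer_vulnerable` and `transfer_hardened` are hypothetical names, not an API of any framework.

```python
"""CWE-352 illustrated: an endpoint that cannot tell a forged cross-site POST
from a genuine one, and the same endpoint with the checks that make it able to.
Added example; all names, sessions and requests are constructed."""
import hmac
import secrets
from typing import Mapping

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session synchronizer token and keep the server-side copy.
    The server later compares the copy echoed back in the form against it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def transfer_vulnerable(session: Mapping, request: Mapping) -> str:
    """The weakness: only the session cookie is checked. Any page the victim
    visits can auto-submit this form; the browser attaches the cookie."""
    if not session.get("user"):
        return "denied: not logged in"
    return f"ok: moved {request['form']['amount']} to {request['form']['to']}"


def transfer_hardened(session: Mapping, request: Mapping) -> str:
    """Same endpoint with three checks: safe methods never change state,
    browser-supplied Fetch Metadata rejects obviously cross-site requests,
    and a synchronizer token proves the form came from a page we served."""
    if not session.get("user"):
        return "denied: not logged in"
    if request["method"] in SAFE_METHODS:
        return "denied: state change requires POST"
    # Defence in depth: modern browsers label cross-site requests explicitly.
    # Old browsers omit the header, so this alone is not the control.
    if request["headers"].get("Sec-Fetch-Site") == "cross-site":
        return "denied: cross-site request"
    # Primary control: the form must echo the token stored in the session.
    # An attacker's page cannot read it (same-origin policy), so it cannot
    # forge it; compare in constant time to avoid a timing oracle.
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return "denied: bad csrf token"
    return f"ok: moved {request['form']['amount']} to {request['form']['to']}"


def demo() -> dict:
    """Constructed scenario: alice is logged in; evil.example auto-submits a
    transfer form in her browser. The cookie (hence `session`) is the same for
    both requests; only the attacker's request lacks the token and is marked
    cross-site by the browser."""
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    legit = {
        "method": "POST",
        "headers": {"Sec-Fetch-Site": "same-origin"},
        "form": {"to": "bob", "amount": "10", "csrf_token": token},
    }
    forged = {
        "method": "POST",
        "headers": {"Sec-Fetch-Site": "cross-site"},
        "form": {"to": "mallory", "amount": "1000"},
    }
    return {
        "vulnerable_forged": transfer_vulnerable(session, forged),
        "hardened_legit": transfer_hardened(session, legit),
        "hardened_forged": transfer_hardened(session, forged),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The token comparison is the control that actually closes CWE-352; the `Sec-Fetch-Site` check only short-circuits the common case and does nothing for clients that omit the header, which is why the code falls through to the token check rather than allowing on a missing header. Many of the CVEs listed below (the Jenkins and WordPress "missing nonce verification" entries) are the vulnerable shape: a POST or even GET handler that performs the action with no token check at all.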

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 225 of 286
  • CVE-2020-2186 · Med · May 6, 2020
    risk 0.21 · cvss 4.3 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.50.1 and earlier allows attackers to provision instances.

  • CVE-2020-2147 · Med · Mar 9, 2020
    risk 0.21 · cvss 4.3 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins Mac Plugin 1.1.0 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.

  • CVE-2020-2141 · Med · Mar 9, 2020
    risk 0.21 · cvss 4.3 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins P4 Plugin 1.10.10 and earlier allows attackers to trigger builds or add labels in Perforce.

  • CVE-2019-12246 · Med · Feb 19, 2020
    risk 0.21 · cvss 4.3 · epss 0.01

    SilverStripe through 4.3.3 allows a Denial of Service on flush and development URL tools.

  • CVE-2014-3655 · Med · Nov 13, 2019
    risk 0.21 · cvss 4.3 · epss 0.00

    JBoss KeyCloak is vulnerable to soft token deletion via CSRF.

  • CVE-2019-10454 · Med · Oct 16, 2019
    risk 0.21 · cvss 4.3 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins Rundeck Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2019-10441 · Med · Oct 16, 2019
    risk 0.21 · cvss 4.3 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2019-7873 · Med · Aug 2, 2019
    risk 0.21 · cvss 4.3 · epss 0.00

    A cross-site request forgery vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can result in unintended deletion of the store design schedule.

  • CVE-2019-7857 · Med · Aug 2, 2019
    risk 0.21 · cvss 4.3 · epss 0.00

    A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can cause unwanted items to be added to a shopper's cart due to an insufficiently robust anti-CSRF token implementation.

  • CVE-2019-1003010 · Med · Feb 6, 2019
    risk 0.21 · cvss 4.3 · epss 0.01

    A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.

  • CVE-2018-1000195 · Med · Jun 5, 2018
    risk 0.21 · cvss 4.3 · epss 0.02

    A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is…

  • CVE-2015-5335 · Med · Feb 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in admin/registration/register.php in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allows remote attackers to hijack the authentication of administrators for requests that send statistics…

  • CVE-2026-8022 · Low · May 6, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted MHTML page. (Chromium security severity: Low)

  • CVE-2026-4590 · Low · Mar 23, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    A security flaw has been discovered in kalcaddle kodbox 1.64. The impacted element is an unknown function of the file /workspace/source-code/plugins/oauth/controller/bind/index.class.php of the component loginSubmit API. Performing a manipulation of the argument third results in…

  • CVE-2026-3193 · Low · Feb 25, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    A vulnerability was detected in Chia Blockchain 2.1.0. Impacted is an unknown function of the file /send_transaction. The manipulation results in cross-site request forgery. The attack may be performed from remote. The attack requires a high level of complexity. The…

  • CVE-2025-52463 · Low · Jul 2, 2025
    risk 0.20 · cvss 3.1 · epss 0.00

    Cross-site request forgery vulnerability exists in Active! mail 6 BuildInfo: 6.60.06008562 and earlier. If this vulnerability is exploited, unintended E-mail may be sent when a user accesses a specially crafted URL while being logged in.

  • CVE-2024-7501 · Med · Aug 16, 2024
    risk 0.20 · cvss 4.2 · epss 0.00

    The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.7. This is due to missing or incorrect nonce validation on the download_theme() function. This makes it possible for…

  • CVE-2024-3932 · Low · Apr 18, 2024
    risk 0.20 · cvss 3.1 · epss 0.00

    A vulnerability classified as problematic has been found in Totara LMS up to 18.7. This affects an unknown part of the component User Selector. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The complexity of an attack is…

  • CVE-2023-4301 · Med · Aug 21, 2023
    risk 0.20 · cvss 4.2 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2023-2599 · Low · Jun 9, 2023
    risk 0.20 · cvss 3.1 · epss 0.00

    The Active Directory Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to missing nonce verification on the get_users function and…