VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Compound · Stable · Likelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 226 of 286
  • CVE-2023-2608 · Low · May 17, 2023
    risk 0.20 · cvss 3.1 · epss 0.00

    The Multiple Page Generator Plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17 due to missing nonce verification on the projects_list function and…

  • CVE-2022-41919 · Medium · Nov 22, 2022
    risk 0.20 · cvss 4.2 · epss 0.00

    Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests with Content-Type’s essence as "application/x-www-form-urlencoded",…

  • CVE-2024-41811 · Low · Aug 5, 2024
    risk 0.18 · cvss 3.9 · epss 0.00

    ipl/web is a set of common web components for php projects. Some of the recent development by Icinga is, under certain circumstances, susceptible to cross site request forgery (CSRF). All affected products, in any version, will be unaffected by this once `icinga-php-library` is…

  • CVE-2025-31957 · Low · May 6, 2026
    risk 0.17 · cvss 2.6 · epss 0.00

    HCL BigFix Service Management (SM) is affected by a Cross-Site Request Forgery (CSRF) vulnerability. This could lead to unauthorized changes or exposure of sensitive data.

  • CVE-2026-41663 · Low · May 7, 2026
    risk 0.16 · cvss 3.5 · epss 0.00

    Admidio is an open-source user management solution. Prior to version 5.0.9, several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because SameSite=Lax cookies…

  • CVE-2025-3635 · Low · Apr 25, 2025
    risk 0.16 · cvss 3.5 · epss 0.00

    A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attacks.

  • CVE-2024-29338 · Low · Mar 22, 2024
    risk 0.16 · cvss 2.4 · epss 0.00

    Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via /anchor/admin/categories/delete/2.

  • CVE-2024-23319 · Low · Feb 9, 2024
    risk 0.16 · cvss 3.5 · epss 0.00

    Mattermost Jira Plugin fails to protect against logout CSRF allowing an attacker to post a specially crafted message that would disconnect a user's Jira connection in Mattermost only by viewing the message.

  • CVE-2022-3274 · Low · Sep 22, 2022
    risk 0.16 · cvss 3.5 · epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.7.

  • CVE-2023-7048 · Low · Jan 11, 2024
    risk 0.13 · cvss 3.1 · epss 0.00

    The My Sticky Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.6. This is due to missing or incorrect nonce validation in mystickymenu-contact-leads.php. This makes it possible for unauthenticated attackers to trigger…

  • CVE-2024-4128 · Low · May 2, 2024
    risk 0.10 · cvss 2.6 · epss 0.00

    This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a…

  • CVE-2024-30252 · Low · Apr 4, 2024
    risk 0.10 · cvss 2.6 · epss 0.00

    Livemarks is a browser extension that provides RSS feed bookmark folders. Versions of Livemarks prior to 3.7 are vulnerable to cross-site request forgery. A malicious website may be able to coerce the extension to send an authenticated GET request to an arbitrary URL. An…

  • CVE-2025-8606 · Low · Oct 11, 2025
    risk 0.09 · cvss 2.4 · epss 0.00

    The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions less than, or equal to, 1.3.23. This is due to missing or incorrect nonce validation on the activate_plugin and deactivate_plugin functions. This makes it possible…

  • CVE-2022-31000 · Low · Jun 1, 2022
    risk 0.08 · cvss 2.3 · epss 0.00

    solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order's adjustments if they hold its…

  • CVE-2015-6973 · Sep 16, 2015
    risk 0.08 · cvss · epss 0.65

    Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via a crafted request to user-password.jsp, (2) add users via a crafted…

  • CVE-2015-2295 · Apr 10, 2015
    risk 0.08 · cvss · epss 0.66

    Cross-site request forgery (CSRF) vulnerability in system_firmware_restorefullbackup.php in the WebGUI in pfSense before 2.2.1 allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deletefile parameter.

  • CVE-2007-0044 · Jan 3, 2007
    risk 0.07 · cvss · epss 0.55

    Adobe Acrobat Reader Plugin before 8.0.0 for the Firefox, Internet Explorer, and Opera web browsers allows remote attackers to force the browser to make unauthorized requests to other web sites via a URL in the (1) FDF, (2) xml, and (3) xfdf AJAX request parameters, following…

  • CVE-2017-1000479 · High · Jan 3, 2018
    risk 0.06 · cvss 8.8 · epss 0.33

    pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged execution of arbitrary code, because the error detection occurs before an X-Frame-Options header is set. This is fixed in 2.4.2-RELEASE. OPNsense, a 2015 fork…

  • CVE-2011-4642 · Jan 3, 2012
    risk 0.05 · cvss · epss 0.29

    mappy.py in Splunk Web in Splunk 4.2.x before 4.2.5 does not properly restrict use of the mappy command to access Python classes, which allows remote authenticated administrators to execute arbitrary code by leveraging the sys module in a request to the search application, as…

  • CVE-2025-14266 · Low · Dec 17, 2025
    risk 0.04 · cvss · epss 0.00

    CSRF in Ercom Cryptobox administration console allows attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse a malicious web site or to click a link while he has an open session on the administration console.