CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 227 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-3539 | 0.04 | — | 0.09 | Oct 1, 2013 | Cross-site request forgery (CSRF) vulnerability in the command/user.cgi in Sony SNC CH140, SNC CH180, SNC CH240, SNC CH280, SNC DH140, SNC DH140T, SNC DH180, SNC DH240, SNC DH240T, SNC DH280, and possibly other camera models allows remote attackers to hijack the authentication… | |||
| CVE-2013-5696 | 0.04 | — | 0.08 | Sep 23, 2013 | inc/central.class.php in GLPI before 0.84.2 does not attempt to make install/install.php unavailable after an installation is completed, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and (1) perform a SQL injection via an Etape_4 action or… | |||
| CVE-2011-2522 | 0.04 | — | 0.10 | Jul 29, 2011 | Multiple cross-site request forgery (CSRF) vulnerabilities in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allow remote attackers to hijack the authentication of administrators for requests that (1) shut down daemons, (2) start daemons, (3) add shares, (4)… | |||
| CVE-2010-3213 | 0.04 | — | 0.09 | Sep 7, 2010 | Cross-site request forgery (CSRF) vulnerability in Microsoft Outlook Web Access (owa/ev.owa) 2007 through SP2 allows remote attackers to hijack the authentication of e-mail users for requests that perform Outlook requests, as demonstrated by setting the auto-forward rule. | |||
| CVE-2009-0037 | 0.04 | — | 0.08 | Mar 5, 2009 | The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via… | |||
| CVE-2008-4128 | 0.04 | — | 0.12 | Sep 18, 2008 | Multiple cross-site request forgery (CSRF) vulnerabilities in the HTTP Administration component in Cisco IOS 12.4 on the 871 Integrated Services Router allow remote attackers to execute arbitrary commands via (1) a certain "show privilege" command to the /level/15/exec/- URI,… | |||
| CVE-2025-54782 | 0.03 | — | 0.44 | Aug 1, 2025 | Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP… | |||
| CVE-2019-10874 | Hig | 0.03 | 8.8 | 0.05 | Apr 5, 2019 | Cross Site Request Forgery (CSRF) in the bolt/upload File Upload feature in Bolt CMS 3.6.6 allows remote attackers to execute arbitrary code by uploading a JavaScript file to include executable extensions in the file/edit/config/config.yml configuration file. | ||
| CVE-2015-7984 | 0.03 | — | 0.04 | Nov 19, 2015 | Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1)… | |||
| CVE-2015-5999 | 0.03 | — | 0.03 | Nov 18, 2015 | Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DIR-816L Wireless Router with firmware before 2.06.B09_BETA allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin password, (2) change the network… | |||
| CVE-2015-5534 | 0.03 | — | 0.02 | Nov 2, 2015 | Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall before 1.8 allow remote attackers to hijack the authentication of administrators for requests that (1) put the website under maintenance via the maintenance_enable parameter or (2) conduct cross-site scripting… | |||
| CVE-2015-6493 | 0.03 | — | 0.01 | Oct 28, 2015 | Cross-site request forgery (CSRF) vulnerability in Infinite Automation Mango Automation 2.5.x and 2.6.x through 2.6.0 build 430 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors. | |||
| CVE-2015-5075 | — | 0.03 | — | 0.03 | Sep 29, 2015 | Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create. | ||
| CVE-2015-6965 | 0.03 | — | 0.03 | Sep 16, 2015 | Multiple cross-site request forgery (CSRF) vulnerabilities in the Contact Form Generator plugin 2.0.1 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) create a field, (2) update a field, (3) delete a field, (4)… | |||
| CVE-2015-6944 | 0.03 | — | 0.02 | Sep 15, 2015 | Cross-site request forgery (CSRF) vulnerability in JSP/MySQL Administrador Web 1 allows remote attackers to hijack the authentication of users for requests that execute arbitrary SQL commands via the cmd parameter to sys/sys/listaBD2.jsp. | |||
| CVE-2015-6827 | 0.03 | — | 0.02 | Sep 11, 2015 | Cross-site request forgery (CSRF) vulnerability in Auto-Exchanger 5.1.0 allows remote attackers to hijack the authentication of users for requests that change a password via a request to signup.php. | |||
| CVE-2015-6655 | 0.03 | — | 0.02 | Aug 31, 2015 | Cross-site request forgery (CSRF) vulnerability in Pligg CMS 2.0.2 allows remote attackers to hijack the authentication of administrators for requests that add an administrator via a request to admin/admin_users.php. | |||
| CVE-2015-6517 | 0.03 | — | 0.03 | Aug 18, 2015 | Cross-site request forgery (CSRF) vulnerability in phpLiteAdmin 1.1 allows remote attackers to hijack the authentication of users for requests that drop database tables via the droptable parameter to phpliteadmin.php. | |||
| CVE-2015-4460 | 0.03 | — | 0.03 | Jul 16, 2015 | Cross-site request forgery (CSRF) vulnerability in SecuritySetting/UserSecurity/UserManagement.aspx in B.A.S C2Box before 4.0.0 (r19171) allows remote attackers to hijack the authentication of administrators for requests that add administrator accounts via certain vectors. | |||
| CVE-2015-5530 | 0.03 | — | 0.01 | Jul 16, 2015 | Multiple cross-site request forgery (CSRF) vulnerabilities in Free Reprintables ArticleFR 3.0.6 allow remote attackers to hijack the authentication of administrators for requests that add an administrator account via a request to dashboard/users/create/. |
- CVE-2013-3539Oct 1, 2013risk 0.04cvss —epss 0.09
Cross-site request forgery (CSRF) vulnerability in the command/user.cgi in Sony SNC CH140, SNC CH180, SNC CH240, SNC CH280, SNC DH140, SNC DH140T, SNC DH180, SNC DH240, SNC DH240T, SNC DH280, and possibly other camera models allows remote attackers to hijack the authentication…
- CVE-2013-5696Sep 23, 2013risk 0.04cvss —epss 0.08
inc/central.class.php in GLPI before 0.84.2 does not attempt to make install/install.php unavailable after an installation is completed, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and (1) perform a SQL injection via an Etape_4 action or…
- CVE-2011-2522Jul 29, 2011risk 0.04cvss —epss 0.10
Multiple cross-site request forgery (CSRF) vulnerabilities in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allow remote attackers to hijack the authentication of administrators for requests that (1) shut down daemons, (2) start daemons, (3) add shares, (4)…
- CVE-2010-3213Sep 7, 2010risk 0.04cvss —epss 0.09
Cross-site request forgery (CSRF) vulnerability in Microsoft Outlook Web Access (owa/ev.owa) 2007 through SP2 allows remote attackers to hijack the authentication of e-mail users for requests that perform Outlook requests, as demonstrated by setting the auto-forward rule.
- CVE-2009-0037Mar 5, 2009risk 0.04cvss —epss 0.08
The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via…
- CVE-2008-4128Sep 18, 2008risk 0.04cvss —epss 0.12
Multiple cross-site request forgery (CSRF) vulnerabilities in the HTTP Administration component in Cisco IOS 12.4 on the 871 Integrated Services Router allow remote attackers to execute arbitrary commands via (1) a certain "show privilege" command to the /level/15/exec/- URI,…
- CVE-2025-54782Aug 1, 2025risk 0.03cvss —epss 0.44
Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP…
- risk 0.03cvss 8.8epss 0.05
Cross Site Request Forgery (CSRF) in the bolt/upload File Upload feature in Bolt CMS 3.6.6 allows remote attackers to execute arbitrary code by uploading a JavaScript file to include executable extensions in the file/edit/config/config.yml configuration file.
- CVE-2015-7984Nov 19, 2015risk 0.03cvss —epss 0.04
Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1)…
- CVE-2015-5999Nov 18, 2015risk 0.03cvss —epss 0.03
Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DIR-816L Wireless Router with firmware before 2.06.B09_BETA allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin password, (2) change the network…
- CVE-2015-5534Nov 2, 2015risk 0.03cvss —epss 0.02
Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall before 1.8 allow remote attackers to hijack the authentication of administrators for requests that (1) put the website under maintenance via the maintenance_enable parameter or (2) conduct cross-site scripting…
- CVE-2015-6493Oct 28, 2015risk 0.03cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in Infinite Automation Mango Automation 2.5.x and 2.6.x through 2.6.0 build 430 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.
- CVE-2015-5075Sep 29, 2015risk 0.03cvss —epss 0.03
Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create.
- CVE-2015-6965Sep 16, 2015risk 0.03cvss —epss 0.03
Multiple cross-site request forgery (CSRF) vulnerabilities in the Contact Form Generator plugin 2.0.1 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) create a field, (2) update a field, (3) delete a field, (4)…
- CVE-2015-6944Sep 15, 2015risk 0.03cvss —epss 0.02
Cross-site request forgery (CSRF) vulnerability in JSP/MySQL Administrador Web 1 allows remote attackers to hijack the authentication of users for requests that execute arbitrary SQL commands via the cmd parameter to sys/sys/listaBD2.jsp.
- CVE-2015-6827Sep 11, 2015risk 0.03cvss —epss 0.02
Cross-site request forgery (CSRF) vulnerability in Auto-Exchanger 5.1.0 allows remote attackers to hijack the authentication of users for requests that change a password via a request to signup.php.
- CVE-2015-6655Aug 31, 2015risk 0.03cvss —epss 0.02
Cross-site request forgery (CSRF) vulnerability in Pligg CMS 2.0.2 allows remote attackers to hijack the authentication of administrators for requests that add an administrator via a request to admin/admin_users.php.
- CVE-2015-6517Aug 18, 2015risk 0.03cvss —epss 0.03
Cross-site request forgery (CSRF) vulnerability in phpLiteAdmin 1.1 allows remote attackers to hijack the authentication of users for requests that drop database tables via the droptable parameter to phpliteadmin.php.
- CVE-2015-4460Jul 16, 2015risk 0.03cvss —epss 0.03
Cross-site request forgery (CSRF) vulnerability in SecuritySetting/UserSecurity/UserManagement.aspx in B.A.S C2Box before 4.0.0 (r19171) allows remote attackers to hijack the authentication of administrators for requests that add administrator accounts via certain vectors.
- CVE-2015-5530Jul 16, 2015risk 0.03cvss —epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in Free Reprintables ArticleFR 3.0.6 allow remote attackers to hijack the authentication of administrators for requests that add an administrator account via a request to dashboard/users/create/.