CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 23 of 286

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-7464 | | High | 0.57 | 8.8 | 0.01 | | Aug 8, 2018 | In csrf-magic before 1.0.4, if $GLOBALS['csrf']['secret'] is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatically generated secret is not used. |
| CVE-2018-7060 | | High | 0.57 | 8.8 | 0.00 | | Aug 6, 2018 | Aruba ClearPass 6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1 is vulnerable to CSRF attacks against authenticated users. An attacker could manipulate an authenticated user into performing actions on the web administrative interface. |
| CVE-2018-14978 | | High | 0.57 | 8.8 | 0.00 | | Aug 6, 2018 | An issue was discovered in QCMS 3.0.1. CSRF exists via the backend/user/admin/add.html URI. |
| CVE-2018-14966 | | High | 0.57 | 8.8 | 0.00 | | Aug 6, 2018 | An issue was discovered in EMLsoft 5.4.5. The eml/upload/eml/?action=user&do=add page allows CSRF. |
| CVE-2018-14965 | | High | 0.57 | 8.8 | 0.00 | | Aug 6, 2018 | An issue was discovered in EMLsoft 5.4.5. The eml/upload/eml/?action=address&do=add page allows CSRF. |
| CVE-2018-14963 | | High | 0.57 | 8.8 | 0.01 | | Aug 6, 2018 | zzcms 8.3 has CSRF via the admin/adminadd.php?action=add URI. |
| CVE-2018-14960 | | High | 0.57 | 8.8 | 0.01 | | Aug 6, 2018 | Xiao5uCompany 1.7 has CSRF via admin/Admin.asp. |
| CVE-2018-14959 | | High | 0.57 | 8.8 | 0.01 | | Aug 5, 2018 | An issue was discovered in WeaselCMS v0.3.5. CSRF can create new pages via an index.php?b=pages&a=new URI. |
| CVE-2018-14958 | | High | 0.57 | 8.8 | 0.01 | | Aug 5, 2018 | An issue was discovered in WeaselCMS v0.3.5. CSRF can update the website settings (such as the theme, title, and description) via index.php. |
| CVE-2018-14926 | | High | 0.57 | 8.8 | 0.01 | | Aug 3, 2018 | Matera Banco 1.0.0 allows CSRF, as demonstrated by a /contingency/web/messageSend/messageSendHandler.jsp request. |
| CVE-2018-14910 | | High | 0.57 | 8.8 | 0.01 | | Aug 3, 2018 | SeaCMS v6.61 allows Remote Code execution by placing PHP code in an allowed IP address (aka ip) to /admin/admin_ip.php (aka /adm1n/admin_ip.php). The code is executed by visiting adm1n/admin_ip.php or data/admin/ip.php. This can also be exploited through CSRF. |
| CVE-2018-14908 | | High | 0.57 | 8.8 | 0.01 | | Aug 3, 2018 | Samsung Syncthru Web Service V4.05.61 is vulnerable to CSRF on every request, as demonstrated by sws.application/printinformation/printReportSetupView.sws for a "Print emails sent" action. |
| CVE-2018-0413 | | High | 0.57 | 8.8 | 0.01 | | Aug 1, 2018 | A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to… |
| CVE-2018-14583 | | High | 0.57 | 8.8 | 0.00 | | Jul 24, 2018 | xyhai.php?s=/Auth/addUser in XYHCMS 3.5 allows CSRF to add a background administrator account. |
| CVE-2018-14582 | | High | 0.57 | 8.8 | 0.01 | | Jul 24, 2018 | index.php?r=admini/admin/create in BageCMS V3.1.3 allows CSRF to add a background administrator account. |
| CVE-2017-3187 | | High | 0.57 | 8.8 | 0.01 | | Jul 24, 2018 | The dotCMS administration panel, versions 3.7.1 and earlier, are vulnerable to cross-site request forgery. The dotCMS administrator panel contains a cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user,… |
| CVE-2018-14421 | | High | 0.57 | 8.8 | 0.01 | | Jul 20, 2018 | SeaCMS v6.61 allows Remote Code execution by placing PHP code in a movie picture address (aka v_pic) to /admin/admin_video.php (aka /backend/admin_video.php). The code is executed by visiting /details/index.php. This can also be exploited through CSRF. |
| CVE-2018-14420 | | High | 0.57 | 8.8 | 0.01 | | Jul 20, 2018 | MetInfo 6.0.0 allows a CSRF attack to add a user account via a doaddsave action to admin/index.php, as demonstrated by an admin/index.php?anyid=47&n=admin&c=admin_admin&a=doaddsave URI. |
| CVE-2018-0402 | | High | 0.57 | 8.8 | 0.01 | | Jul 18, 2018 | Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. Cisco Bug IDs: CSCvg70921. |
| CVE-2018-14331 | | High | 0.57 | 8.8 | 0.01 | | Jul 17, 2018 | An issue was discovered in XiaoCms X1 v20140305. There is a CSRF vulnerability to change the administrator account password via admin/index.php?c=index&a=my. |