VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 23 of 286
  • CVE-2013-7464HigAug 8, 2018
    risk 0.57cvss 8.8epss 0.01

    In csrf-magic before 1.0.4, if $GLOBALS['csrf']['secret'] is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatically generated secret is not used.

  • CVE-2018-7060HigAug 6, 2018
    risk 0.57cvss 8.8epss 0.00

    Aruba ClearPass 6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1 is vulnerable to CSRF attacks against authenticated users. An attacker could manipulate an authenticated user into performing actions on the web administrative interface.

  • CVE-2018-14978HigAug 6, 2018
    risk 0.57cvss 8.8epss 0.00

    An issue was discovered in QCMS 3.0.1. CSRF exists via the backend/user/admin/add.html URI.

  • CVE-2018-14966HigAug 6, 2018
    risk 0.57cvss 8.8epss 0.00

    An issue was discovered in EMLsoft 5.4.5. The eml/upload/eml/?action=user&do=add page allows CSRF.

  • CVE-2018-14965HigAug 6, 2018
    risk 0.57cvss 8.8epss 0.00

    An issue was discovered in EMLsoft 5.4.5. The eml/upload/eml/?action=address&do=add page allows CSRF.

  • CVE-2018-14963HigAug 6, 2018
    risk 0.57cvss 8.8epss 0.01

    zzcms 8.3 has CSRF via the admin/adminadd.php?action=add URI.

  • CVE-2018-14960HigAug 6, 2018
    risk 0.57cvss 8.8epss 0.01

    Xiao5uCompany 1.7 has CSRF via admin/Admin.asp.

  • CVE-2018-14959HigAug 5, 2018
    risk 0.57cvss 8.8epss 0.01

    An issue was discovered in WeaselCMS v0.3.5. CSRF can create new pages via an index.php?b=pages&a=new URI.

  • CVE-2018-14958HigAug 5, 2018
    risk 0.57cvss 8.8epss 0.01

    An issue was discovered in WeaselCMS v0.3.5. CSRF can update the website settings (such as the theme, title, and description) via index.php.

  • CVE-2018-14926HigAug 3, 2018
    risk 0.57cvss 8.8epss 0.01

    Matera Banco 1.0.0 allows CSRF, as demonstrated by a /contingency/web/messageSend/messageSendHandler.jsp request.

  • CVE-2018-14910HigAug 3, 2018
    risk 0.57cvss 8.8epss 0.01

    SeaCMS v6.61 allows Remote Code execution by placing PHP code in an allowed IP address (aka ip) to /admin/admin_ip.php (aka /adm1n/admin_ip.php). The code is executed by visiting adm1n/admin_ip.php or data/admin/ip.php. This can also be exploited through CSRF.

  • CVE-2018-14908HigAug 3, 2018
    risk 0.57cvss 8.8epss 0.01

    Samsung Syncthru Web Service V4.05.61 is vulnerable to CSRF on every request, as demonstrated by sws.application/printinformation/printReportSetupView.sws for a "Print emails sent" action.

  • CVE-2018-0413HigAug 1, 2018
    risk 0.57cvss 8.8epss 0.01

    A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to…

  • CVE-2018-14583HigJul 24, 2018
    risk 0.57cvss 8.8epss 0.00

    xyhai.php?s=/Auth/addUser in XYHCMS 3.5 allows CSRF to add a background administrator account.

  • CVE-2018-14582HigJul 24, 2018
    risk 0.57cvss 8.8epss 0.01

    index.php?r=admini/admin/create in BageCMS V3.1.3 allows CSRF to add a background administrator account.

  • CVE-2017-3187HigJul 24, 2018
    risk 0.57cvss 8.8epss 0.01

    The dotCMS administration panel, versions 3.7.1 and earlier, are vulnerable to cross-site request forgery. The dotCMS administrator panel contains a cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user,…

  • CVE-2018-14421HigJul 20, 2018
    risk 0.57cvss 8.8epss 0.01

    SeaCMS v6.61 allows Remote Code execution by placing PHP code in a movie picture address (aka v_pic) to /admin/admin_video.php (aka /backend/admin_video.php). The code is executed by visiting /details/index.php. This can also be exploited through CSRF.

  • CVE-2018-14420HigJul 20, 2018
    risk 0.57cvss 8.8epss 0.01

    MetInfo 6.0.0 allows a CSRF attack to add a user account via a doaddsave action to admin/index.php, as demonstrated by an admin/index.php?anyid=47&n=admin&c=admin_admin&a=doaddsave URI.

  • CVE-2018-0402HigJul 18, 2018
    risk 0.57cvss 8.8epss 0.01

    Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. Cisco Bug IDs: CSCvg70921.

  • CVE-2018-14331HigJul 17, 2018
    risk 0.57cvss 8.8epss 0.01

    An issue was discovered in XiaoCms X1 v20140305. There is a CSRF vulnerability to change the administrator account password via admin/index.php?c=index&a=my.