VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Compound · Stable · Likelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 243 of 286
  • CVE-2022-43418 · Medium · Oct 19, 2022
    risk 0.00 · cvss 4.3 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2022-2986 · High · Oct 6, 2022
    risk 0.00 · cvss 8.8 · epss 0.00

    Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.

  • CVE-2022-41227 · High · Sep 21, 2022
    risk 0.00 · cvss 8.8 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials.

  • CVE-2022-34780 · Medium · Jun 30, 2022
    risk 0.00 · cvss 6.5 · epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2022-21703 · Medium · Feb 8, 2022
    risk 0.00 · cvss 6.3 · epss 0.02

    Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users…

  • CVE-2021-45326 · High · Feb 8, 2022
    risk 0.00 · cvss 8.8 · epss 0.01

    A Cross-Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes. This can be dangerous, especially with state-altering POST requests.

  • CVE-2021-21675 · Medium · Jun 30, 2021
    risk 0.00 · cvss 6.5 · epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins requests-plugin Plugin 2.2.12 and earlier allows attackers to create requests and/or have administrators apply pending requests.

  • CVE-2021-21665 · High · Jun 10, 2021
    risk 0.00 · cvss 8.8 · epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials…

  • CVE-2021-29624 · Medium · May 19, 2021
    risk 0.00 · cvss 6.5 · epss 0.01

    fastify-csrf is an open-source plugin that helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform…

  • CVE-2021-21652 · High · May 11, 2021
    risk 0.00 · cvss 7.1 · epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored…

  • CVE-2020-23264 · High · May 6, 2021
    risk 0.00 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) in Fork-CMS before 5.8.2 allows remote attackers to hijack the authentication of logged-in administrators.

  • CVE-2021-21620 · Medium · Feb 24, 2021
    risk 0.00 · cvss 4.3 · epss 0.02

    A cross-site request forgery (CSRF) vulnerability in Jenkins Claim Plugin 2.18.1 and earlier allows attackers to change claims.

  • CVE-2020-35217 · High · Jan 20, 2021
    risk 0.00 · cvss 8.8 · epss 0.01

    Vert.x-Web framework v4.0 milestone 1-4 does not perform a correct CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, it compares the CSRF token in the cookie against a CSRF token that is stored in the session. An attacker…

  • CVE-2020-23960 · High · Jan 11, 2021
    risk 0.00 · cvss 8.8 · epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Fork before 5.8.3 allow remote attackers to perform unauthorized actions as administrator to (1) approve the mass of the user's comments, (2) restore a deleted user, (3) install or run…

  • CVE-2020-2235 · Medium · Aug 12, 2020
    risk 0.00 · cvss 6.5 · epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline Maven Integration Plugin 3.8.2 and earlier allows attackers to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially capturing…

  • CVE-2020-2116 · High · Feb 12, 2020
    risk 0.00 · cvss 8.8 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2019-19013 · High · Nov 22, 2019
    risk 0.00 · cvss 8.8 · epss 0.01

    A CSRF vulnerability in Pagekit 1.0.17 allows an attacker to upload an arbitrary file by removing the CSRF token from a request.

  • CVE-2019-14933 · High · Aug 11, 2019
    risk 0.00 · cvss 8.8 · epss 0.01

    Bagisto 0.1.5 allows CSRF under /admin URIs.

  • CVE-2019-10326 · Medium · May 31, 2019
    risk 0.00 · cvss 4.3 · epss 0.01

    A cross-site request forgery vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attackers to reset warning counts for future builds.

  • CVE-2019-1003007 · High · Feb 6, 2019
    risk 0.00 · cvss 8.8 · epss 0.01

    A cross-site request forgery vulnerability exists in Jenkins Warnings Plugin 5.0.0 and earlier in src/main/java/hudson/plugins/warnings/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint.