VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 244 of 286
  • CVE-2018-1000843HigDec 20, 2018
    risk 0.00cvss 8.8epss 0.01

    Luigi version prior to version 2.8.0; after commit 53b52e12745075a8acc016d33945d9d6a7a6aaeb; after GitHub PR spotify/luigi/pull/1870 contains a Cross ite Request Forgery (CSRF) vulnerability in API endpoint: /api/ that can result in Task metadata such as task name, id,…

  • CVE-2018-16854MedNov 26, 2018
    risk 0.00cvss 6.5epss 0.02

    A flaw was found in moodle versions 3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to 3.3.8, 3.1 to 3.1.14 and earlier. The login form is not protected by a token to prevent login cross-site request forgery. Fixed versions include 3.6, 3.5.3, 3.4.6, 3.3.9 and 3.1.15.

  • CVE-2018-17104HigSep 16, 2018
    risk 0.00cvss 8.8epss 0.01

    An issue was discovered in Microweber 1.0.7. There is a CSRF attack (against the admin user) that can add an administrative account via api/save_user.

  • CVE-2018-11092MedMay 21, 2018
    risk 0.00cvss 6.5epss 0.01

    An issue was discovered in the Admin Notes plugin 1.1 for MyBB. CSRF allows an attacker to remotely delete all admin notes via an admin/index.php?empty=table (aka Clear Table) action.

  • CVE-2018-1000053HigFeb 9, 2018
    risk 0.00cvss 8.8epss 0.01

    LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Theme Uninstallation that can result in CSRF causing LimeSurvey admins to delete all their themes, rendering the website unusable. This attack appear to be exploitable via Simple…

  • CVE-2018-6656MedFeb 6, 2018
    risk 0.00cvss 6.5epss 0.01

    Z-BlogPHP 1.5.1 has CSRF via zb_users/plugin/AppCentre/app_del.php, as demonstrated by deleting files and directories.

  • CVE-2015-8563Dec 16, 2015
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the com_templates component in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.6 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

  • CVE-2015-6378Dec 14, 2015
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability on Cisco DPQ3925 devices with EDVA 5.5.2 allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuv05943.

  • CVE-2015-6405Dec 13, 2015
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Cisco Emergency Responder 10.5(1) and 10.5(1a) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuv26501.

  • CVE-2015-6408Dec 12, 2015
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Cisco Unity Connection 11.5(0.98) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCux24578.

  • CVE-2015-8131Dec 7, 2015
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

  • CVE-2015-5318Nov 25, 2015
    risk 0.00cvss epss 0.01

    Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

  • CVE-2015-5451Nov 23, 2015
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in HP Operations Orchestration Central 10.x before 10.22.001 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

  • CVE-2015-7291Nov 21, 2015
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in adv_pwd_cgi in the web management interface on Arris DG860A, TG862A, and TG862G devices with firmware TS0703128_100611 through TS0705125D_031115 allows remote attackers to hijack the authentication of arbitrary users.

  • CVE-2015-6376Nov 21, 2015
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Cisco TelePresence Video Communication Server (VCS) X8.5.1 allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuv72412.

  • CVE-2015-6373Nov 18, 2015
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Cisco Firepower Extensible Operating System 1.1(1.160) on Firepower 9000 devices allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCux10611.

  • CVE-2015-6330Nov 18, 2015
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Cisco Prime Collaboration Assurance 10.5(1) and 10.6 allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCus62712.

  • CVE-2015-5731Nov 9, 2015
    risk 0.00cvss epss 0.04

    Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock…

  • CVE-2015-1997Nov 8, 2015
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in IBM Security QRadar Vulnerability Manager 7.2.x before 7.2.5 Patch 5 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

  • CVE-2015-3967Oct 28, 2015
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability on Janitza UMG 508, 509, 511, 604, and 605 devices allows remote attackers to hijack the authentication of arbitrary users.