VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Type: Compound · Status: Stable · Likelihood of exploit: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
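The weakness is easiest to see side by side with its fix. The block below is an added example written for this page, not code from CWE, MITRE or any of the products listed further down. It models a state-changing "add user" endpoint twice: once trusting only the session cookie (which the victim's browser attaches to a cross-site POST automatically, so the request passes as the user's own), and once requiring a per-session synchronizer token plus an Origin/Referer check that fails closed. The server secret, session store, site origin and the two request dicts are constructed stand-ins for a real framework's request object.

```python
"""CSRF (CWE-352): a cookie-only handler beside one with synchronizer-token and Origin checks."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed stand-ins for a real application's secret, session store, user table and origin.
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"
SESSIONS = {"sess-abc": {"user": "admin", "csrf_nonce": secrets.token_hex(16)}}
USERS = {"admin": {"role": "admin"}}
SITE_ORIGIN = "https://app.example"


def issue_csrf_token(session_id):
    """Token bound to one session: HMAC-SHA256(secret, session_id || per-session nonce).
    Embedded in the site's own forms; a cross-site attacker can neither read nor forge it."""
    sess = SESSIONS[session_id]
    msg = f"{session_id}:{sess['csrf_nonce']}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def _session_from_cookie(request):
    cookie = request.get("cookies", {}).get("session")
    return cookie, SESSIONS.get(cookie)


def _same_origin(source, expected):
    """Compare scheme, host and port of an Origin/Referer value against the site's own origin.
    Both values here are written without an explicit port, so the None == None comparison holds."""
    if not source:
        return False  # no Origin and no Referer on a state-changing request: fail closed
    s, e = urlsplit(source), urlsplit(expected)
    return (s.scheme, s.hostname, s.port) == (e.scheme, e.hostname, e.port)


def add_user_vulnerable(request):
    """Trusts the session cookie alone. The browser sends that cookie on a cross-site POST,
    so a forged request from another origin is indistinguishable from the admin's own."""
    _, sess = _session_from_cookie(request)
    if sess is None or sess["user"] != "admin":
        return 403, "forbidden"
    form = request["form"]
    USERS[form["username"]] = {"role": form["role"]}
    return 200, f"added {form['username']}"


def add_user_hardened(request):
    """Same action, gated on: POST only, Origin/Referer equal to the site, valid synchronizer token."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    sid, sess = _session_from_cookie(request)
    if sess is None or sess["user"] != "admin":
        return 403, "forbidden"
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    if not _same_origin(headers.get("origin") or headers.get("referer"), SITE_ORIGIN):
        return 403, "cross-site request rejected"
    token = request["form"].get("csrf_token", "")
    expected = issue_csrf_token(sid)
    if not hmac.compare_digest(token.encode(), expected.encode()):  # constant-time compare
        return 403, "invalid csrf token"
    form = request["form"]
    USERS[form["username"]] = {"role": form["role"]}
    return 200, f"added {form['username']}"


def forged_request():
    """Constructed: what the victim's browser sends when an attacker-controlled page auto-submits
    a form at our endpoint. The browser attaches the session cookie; Origin is the attacker's site;
    the attacker has no way to supply a valid csrf_token."""
    return {
        "method": "POST",
        "headers": {"Origin": "https://attacker.example"},
        "cookies": {"session": "sess-abc"},
        "form": {"username": "backdoor", "role": "admin"},
    }


def legitimate_request():
    """Constructed: the same POST submitted from the site's own form, token included."""
    return {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "cookies": {"session": "sess-abc"},
        "form": {"username": "alice", "role": "editor", "csrf_token": issue_csrf_token("sess-abc")},
    }


def demo():
    """Status codes for the three interesting cases."""
    return {
        "vulnerable_forged": add_user_vulnerable(forged_request())[0],
        "hardened_forged": add_user_hardened(forged_request())[0],
        "hardened_legit": add_user_hardened(legitimate_request())[0],
    }


if __name__ == "__main__":
    print(demo())
```

The token check is the primary control; the Origin/Referer comparison is defence in depth and, because it fails closed when both headers are absent, also blocks forged requests from contexts that strip them. In a deployed application the session cookie should additionally carry `SameSite=Lax` or `Strict`, which stops the browser from attaching it to most cross-site POSTs in the first place, but that alone does not replace the token for older clients or for same-site subdomains an attacker controls.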

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 26 of 286
  • CVE-2018-11405 · High · May 24, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Kliqqi 2.0.2 has CSRF in admin/admin_users.php.

  • CVE-2018-11371 · High · May 22, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    SkyCaiji 1.2 allows CSRF to add an Administrator user.

  • CVE-2018-1434 · High · May 17, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) are vulnerable to cross-site request forgery which could allow an attacker to execute…

  • CVE-2018-0270 · High · May 17, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    A vulnerability in the web-based management interface of Cisco IoT Field Network Director (IoT-FND) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and alter the data of existing users and groups on an affected device. The…

  • CVE-2018-11126 · High · May 15, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    dg-user/?controller=users&action=add in doorGets 7.0 has CSRF that results in adding an administrator account.

  • CVE-2017-12126 · High · May 14, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An exploitable cross-site request forgery vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP packet can cause cross-site request forgery. An attacker can create malicious HTML to trigger this vulnerability.

  • CVE-2018-11018 · High · May 13, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An issue was discovered in PbootCMS v1.0.7. Cross-site request forgery (CSRF) vulnerability in apps/admin/controller/system/RoleController.php allows remote attackers to add administrator accounts via admin.php/role/add.html.

  • CVE-2018-11004 · High · May 12, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An issue was discovered in SDcms v1.5. Cross-site request forgery (CSRF) vulnerability in /WWW//app/admin/controller/admincontroller.php allows remote attackers to add administrator accounts via m=admin&c=admin&a=add.

  • CVE-2018-10957 · High · May 10, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    CSRF exists on D-Link DIR-868L devices, leading to (for example) a change to the Admin password. hedwig.cgi and pigwidgeon.cgi are two of the affected components.

  • CVE-2018-10166 · High · May 3, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    The web management interface in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows does not have Anti-CSRF tokens in any forms. This would allow an attacker to submit authenticated requests when an authenticated user browses an attack-controlled…

  • CVE-2013-0185 · High · May 1, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Cross-site request forgery (CSRF) vulnerability in ManageIQ Enterprise Virtualization Manager (EVM) allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors.

  • CVE-2018-10503 · High · Apr 27, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An issue was discovered in index.php in baijiacms V4 v4_1_4_20170105. CSRF allows adding an administrator account via op=edituser, changing the administrator password via op=changepwd, or deleting an account via op=deleteuser.

  • CVE-2018-1479 · High · Apr 27, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    IBM BigFix Platform 9.2 and 9.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 140761.

  • CVE-2018-10233 · High · Apr 23, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    The User Profile & Membership plugin before 2.0.7 for WordPress has no mitigations implemented against cross site request forgery attacks. This is a structural finding throughout the entire plugin.

  • CVE-2018-10295 · High · Apr 22, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    ChemCMS v1.0.6 has CSRF by using public/admin/user/addpost.html to add an administrator account.

  • CVE-2018-10267 · High · Apr 22, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    WTCMS 1.0 has a CSRF vulnerability to add an administrator account via the index.php?admin&m=user&a=add_post URI.

  • CVE-2018-10266 · High · Apr 22, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    BEESCMS 4.0 has a CSRF vulnerability to add an administrator account via the admin/admin_admin.php?nav=list_admin_user&admin_p_nav=user URI.

  • CVE-2018-10265 · High · Apr 22, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    An issue was discovered in HongCMS v3.0.0. There is a CSRF vulnerability that can add an administrator account via the admin/index.php/users/save URI.

  • CVE-2018-10249 · High · Apr 20, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    baijiacms V3 has CSRF via index.php?mod=site&op=edituser&name=manager&do=user to add an administrator account.

  • CVE-2018-0259 · High · Apr 19, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    A vulnerability in the web-based management interface of Cisco MATE Collector could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF…