CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
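The check the description calls for, in working code, as an added example that is not part of the CWE entry or of any product listed below. It assumes a hypothetical admin endpoint (`/admin/users/add`), a hypothetical site origin `https://cms.example`, and an in-memory user store; the requests it feeds through the handlers are constructed for the demonstration. The vulnerable handler shows the pattern behind the "add an administrator account" entries in the table: it trusts the session cookie alone, which the browser attaches to a cross-site form post automatically. The hardened handler requires a session-bound synchronizer token plus an Origin/Referer check before it touches state.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumptions for the example: in a real deployment load the secret from a
# secrets store and derive SITE_ORIGIN from configuration, not a literal.
SERVER_SECRET = b"replace-me-with-32-random-bytes"
SITE_ORIGIN = "https://cms.example"          # hypothetical application origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}    # must have no side effects


@dataclass
class Request:
    """Minimal stand-in for a framework request object."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: nonce.HMAC(secret, session_id:nonce).
    Binding to session_id means a token the attacker obtains from their own
    session is useless against the victim's session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def origin_is_trusted(headers: dict) -> bool:
    """Defense in depth: browsers attach Origin to cross-site POSTs and a page
    cannot forge it. Fall back to Referer; fail closed if neither is present."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def is_authentic_request(req: Request) -> bool:
    """True only if a state-changing request carries a valid session-bound
    token (form field or X-CSRF-Token header) and comes from our own origin."""
    if req.method.upper() in SAFE_METHODS:
        return True
    session_id = req.cookies.get("session")
    if not session_id:
        return False
    token = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token", "")
    return token_is_valid(session_id, token) and origin_is_trusted(req.headers)


def vulnerable_add_admin(req: Request, users: dict) -> bool:
    """Only checks that a session cookie exists: the weakness in CWE-352."""
    if req.method != "POST" or "session" not in req.cookies:
        return False
    users[req.form["username"]] = {"role": "admin"}
    return True


def hardened_add_admin(req: Request, users: dict) -> bool:
    """Same action, gated on is_authentic_request()."""
    if req.method != "POST" or not is_authentic_request(req):
        return False
    users[req.form["username"]] = {"role": "admin"}
    return True


def demo() -> dict:
    """Constructed requests: one forged by an attacker-controlled page that the
    logged-in admin visits, one submitted from the site's own form."""
    victim_session = "s3ss10n-of-logged-in-admin"
    forged = Request("POST", "/admin/users/add",
                     headers={"Origin": "https://evil.example"},
                     form={"username": "attacker"},
                     cookies={"session": victim_session})
    genuine = Request("POST", "/admin/users/add",
                      headers={"Origin": SITE_ORIGIN},
                      form={"username": "newops",
                            "csrf_token": issue_csrf_token(victim_session)},
                      cookies={"session": victim_session})
    vuln_users, hard_users = {}, {}
    return {
        "vulnerable_accepts_forged": vulnerable_add_admin(forged, vuln_users),
        "hardened_accepts_forged": hardened_add_admin(forged, hard_users),
        "hardened_accepts_genuine": hardened_add_admin(genuine, hard_users),
        "hardened_users": sorted(hard_users),
    }


if __name__ == "__main__":
    print(demo())
```

Two design notes. The token is stateless (HMAC over the session id) so it needs no server-side table, but it must still be compared with `hmac.compare_digest`. The Origin check is a second, independent gate: it catches a deployment where a token leaks through a reflected page, and it costs nothing, but it is not a substitute for the token because some clients omit both Origin and Referer and the code then fails closed, which is the behaviour you want on an admin endpoint.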
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 26 of 286

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-11405 | | High | 0.57 | 8.8 | 0.01 | | May 24, 2018 | Kliqqi 2.0.2 has CSRF in admin/admin_users.php. |
| CVE-2018-11371 | | High | 0.57 | 8.8 | 0.01 | | May 22, 2018 | SkyCaiji 1.2 allows CSRF to add an Administrator user. |
| CVE-2018-1434 | | High | 0.57 | 8.8 | 0.01 | | May 17, 2018 | IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) are vulnerable to cross-site request forgery which could allow an attacker to execute… |
| CVE-2018-0270 | | High | 0.57 | 8.8 | 0.01 | | May 17, 2018 | A vulnerability in the web-based management interface of Cisco IoT Field Network Director (IoT-FND) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and alter the data of existing users and groups on an affected device. The… |
| CVE-2018-11126 | | High | 0.57 | 8.8 | 0.01 | | May 15, 2018 | dg-user/?controller=users&action=add in doorGets 7.0 has CSRF that results in adding an administrator account. |
| CVE-2017-12126 | | High | 0.57 | 8.8 | 0.01 | | May 14, 2018 | An exploitable cross-site request forgery vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP packet can cause cross-site request forgery. An attacker can create malicious HTML to trigger this vulnerability. |
| CVE-2018-11018 | | High | 0.57 | 8.8 | 0.01 | | May 13, 2018 | An issue was discovered in PbootCMS v1.0.7. Cross-site request forgery (CSRF) vulnerability in apps/admin/controller/system/RoleController.php allows remote attackers to add administrator accounts via admin.php/role/add.html. |
| CVE-2018-11004 | | High | 0.57 | 8.8 | 0.01 | | May 12, 2018 | An issue was discovered in SDcms v1.5. Cross-site request forgery (CSRF) vulnerability in /WWW//app/admin/controller/admincontroller.php allows remote attackers to add administrator accounts via m=admin&c=admin&a=add. |
| CVE-2018-10957 | | High | 0.57 | 8.8 | 0.01 | | May 10, 2018 | CSRF exists on D-Link DIR-868L devices, leading to (for example) a change to the Admin password. hedwig.cgi and pigwidgeon.cgi are two of the affected components. |
| CVE-2018-10166 | | High | 0.57 | 8.8 | 0.01 | | May 3, 2018 | The web management interface in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows does not have Anti-CSRF tokens in any forms. This would allow an attacker to submit authenticated requests when an authenticated user browses an attack-controlled… |
| CVE-2013-0185 | | High | 0.57 | 8.8 | 0.01 | | May 1, 2018 | Cross-site request forgery (CSRF) vulnerability in ManageIQ Enterprise Virtualization Manager (EVM) allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors. |
| CVE-2018-10503 | | High | 0.57 | 8.8 | 0.01 | | Apr 27, 2018 | An issue was discovered in index.php in baijiacms V4 v4_1_4_20170105. CSRF allows adding an administrator account via op=edituser, changing the administrator password via op=changepwd, or deleting an account via op=deleteuser. |
| CVE-2018-1479 | | High | 0.57 | 8.8 | 0.01 | | Apr 27, 2018 | IBM BigFix Platform 9.2 and 9.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 140761. |
| CVE-2018-10233 | | High | 0.57 | 8.8 | 0.01 | | Apr 23, 2018 | The User Profile & Membership plugin before 2.0.7 for WordPress has no mitigations implemented against cross site request forgery attacks. This is a structural finding throughout the entire plugin. |
| CVE-2018-10295 | | High | 0.57 | 8.8 | 0.01 | | Apr 22, 2018 | ChemCMS v1.0.6 has CSRF by using public/admin/user/addpost.html to add an administrator account. |
| CVE-2018-10267 | | High | 0.57 | 8.8 | 0.01 | | Apr 22, 2018 | WTCMS 1.0 has a CSRF vulnerability to add an administrator account via the index.php?admin&m=user&a=add_post URI. |
| CVE-2018-10266 | | High | 0.57 | 8.8 | 0.01 | | Apr 22, 2018 | BEESCMS 4.0 has a CSRF vulnerability to add an administrator account via the admin/admin_admin.php?nav=list_admin_user&admin_p_nav=user URI. |
| CVE-2018-10265 | | High | 0.57 | 8.8 | 0.00 | | Apr 22, 2018 | An issue was discovered in HongCMS v3.0.0. There is a CSRF vulnerability that can add an administrator account via the admin/index.php/users/save URI. |
| CVE-2018-10249 | | High | 0.57 | 8.8 | 0.01 | | Apr 20, 2018 | baijiacms V3 has CSRF via index.php?mod=site&op=edituser&name=manager&do=user to add an administrator account. |
| CVE-2018-0259 | | High | 0.57 | 8.8 | 0.01 | | Apr 19, 2018 | A vulnerability in the web-based management interface of Cisco MATE Collector could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF… |