VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 260 of 286
  • CVE-2014-3455May 12, 2014
    risk 0.00cvss epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) CreateProperty, (2) CreateTemplate, (3) CreateForm, and (4) CreateClass special pages in the SemanticForms extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allow remote…

  • CVE-2014-3454May 12, 2014
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Special:CreateCategory in the SemanticForms extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to hijack the authentication of users for requests that create categories…

  • CVE-2014-0944May 9, 2014
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the RES Console in Rule Execution Server in IBM Operational Decision Manager 7.5 before FP3 IF37, 8.0 before MP1 FP2, and 8.5 before MP1 IF26 allows remote authenticated users to hijack the authentication of arbitrary users for…

  • CVE-2014-3115May 8, 2014
    risk 0.00cvss epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Fortinet FortiWeb before 5.2.0 allow remote attackers to hijack the authentication of administrators via system/config/adminadd and other unspecified vectors.

  • CVE-2014-2190May 7, 2014
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Broadcast Access Center for Telco and Wireless (aka BAC-TW) allows remote attackers to hijack the authentication of arbitrary users for requests that make BAC-TW changes, aka Bug IDs CSCuo23804 and…

  • CVE-2014-2916May 5, 2014
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a request to admin/.

  • CVE-2014-2186Apr 30, 2014
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco WebEx Meetings Server allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuj81777.

  • CVE-2013-7259Apr 29, 2014
    risk 0.00cvss epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in Neo4J 1.9.2 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary code, as demonstrated by a request to (1) db/data/ext/GremlinPlugin/graphdb/execute_script or (2)…

  • CVE-2013-4726Apr 25, 2014
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in DDSN Interactive cm3 Acora CMS 6.0.6/1a, 6.0.2/1a, 5.5.7/12b, 5.5.0/1b-p1, and possibly other versions, allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

  • CVE-2014-2327Apr 23, 2014
    risk 0.00cvss epss 0.02

    Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configurations, or (3) add arbitrary…

  • CVE-2014-2659Apr 22, 2014
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the admin UI in Papercut MF and NG before 14.1 (Build 26983) allows remote attackers to hijack the authentication of administrators via unspecified vectors.

  • CVE-2014-1615Apr 22, 2014
    risk 0.00cvss epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in Carbon Black before 4.1.0 allow remote attackers to hijack the authentication of administrators for requests that add new administrative users and have other unspecified action, as demonstrated by a request to…

  • CVE-2014-0054Apr 17, 2014
    risk 0.00cvss epss 0.91

    The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML,…

  • CVE-2013-2708Apr 11, 2014
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the Content Slide plugin 1.4.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors.

  • CVE-2013-2706Apr 11, 2014
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the Stream Video Player plugin 1.4.0 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors.

  • CVE-2013-3252Apr 10, 2014
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the options admin page in the WP-PostViews plugin before 1.63 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors.

  • CVE-2013-3251Apr 10, 2014
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the qTranslate plugin 2.5.34 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors.

  • CVE-2013-2699Apr 10, 2014
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the underConstruction plugin before 1.09 for WordPress allows remote attackers to hijack the authentication of administrators for requests that deactivate a plugin via unspecified vectors.

  • CVE-2013-2693Apr 10, 2014
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the Options in the WP-Print plugin before 2.52 for WordPress allows remote attackers to hijack the authentication of administrators for requests that manipulate plugin settings via unspecified vectors.

  • CVE-2012-4921Apr 10, 2014
    risk 0.00cvss epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in the DVS Custom Notification plugin 1.0.1 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change application settings or (2) conduct cross-site…