CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 268 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2012-5450 | 0.00 | — | 0.01 | Dec 3, 2012 | Cross-site request forgery (CSRF) vulnerability in lib/filemanager/imagemanager/images.php in CMS Made Simple (CMSMS) 1.11.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deld parameter. | |||
| CVE-2012-4478 | 0.00 | — | 0.01 | Nov 30, 2012 | Cross-site request forgery (CSRF) vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to hijack the authentication of administrators. | |||
| CVE-2010-5283 | 0.00 | — | 0.01 | Nov 26, 2012 | Cross-site request forgery (CSRF) vulnerability in OpenText ECM (formerly Livelink ECM) 9.7.1 allows remote attackers to hijack the authentication of administrators for requests that change folder and resource permissions. | |||
| CVE-2011-2908 | 0.00 | — | 0.02 | Nov 23, 2012 | Cross-site request forgery (CSRF) vulnerability in the JMX Console (jmx-console) in JBoss Enterprise Portal Platform before 5.2.2, BRMS Platform 5.3.0 before roll up patch1, and SOA Platform 5.3.0 allows remote authenticated users to hijack the authentication of arbitrary users… | |||
| CVE-2012-4205 | 0.00 | — | 0.02 | Nov 21, 2012 | Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 assign the system principal, rather than the sandbox principal, to XMLHttpRequest objects created in sandboxes, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks or… | |||
| CVE-2012-4943 | 0.00 | — | 0.01 | Nov 18, 2012 | Multiple cross-site request forgery (CSRF) vulnerabilities in Agile FleetCommander and FleetCommander Kiosk before 4.08 allow remote attackers to hijack the authentication of arbitrary users for requests that modify (1) passwords, (2) accounts, or (3) permissions. | |||
| CVE-2012-4935 | 0.00 | — | 0.01 | Nov 18, 2012 | Cross-site request forgery (CSRF) vulnerability in the web interface in Pattern Insight 2.3 allows remote attackers to hijack the authentication of arbitrary users. | |||
| CVE-2012-4853 | 0.00 | — | 0.01 | Nov 14, 2012 | Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Application Server 6.1 before 6.1.0.45, 7.0 before 7.0.0.25, 8.0 before 8.0.0.5, and 8.5 before 8.5.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that trigger information… | |||
| CVE-2012-4732 | 0.00 | — | 0.01 | Nov 11, 2012 | Cross-site request forgery (CSRF) vulnerability in Request Tracker (RT) 3.8.12 and other versions before 3.8.15, and 4.0.6 and other versions before 4.0.8, allows remote attackers to hijack the authentication of users for requests that toggle ticket bookmarks. | |||
| CVE-2012-4486 | 0.00 | — | 0.01 | Nov 2, 2012 | Cross-site request forgery (CSRF) vulnerability in the Subuser module before 6.x-1.8 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that switch the user to a subuser via unspecified vectors. | |||
| CVE-2011-5226 | 0.00 | — | 0.01 | Oct 25, 2012 | Cross-site request forgery (CSRF) vulnerability in wordpress_sentinel.php in the Sentinel plugin 1.0.0 for WordPress allows remote attackers to hijack the authentication of an administrator for requests that trigger snapshots. | |||
| CVE-2012-4002 | 0.00 | — | 0.01 | Oct 9, 2012 | Cross-site request forgery (CSRF) vulnerability in GLPI-PROJECT GLPI before 0.83.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||
| CVE-2012-5308 | 0.00 | — | 0.01 | Oct 8, 2012 | Cross-site request forgery (CSRF) vulnerability in servlet/traveler in IBM Lotus Notes Traveler through 8.5.3.3 Interim Fix 1 allows remote attackers to hijack the authentication of arbitrary users for requests that create problem reports via a getReportProblem upload action. | |||
| CVE-2012-2999 | 0.00 | — | 0.01 | Oct 4, 2012 | Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface in Cerberus FTP Server before 5.0.5.0 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user account or (2) reconfigure the state of the FTP service,… | |||
| CVE-2012-1636 | 0.00 | — | 0.01 | Oct 1, 2012 | Cross-site request forgery (CSRF) vulnerability in the stickynote module before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of users for requests that delete stickynotes via unspecified vectors. | |||
| CVE-2012-1897 | 0.00 | — | 0.01 | Oct 1, 2012 | Multiple cross-site request forgery (CSRF) vulnerabilities in Wolf CMS 0.75 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) delete users via the user id number to admin/user/delete; (2) delete pages via the page id number… | |||
| CVE-2012-0748 | 0.00 | — | 0.01 | Oct 1, 2012 | Multiple cross-site request forgery (CSRF) vulnerabilities in unspecified services in IBM Rational Team Concert (RTC) 4.x before 4.0.0.1 allow remote attackers to hijack the authentication of arbitrary users for requests that modify work items. | |||
| CVE-2012-4448 | 0.00 | — | 0.01 | Sep 28, 2012 | Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action. | |||
| CVE-2012-2734 | 0.00 | — | 0.01 | Sep 28, 2012 | Multiple cross-site request forgery (CSRF) vulnerabilities in Cumin before 0.1.5444, as used in Red Hat Enterprise Messaging, Realtime, and Grid (MRG) 2.0, allow remote attackers to hijack the authentication of arbitrary users for requests that execute commands via unspecified… | |||
| CVE-2012-1631 | 0.00 | — | 0.01 | Sep 20, 2012 | Cross-site request forgery (CSRF) vulnerability in the Admin:hover module for Drupal allows remote attackers to hijack the authentication of administrators for requests that unpublish all nodes, and possibly other actions, via unspecified vectors. |
- CVE-2012-5450Dec 3, 2012risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in lib/filemanager/imagemanager/images.php in CMS Made Simple (CMSMS) 1.11.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deld parameter.
- CVE-2012-4478Nov 30, 2012risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to hijack the authentication of administrators.
- CVE-2010-5283Nov 26, 2012risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in OpenText ECM (formerly Livelink ECM) 9.7.1 allows remote attackers to hijack the authentication of administrators for requests that change folder and resource permissions.
- CVE-2011-2908Nov 23, 2012risk 0.00cvss —epss 0.02
Cross-site request forgery (CSRF) vulnerability in the JMX Console (jmx-console) in JBoss Enterprise Portal Platform before 5.2.2, BRMS Platform 5.3.0 before roll up patch1, and SOA Platform 5.3.0 allows remote authenticated users to hijack the authentication of arbitrary users…
- CVE-2012-4205Nov 21, 2012risk 0.00cvss —epss 0.02
Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 assign the system principal, rather than the sandbox principal, to XMLHttpRequest objects created in sandboxes, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks or…
- CVE-2012-4943Nov 18, 2012risk 0.00cvss —epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in Agile FleetCommander and FleetCommander Kiosk before 4.08 allow remote attackers to hijack the authentication of arbitrary users for requests that modify (1) passwords, (2) accounts, or (3) permissions.
- CVE-2012-4935Nov 18, 2012risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in the web interface in Pattern Insight 2.3 allows remote attackers to hijack the authentication of arbitrary users.
- CVE-2012-4853Nov 14, 2012risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Application Server 6.1 before 6.1.0.45, 7.0 before 7.0.0.25, 8.0 before 8.0.0.5, and 8.5 before 8.5.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that trigger information…
- CVE-2012-4732Nov 11, 2012risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in Request Tracker (RT) 3.8.12 and other versions before 3.8.15, and 4.0.6 and other versions before 4.0.8, allows remote attackers to hijack the authentication of users for requests that toggle ticket bookmarks.
- CVE-2012-4486Nov 2, 2012risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in the Subuser module before 6.x-1.8 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that switch the user to a subuser via unspecified vectors.
- CVE-2011-5226Oct 25, 2012risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in wordpress_sentinel.php in the Sentinel plugin 1.0.0 for WordPress allows remote attackers to hijack the authentication of an administrator for requests that trigger snapshots.
- CVE-2012-4002Oct 9, 2012risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in GLPI-PROJECT GLPI before 0.83.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
- CVE-2012-5308Oct 8, 2012risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in servlet/traveler in IBM Lotus Notes Traveler through 8.5.3.3 Interim Fix 1 allows remote attackers to hijack the authentication of arbitrary users for requests that create problem reports via a getReportProblem upload action.
- CVE-2012-2999Oct 4, 2012risk 0.00cvss —epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface in Cerberus FTP Server before 5.0.5.0 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user account or (2) reconfigure the state of the FTP service,…
- CVE-2012-1636Oct 1, 2012risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in the stickynote module before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of users for requests that delete stickynotes via unspecified vectors.
- CVE-2012-1897Oct 1, 2012risk 0.00cvss —epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in Wolf CMS 0.75 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) delete users via the user id number to admin/user/delete; (2) delete pages via the page id number…
- CVE-2012-0748Oct 1, 2012risk 0.00cvss —epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in unspecified services in IBM Rational Team Concert (RTC) 4.x before 4.0.0.1 allow remote attackers to hijack the authentication of arbitrary users for requests that modify work items.
- CVE-2012-4448Sep 28, 2012risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action.
- CVE-2012-2734Sep 28, 2012risk 0.00cvss —epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in Cumin before 0.1.5444, as used in Red Hat Enterprise Messaging, Realtime, and Grid (MRG) 2.0, allow remote attackers to hijack the authentication of arbitrary users for requests that execute commands via unspecified…
- CVE-2012-1631Sep 20, 2012risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in the Admin:hover module for Drupal allows remote attackers to hijack the authentication of administrators for requests that unpublish all nodes, and possibly other actions, via unspecified vectors.