CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
Page 27 of 286

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-0255 | | High | 0.57 | 8.8 | 0.01 | | Apr 19, 2018 | A vulnerability in the device manager web interface of Cisco Industrial Ethernet Switches could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of an affected system. The vulnerability is due to insufficient CSRF… |
| CVE-2018-10222 | | High | 0.57 | 8.8 | 0.01 | | Apr 19, 2018 | An issue was discovered in idreamsoft iCMS V7.0. There is a CSRF vulnerability that can add a Column via /admincp.php?app=article_category&do=save&frame=iPHP. |
| CVE-2018-10185 | | High | 0.57 | 8.8 | 0.01 | | Apr 17, 2018 | An issue was discovered in TuziCMS v2.0.6. There is a CSRF vulnerability that can add an admin account, as demonstrated by a history.pushState call. |
| CVE-2018-10137 | | High | 0.57 | 8.8 | 0.01 | | Apr 16, 2018 | iScripts UberforX 2.2 has CSRF in the "manage_settings" section of the Admin Panel via the /cms?section=manage_settings&action=edit URI. |
| CVE-2018-10132 | | High | 0.57 | 8.8 | 0.01 | | Apr 16, 2018 | PbootCMS v0.9.8 has CSRF via an admin.php/Message/mod/id/19.html?backurl=/index.php request, resulting in PHP code injection in the recontent parameter. |
| CVE-2018-10127 | | High | 0.57 | 8.8 | 0.00 | | Apr 16, 2018 | An issue was discovered in XYHCMS 3.5. It has CSRF via an index.php?g=Manage&m=Rbac&a=addUser request, resulting in addition of an account with the administrator role. |
| CVE-2018-10117 | | High | 0.57 | 8.8 | 0.01 | | Apr 16, 2018 | An issue was discovered in idreamsoft iCMS V7.0.7. There is a CSRF vulnerability that can add an admin account via admincp.php?app=members&do=save&frame=iPHP. |
| CVE-2017-0362 | | High | 0.57 | 8.8 | 0.01 | | Apr 13, 2018 | Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token. |
| CVE-2018-6934 | | High | 0.57 | 8.8 | 0.00 | | Apr 12, 2018 | CSRF exists in student/personal-info in PHP Scripts Mall Online Tutoring Script 2.0.3. |
| CVE-2015-0151 | | High | 0.57 | 8.8 | 0.01 | | Apr 12, 2018 | Cross-site request forgery (CSRF) vulnerability in D-Link DIR-815 devices with firmware before 2.07.B01 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. |
| CVE-2018-10048 | | High | 0.57 | 8.8 | 0.01 | | Apr 11, 2018 | iScripts eSwap v2.4 has CSRF via "registration_settings.php" in the Admin Panel. |
| CVE-2018-10031 | | High | 0.57 | 8.8 | 0.00 | | Apr 11, 2018 | CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/moduleinterface.php. |
| CVE-2018-10030 | | High | 0.57 | 8.8 | 0.00 | | Apr 11, 2018 | CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/siteprefs.php. |
| CVE-2018-9927 | | High | 0.57 | 8.8 | 0.01 | | Apr 10, 2018 | An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add. |
| CVE-2018-9923 | | High | 0.57 | 8.8 | 0.01 | | Apr 10, 2018 | An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists in admincp.php, as demonstrated by adding an article via an app=article&do=save&frame=iPHP request. |
| CVE-2014-5072 | | High | 0.57 | 8.8 | 0.01 | | Apr 6, 2018 | Cross-site request forgery (CSRF) vulnerability in WP Security Audit Log plugin before 1.2.5 for WordPress allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
| CVE-2014-5034 | | High | 0.57 | 8.8 | 0.01 | | Apr 6, 2018 | Cross-site request forgery (CSRF) vulnerability in the Brute Force Login Protection module 1.3 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that have unknown impact via a crafted request to the brute-force-login-protection… |
| CVE-2018-1000153 | | High | 0.57 | 8.8 | 0.01 | | Apr 5, 2018 | A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java,… |
| CVE-2018-6874 | | High | 0.57 | 8.8 | 0.01 | | Apr 4, 2018 | CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled. |
| CVE-2017-3965 | | High | 0.57 | 8.8 | 0.01 | | Apr 4, 2018 | Cross-Site Request Forgery (CSRF) (aka Session Riding) vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows remote attackers to perform unauthorized tasks such as retrieving internal system information or manipulating the… |