VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Abstraction: Compound · Status: Stable · Likelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
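The entries listed further down share one pattern: a cookie-authenticated admin endpoint accepts a state-changing request that any third-party page can make the victim's browser send. The block below is an added example, not code from the CWE entry or from any product listed on this page. It shows a minimal synchronizer-token check plus an Origin/Referer check for a hypothetical POST /transfer handler; SERVER_SECRET, SITE_ORIGIN, Session and handle_transfer are assumed names, and the forged and legitimate requests are constructed inline.

```python
"""Added example (not from the CWE entry or any listed product): rejecting
forged cross-site requests with a session-bound token and an Origin check."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed server-side values; a real deployment loads these from config.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://app.example"


@dataclass
class Session:
    """Server-side session selected by the session cookie the browser sends."""
    session_id: str
    user: str
    balance: int = 100


def csrf_token_for(session: Session) -> str:
    """Derive the anti-CSRF token from the session id, so a token issued to
    one session (for example the attacker's own) is useless in any other."""
    mac = hmac.new(SERVER_SECRET, session.session_id.encode(), hashlib.sha256)
    return mac.hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Defense in depth: browsers set Origin on cross-site POSTs and a
    third-party page cannot forge it. Fail closed when neither header exists."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        return referer.startswith(SITE_ORIGIN + "/")
    return False


def handle_transfer(session: Session, headers: dict, form: dict,
                    check_csrf: bool = True) -> str:
    """POST /transfer. With check_csrf=False the handler behaves like the
    vulnerable admin panels above: the session cookie alone authorises the
    action. With check_csrf=True the request must also come from our origin
    and carry the token only a page served to this session could embed."""
    if check_csrf:
        if not origin_allowed(headers):
            return "rejected: bad origin"
        submitted = form.get("csrf_token", "")
        # Constant-time compare: the token is a secret, not just a nonce.
        if not hmac.compare_digest(submitted, csrf_token_for(session)):
            return "rejected: bad csrf token"
    amount = int(form.get("amount", "0"))
    session.balance -= amount
    return f"ok: sent {amount} to {form.get('to')}"


def demo() -> dict:
    """Run a forged request against the vulnerable and hardened handler."""
    victim = Session(session_id=secrets.token_hex(16), user="victim")
    attacker = Session(session_id=secrets.token_hex(16), user="attacker")

    # Constructed forged request: an auto-submitting form on attacker.example.
    # The browser attaches the victim's cookie, so `session` is the victim's;
    # the attacker controls the fields but can only know their own token.
    forged_headers = {"Origin": "https://attacker.example"}
    forged_form = {"to": "attacker", "amount": "50",
                   "csrf_token": csrf_token_for(attacker)}

    # Constructed legitimate request from a page the application served.
    good_headers = {"Origin": SITE_ORIGIN}
    good_form = {"to": "friend", "amount": "10",
                 "csrf_token": csrf_token_for(victim)}

    return {
        "vulnerable_forged": handle_transfer(
            victim, forged_headers, forged_form, check_csrf=False),
        "hardened_forged": handle_transfer(victim, forged_headers, forged_form),
        # Origin spoofed to ours (not possible from a browser, but shows the
        # token check stands on its own): attacker's token is still rejected.
        "hardened_wrong_token": handle_transfer(victim, good_headers, forged_form),
        "hardened_legit": handle_transfer(victim, good_headers, good_form),
        "final_balance": victim.balance,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The token is bound to the session rather than stored per form, so it needs no server-side state beyond the session itself; the Origin check is a second, independent layer because token handling bugs (a reflected token, a GET fallback) are common. Setting the session cookie with SameSite=Lax or Strict is a third layer, but it does not replace the token: older clients and same-site subdomains are outside its protection.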

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 27 of 286
  • CVE-2018-0255 · High · Apr 19, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability in the device manager web interface of Cisco Industrial Ethernet Switches could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of an affected system. The vulnerability is due to insufficient CSRF…

  • CVE-2018-10222 · High · Apr 19, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in idreamsoft iCMS V7.0. There is a CSRF vulnerability that can add a Column via /admincp.php?app=article_category&do=save&frame=iPHP.

  • CVE-2018-10185 · High · Apr 17, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in TuziCMS v2.0.6. There is a CSRF vulnerability that can add an admin account, as demonstrated by a history.pushState call.

  • CVE-2018-10137 · High · Apr 16, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    iScripts UberforX 2.2 has CSRF in the "manage_settings" section of the Admin Panel via the /cms?section=manage_settings&action=edit URI.

  • CVE-2018-10132 · High · Apr 16, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    PbootCMS v0.9.8 has CSRF via an admin.php/Message/mod/id/19.html?backurl=/index.php request, resulting in PHP code injection in the recontent parameter.

  • CVE-2018-10127 · High · Apr 16, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    An issue was discovered in XYHCMS 3.5. It has CSRF via an index.php?g=Manage&m=Rbac&a=addUser request, resulting in addition of an account with the administrator role.

  • CVE-2018-10117 · High · Apr 16, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in idreamsoft iCMS V7.0.7. There is a CSRF vulnerability that can add an admin account via admincp.php?app=members&do=save&frame=iPHP.

  • CVE-2017-0362 · High · Apr 13, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token.

  • CVE-2018-6934 · High · Apr 12, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    CSRF exists in student/personal-info in PHP Scripts Mall Online Tutoring Script 2.0.3.

  • CVE-2015-0151 · High · Apr 12, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in D-Link DIR-815 devices with firmware before 2.07.B01 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

  • CVE-2018-10048 · High · Apr 11, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    iScripts eSwap v2.4 has CSRF via "registration_settings.php" in the Admin Panel.

  • CVE-2018-10031 · High · Apr 11, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/moduleinterface.php.

  • CVE-2018-10030 · High · Apr 11, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/siteprefs.php.

  • CVE-2018-9927 · High · Apr 10, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add.

  • CVE-2018-9923 · High · Apr 10, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists in admincp.php, as demonstrated by adding an article via an app=article&do=save&frame=iPHP request.

  • CVE-2014-5072 · High · Apr 6, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in WP Security Audit Log plugin before 1.2.5 for WordPress allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

  • CVE-2014-5034 · High · Apr 6, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the Brute Force Login Protection module 1.3 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that have unknown impact via a crafted request to the brute-force-login-protection…

  • CVE-2018-1000153 · High · Apr 5, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java,…

  • CVE-2018-6874 · High · Apr 4, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled.

  • CVE-2017-3965 · High · Apr 4, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-Site Request Forgery (CSRF) (aka Session Riding) vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows remote attackers to perform unauthorized tasks such as retrieving internal system information or manipulating the…