VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Structure: Compound · Status: Stable · Likelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 28 of 286
  • CVE-2018-8893 · High · Mar 31, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    Z-BlogPHP 1.5.1 Zero has CSRF in plugin_edit.php, resulting in the ability to execute arbitrary PHP code.

  • CVE-2018-9134 · High · Mar 30, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename action, as demonstrated by renaming an arbitrary file under uploads/userup to a .php file under the web root to achieve PHP code execution. This uses the oldfilename and newfilename parameters.

  • CVE-2015-2009 · High · Mar 29, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the xmlrpc.cgi service in IBM QRadar SIEM 7.1 before MR2 Patch 11 Interim Fix 02 and 7.2.x before 7.2.5 Patch 4 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences via…

  • CVE-2018-9108 · High · Mar 28, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    CSRF in /admin/user/manage/add in QuickAppsCMS 2.0.0-beta2 allows an unauthorized remote attacker to create an account with admin privileges.

  • CVE-2018-8764 · High · Mar 27, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 places a CSRF token in the sec_token parameter of a URI, which makes it easier for remote attackers to defeat a CSRF protection mechanism by leveraging logging.

  • CVE-2018-8972 · High · Mar 24, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Creditwest Bank CMS Project (aka CWCMS) through 2017-07-28 has CSRF in the functionality for updating the site configuration, which allows remote attackers to inject arbitrary PHP code, as demonstrated by a PHP shell that calls eval on request parameters.

  • CVE-2018-1000137 · High · Mar 23, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    I, Librarian version 4.8 and earlier contains a Cross site Request Forgery (CSRF) vulnerability in users.php that can result in the password of the admin being forced to be changed without the administrator's knowledge.

  • CVE-2018-7524 · High · Mar 22, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A cross-site request forgery vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which may allow an unauthorized user to be added to the system.

  • CVE-2018-1230 · High · Mar 21, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Pivotal Spring Batch Admin, all versions, does not contain cross site request forgery protection. A remote unauthenticated user could craft a malicious site that executes requests to Spring Batch Admin. This issue has not been patched because Spring Batch Admin has reached end…

  • CVE-2014-1457 · High · Mar 20, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Open Web Analytics (OWA) before 1.5.6 improperly generates random nonce values, which makes it easier for remote attackers to bypass a CSRF protection mechanism by leveraging knowledge of an OWA user name.

  • CVE-2014-2550 · High · Mar 19, 2018
    risk 0.57 · cvss 8.8 · epss 0.02

    Cross-site request forgery (CSRF) vulnerability in the Disable Comments plugin before 1.0.4 for WordPress allows remote attackers to hijack the authentication of administrators for requests that enable comments via a request to the disable_comments_settings page to…

  • CVE-2014-2274 · High · Mar 19, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the Subscribe To Comments Reloaded plugin before 140219 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via a request to the…

  • CVE-2018-8717 · High · Mar 15, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    joyplus-cms 1.6.0 has CSRF, as demonstrated by adding an administrator account via a manager/admin_ajax.php?action=save&tab={pre}manager request.

  • CVE-2018-1000093 · High · Mar 13, 2018
    risk 0.57 · cvss 8.8 · epss 0.02

    CryptoNote version 0.8.9 and possibly later contains a local RPC server which does not require authentication; as a result the walletd and the simplewallet RPC daemons will process any commands sent to them, resulting in remote command execution and a takeover of the…

  • CVE-2018-1000092 · High · Mar 13, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    CMS Made Simple version 2.2.5 contains a Cross Site Request Forgery (CSRF) vulnerability in the Admin profile page that can result in Details can be found here http://dev.cmsmadesimple.org/bug/view/11715. This attack appears to be exploitable via A specially crafted web page.…

  • CVE-2018-1000082 · High · Mar 13, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Ajenti version 2 contains a Cross Site Request Forgery (CSRF) vulnerability in the command execution panel of the tool used to manage the server that can result in code execution on the server. This attack appears to be exploitable via Being a CSRF, victim interaction is…

  • CVE-2017-7641 · High · Mar 8, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2.0, and earlier does not utilize CSRF protections.

  • CVE-2018-0210 · High · Mar 8, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability in the web-based management interface of Cisco Data Center Network Manager could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to…

  • CVE-2018-7565 · High · Mar 7, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    CSRF exists on Polycom QDX 6000 devices.

  • CVE-2018-7720 · High · Mar 7, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A cross-site request forgery (CSRF) vulnerability exists in Western Bridge Cobub Razor 0.7.2 via /index.php?/user/createNewUser/, resulting in account creation.