VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Compound · Stable · Likelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 282 of 286
  • CVE-2008-5400 · Dec 10, 2008
    risk 0.00 · cvss · epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in mvnForum before 1.2.1 GA allow remote attackers to (1) create forums, (2) change account privileges, (3) enable accounts, or (4) disable accounts as a product administrator via unspecified vectors, possibly related to…

  • CVE-2008-5382 · Dec 9, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in I-O DATA DEVICE HDL-F160, HDL-F250, HDL-F300, and HDL-F320 firmware before 1.02 allows remote attackers to (1) change a configuration or (2) delete files as an authenticated user via unknown vectors. NOTE: the provenance of…

  • CVE-2008-5189 · Nov 21, 2008
    risk 0.00 · cvss · epss 0.02

    CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.

  • CVE-2008-5113 · Nov 17, 2008
    risk 0.00 · cvss · epss 0.01

    WordPress 2.6.3 relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier for remote attackers to conduct delayed and persistent cross-site request forgery (CSRF) attacks via crafted cookies, as demonstrated by attacks that (1) delete user…

  • CVE-2008-5028 · Nov 10, 2008
    risk 0.00 · cvss · epss 0.02

    Cross-site request forgery (CSRF) vulnerability in cmd.cgi in (1) Nagios 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote attackers to send commands to the Nagios process, and trigger execution of arbitrary programs by this process, via unspecified HTTP requests.

  • CVE-2008-4899 · Nov 4, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Planetluc RateMe 1.3.3 allows remote attackers to perform unauthorized actions as other users via unspecified vectors.

  • CVE-2008-3868 · Nov 3, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Interact 2.4.1 allows remote attackers to hijack the authentication of super administrators for requests that create super administrator accounts.

  • CVE-2008-4734 · Oct 24, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the wpcr_do_options_page function in WP Comment Remix plugin before 1.4.4 for WordPress allows remote attackers to perform unauthorized actions as administrators via a request that sets the wpcr_hidden_form_input parameter.

  • CVE-2008-4448 · Oct 6, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in actions.php in Positive Software H-Sphere WebShell 4.3.10 allows remote attackers to perform unauthorized actions as an administrator, including file deletion and creation, via a link or IMG tag to the (1) overkill, (2) futils,…

  • CVE-2008-3909 · Sep 4, 2008
    risk 0.00 · cvss · epss 0.01

    The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via…

  • CVE-2008-3885 · Sep 2, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Blogn (BURO GUN) 1.9.7 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that make content modifications. NOTE: some of these details are obtained from third party information.

  • CVE-2008-3736 · Aug 27, 2008
    risk 0.00 · cvss · epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in (1) System Consultants La!Cooda WIZ 1.4.0 and earlier and (2) SpaceTag LacoodaST 2.1.3 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that (a) change passwords or (b)…

  • CVE-2008-3744 · Aug 27, 2008
    risk 0.00 · cvss · epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.10 and 6.x before 6.4 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) delete user access rules.

  • CVE-2008-3743 · Aug 27, 2008
    risk 0.00 · cvss · epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in forms in Drupal 6.x before 6.4 allow remote attackers to perform unspecified actions via unknown vectors, related to improper token validation for (1) cached forms and (2) forms with AHAH elements.

  • CVE-2008-3760 · Aug 21, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the sign-out page in Vanilla 1.1.4 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that trigger a logout via a SignOutNow action to people.php.

  • CVE-2008-3759 · Aug 21, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in ajax/UpdateCheck.php in Vanilla 1.1.4 and earlier has unknown impact and remote attack vectors.

  • CVE-2008-3716 · Aug 19, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Harmoni before 1.6.0 allows remote attackers to make administrative modifications via a (1) save or (2) delete action to an unspecified component.

  • CVE-2008-3421 · Jul 31, 2008
    risk 0.00 · cvss · epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in Blackboard Academic Suite 8.0.260.7 allow remote attackers to hijack the authentication of student users for requests that change configuration and enrollments via unspecified input to (1) update_module.jsp, (2)…

  • CVE-2008-3392 · Jul 31, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Web Wiz Forum 9.5 allows remote attackers to log out a user via a link or IMG tag to log_off_user.asp.

  • CVE-2008-3325 · Jul 25, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Moodle 1.6.x before 1.6.7 and 1.7.x before 1.7.5 allows remote attackers to modify profile settings and gain privileges as other users via a link or IMG tag to the user edit profile page.