CWE-352
Cross-Site Request Forgery (CSRF)
CompoundStableLikelihood: Medium
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (4,552)
page 3 of 228| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-52401 | Cri | 0.62 | 9.6 | 0.00 | Nov 19, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in HuangYe WuDeng Hacklog DownloadManager hacklog-downloadmanager allows Upload a Web Shell to a Web Server.This issue affects Hacklog DownloadManager: from n/a through <= 2.1.4. | |
| CVE-2024-49674 | Cri | 0.62 | 9.6 | 0.00 | Oct 31, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in lukashuser EKC Tournament Manager ekc-tournament-manager allows Upload a Web Shell to a Web Server.This issue affects EKC Tournament Manager: from n/a through <= 2.2.1. | |
| CVE-2024-7568 | Cri | 0.62 | 9.6 | 0.00 | Aug 24, 2024 | The Favicon Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the output_sub_admin_page_0 function. This makes it possible for unauthenticated attackers to delete arbitrary files on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The plugin author deleted the functionality of the plugin to patch this issue and close the plugin, we recommend seeking an alternative to this plugin. CVE-2024-7864 appears to be a duplicate of this issue. | |
| CVE-2024-33913 | Cri | 0.62 | 9.6 | 0.00 | May 2, 2024 | Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary File Upload in Xserver Migrator.This issue affects Xserver Migrator: from n/a through 1.6.1. | |
| CVE-2024-30560 | Cri | 0.62 | 9.6 | 0.00 | Apr 25, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in 大侠WP DX-Watermark.This issue affects DX-Watermark: from n/a through 1.0.4. | |
| CVE-2023-52200 | Cri | 0.62 | 9.6 | 0.00 | Jan 8, 2024 | Cross-Site Request Forgery (CSRF), Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup.This issue affects ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup: n/a. | |
| CVE-2023-51545 | Cri | 0.62 | 9.6 | 0.00 | Dec 29, 2023 | Cross-Site Request Forgery (CSRF), Deserialization of Untrusted Data vulnerability in ThemeHigh Job Manager & Career – Manage job board listings, and recruitments.This issue affects Job Manager & Career – Manage job board listings, and recruitments: from n/a through 1.4.4. | |
| CVE-2025-27851 | Cri | 0.60 | 9.3 | 0.00 | May 13, 2026 | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack. Among other uses, the WDU utilizes WebSockets to control settings, including administrative settings. This allows a network attacker to take full control of a WDU. To initiate an exploit of this vulnerability, the victim must (1) be utilizing a web browser on a multihomed host that has local interfaces on the Garmin Marine Network as well as another network, and (2) access a malicious third party website created by the attacker. | |
| CVE-2025-30528 | Cri | 0.60 | 9.3 | 0.00 | Mar 24, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in wpshopee Awesome Logos awesome-logos allows SQL Injection.This issue affects Awesome Logos: from n/a through <= 1.2. | |
| CVE-2024-56901 | Hig | 0.60 | 8.8 | 0.01 | Feb 3, 2025 | A Cross-Site Request Forgery (CSRF) vulnerability in Geovision GV-ASWeb application with the version 6.1.1.0 or less that allows attackers to arbitrarily create Administrator accounts via a crafted GET request method. This vulnerability is used in chain with CVE-2024-56903 for a successful CSRF attack. | |
| CVE-2024-27448 | Cri | 0.60 | 9.1 | 0.13 | Apr 5, 2024 | MailDev 2 through 2.1.0 allows Remote Code Execution via a crafted Content-ID header for an e-mail attachment, leading to lib/mailserver.js writing arbitrary code into the routes.js file. | |
| CVE-2017-5264 | Hig | 0.60 | 8.8 | 0.00 | Dec 14, 2017 | Versions of Nexpose prior to 6.4.66 fail to adequately validate the source of HTTP requests intended for the Automated Actions administrative web application, and are susceptible to a cross-site request forgery (CSRF) attack. | |
| CVE-2017-7851 | Hig | 0.60 | 8.8 | 0.00 | Nov 15, 2017 | D-Link DCS-936L devices with firmware before 1.05.07 have an inadequate CSRF protection mechanism that requires the device's IP address to be a substring of the HTTP Referer header. | |
| CVE-2017-16570 | Hig | 0.60 | 8.8 | 0.00 | Nov 6, 2017 | KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by removing the CSRF parameter and value, aka SecureLayer7 issue number SL7_KEYJS_03. In other words, it fails to reject requests that lack an x-csrf-token header. | |
| CVE-2015-2878 | Hig | 0.60 | 8.8 | 0.00 | Oct 23, 2017 | Multiple cross-site request forgery (CSRF) vulnerabilities in Hexis HawkEye G 3.0.1.4912 allow remote attackers to hijack the authentication of administrators for requests that (1) add arbitrary accounts via the name parameter to interface/rest/accounts/json; turn off the (2) Url matching, (3) DNS Inject, or (4) IP Redirect Sensor in a request to interface/rest/dpi/setEnabled/1; or (5) perform whitelisting of malware MD5 hash IDs via the id parameter to interface/rest/md5-threats/whitelist. | |
| CVE-2017-15808 | Hig | 0.60 | 8.8 | 0.00 | Oct 23, 2017 | In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. | |
| CVE-2017-15735 | Hig | 0.60 | 8.8 | 0.00 | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. | |
| CVE-2017-15734 | Hig | 0.60 | 8.8 | 0.00 | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. | |
| CVE-2017-15730 | Hig | 0.60 | 8.8 | 0.00 | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. | |
| CVE-2017-15645 | Hig | 0.60 | 8.8 | 0.01 | Oct 19, 2017 | CSRF exists in Webmin 1.850. By sending a GET request to at/create_job.cgi containing dir=/&cmd= in the URI, an attacker to execute arbitrary commands. |