CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 30 of 286

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-18042 | — | High | 0.57 | 8.8 | 0.01 | | Feb 2, 2018 | The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability. |
| CVE-2014-9502 | — | High | 0.57 | 8.8 | 0.01 | | Feb 1, 2018 | Multiple cross-site request forgery (CSRF) vulnerabilities in unspecified sub modules in the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal allow remote attackers to hijack the authentication of unknown victims via vectors related to menu callbacks. |
| CVE-2018-0509 | — | High | 0.57 | 8.8 | 0.01 | | Feb 1, 2018 | Cross-site request forgery (CSRF) vulnerability in epg search result viewer (kkcald) 0.7.21 and earlier allows an attacker to hijack the authentication of administrators via unspecified vectors. |
| CVE-2018-6408 | — | High | 0.57 | 8.8 | 0.01 | | Jan 30, 2018 | An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 devices. CSRF exists in hy-cgi/user.cgi, as demonstrated by changing an administrator password or adding a new administrator account. |
| CVE-2018-6391 | — | High | 0.57 | 8.8 | 0.01 | | Jan 29, 2018 | A cross-site request forgery web vulnerability has been discovered on Netis WF2419 V2.2.36123 devices. A remote attacker is able to delete Address Reservation List settings. |
| CVE-2017-4951 | — | High | 0.57 | 8.8 | 0.01 | | Jan 29, 2018 | VMware AirWatch Console (9.2.x before 9.2.2 and 9.1.x before 9.1.5) contains a Cross Site Request Forgery vulnerability when accessing the App Catalog. An attacker may exploit this issue by tricking users into installing a malicious application on their devices. |
| CVE-2018-6357 | — | High | 0.57 | 8.8 | 0.01 | | Jan 27, 2018 | The acx_asmw_saveorder_callback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant social_widget_icon_array_order XSS. |
| CVE-2017-1769 | — | High | 0.57 | 8.8 | 0.01 | | Jan 24, 2018 | IBM Business Process Manager 8.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 136783. |
| CVE-2018-1000014 | — | High | 0.57 | 8.8 | 0.01 | | Jan 23, 2018 | Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins… |
| CVE-2018-1000013 | — | High | 0.57 | 8.8 | 0.01 | | Jan 23, 2018 | Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds. |
| CVE-2018-0107 | — | High | 0.57 | 8.8 | 0.01 | | Jan 18, 2018 | A vulnerability in the web framework of Cisco Prime Service Catalog could allow an unauthenticated, remote attacker to execute unwanted actions on an affected device. The vulnerability is due to a lack of cross-site request forgery (CSRF) protection. An attacker could exploit… |
| CVE-2018-5329 | — | High | 0.57 | 8.8 | 0.01 | | Jan 15, 2018 | ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) on /CWEBNET/* authenticated pages. A successful CSRF attack can force the user to modify state: creating users, changing an email address, and so forth. If the victim is an administrative… |
| CVE-2018-5673 | — | High | 0.57 | 8.8 | 0.01 | | Jan 13, 2018 | An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. CSRF exists via wp-admin/admin.php. |
| CVE-2018-5669 | — | High | 0.57 | 8.8 | 0.01 | | Jan 13, 2018 | An issue was discovered in the read-and-understood plugin 2.1 for WordPress. CSRF exists via wp-admin/options-general.php. |
| CVE-2018-5658 | — | High | 0.57 | 8.8 | 0.01 | | Jan 13, 2018 | An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. CSRF exists via wp-admin/admin.php. |
| CVE-2018-5656 | — | High | 0.57 | 8.8 | 0.01 | | Jan 13, 2018 | An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. CSRF exists via wp-admin/admin-ajax.php. |
| CVE-2016-0335 | — | High | 0.57 | 8.8 | 0.01 | | Jan 12, 2018 | Cross-site request forgery (CSRF) vulnerability in IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.0 before 7.0.1-ISS-SIM-FP0001 allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown… |
| CVE-2018-5368 | — | High | 0.57 | 8.8 | 0.01 | | Jan 12, 2018 | The SrbTransLatin plugin 1.46 for WordPress has CSRF via an srbtranslatoptions action to wp-admin/options-general.php. |
| CVE-2018-5361 | — | High | 0.57 | 8.8 | 0.01 | | Jan 12, 2018 | The WPGlobus plugin 1.9.6 for WordPress has CSRF via wp-admin/options.php. |
| CVE-2018-5285 | — | High | 0.57 | 8.8 | 0.01 | | Jan 8, 2018 | The ImageInject plugin 1.15 for WordPress has CSRF via wp-admin/options-general.php. |