
CWE-352

Cross-Site Request Forgery (CSRF)

Structure: Compound
Status: Stable
Likelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 30 of 286
  • CVE-2017-18042 · High · Feb 2, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability.

  • CVE-2014-9502 · High · Feb 1, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in unspecified sub modules in the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal allow remote attackers to hijack the authentication of unknown victims via vectors related to menu callbacks.

  • CVE-2018-0509 · High · Feb 1, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Cross-site request forgery (CSRF) vulnerability in epg search result viewer (kkcald) 0.7.21 and earlier allows an attacker to hijack the authentication of administrators via unspecified vectors.

  • CVE-2018-6408 · High · Jan 30, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 devices. CSRF exists in hy-cgi/user.cgi, as demonstrated by changing an administrator password or adding a new administrator account.

  • CVE-2018-6391 · High · Jan 29, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    A cross-site request forgery web vulnerability has been discovered on Netis WF2419 V2.2.36123 devices. A remote attacker is able to delete Address Reservation List settings.

  • CVE-2017-4951 · High · Jan 29, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    VMware AirWatch Console (9.2.x before 9.2.2 and 9.1.x before 9.1.5) contains a Cross Site Request Forgery vulnerability when accessing the App Catalog. An attacker may exploit this issue by tricking users into installing a malicious application on their devices.

  • CVE-2018-6357 · High · Jan 27, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    The acx_asmw_saveorder_callback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant social_widget_icon_array_order XSS.

  • CVE-2017-1769 · High · Jan 24, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    IBM Business Process Manager 8.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 136783.

  • CVE-2018-1000014 · High · Jan 23, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins…

  • CVE-2018-1000013 · High · Jan 23, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds.

  • CVE-2018-0107 · High · Jan 18, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    A vulnerability in the web framework of Cisco Prime Service Catalog could allow an unauthenticated, remote attacker to execute unwanted actions on an affected device. The vulnerability is due to a lack of cross-site request forgery (CSRF) protection. An attacker could exploit…

  • CVE-2018-5329 · High · Jan 15, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) on /CWEBNET/* authenticated pages. A successful CSRF attack can force the user to modify state: creating users, changing an email address, and so forth. If the victim is an administrative…

  • CVE-2018-5673 · High · Jan 13, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. CSRF exists via wp-admin/admin.php.

  • CVE-2018-5669 · High · Jan 13, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An issue was discovered in the read-and-understood plugin 2.1 for WordPress. CSRF exists via wp-admin/options-general.php.

  • CVE-2018-5658 · High · Jan 13, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. CSRF exists via wp-admin/admin.php.

  • CVE-2018-5656 · High · Jan 13, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. CSRF exists via wp-admin/admin-ajax.php.

  • CVE-2016-0335 · High · Jan 12, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Cross-site request forgery (CSRF) vulnerability in IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.0 before 7.0.1-ISS-SIM-FP0001 allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown…

  • CVE-2018-5368 · High · Jan 12, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    The SrbTransLatin plugin 1.46 for WordPress has CSRF via an srbtranslatoptions action to wp-admin/options-general.php.

  • CVE-2018-5361 · High · Jan 12, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    The WPGlobus plugin 1.9.6 for WordPress has CSRF via wp-admin/options.php.

  • CVE-2018-5285 · High · Jan 8, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    The ImageInject plugin 1.15 for WordPress has CSRF via wp-admin/options-general.php.