VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Abstraction: Compound · Status: Stable · Likelihood of exploit: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally submitted by the user who sent it. Because the browser attaches the user's session cookie to every request for the site, a request that actually originated from an attacker-controlled page can be processed as if the authenticated user intended it.
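Worked example added to this entry (it is not part of the CWE text or of any product listed below): a state-changing handler that checks only the session cookie, beside a hardened version that requires a per-session synchronizer token and rejects cross-site requests using the Origin and Sec-Fetch-Site headers. The session store, the account record, the /email endpoint, the origin names and the forged request are all constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed fixture: one logged-in user. The browser attaches the "session"
# cookie to every request for the site, which is exactly what CSRF abuses.
SESSIONS = {"sess-42": {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}}
ACCOUNTS = {"alice": {"email": "alice@example.test"}}
SITE_ORIGIN = "https://app.example.test"  # assumed origin of the application

# Constructed attacker page: auto-submits a POST to the victim application.
# Nothing on it needs to read a response; the cookie does the authenticating.
ATTACK_PAGE = """<form id=f method=POST action="https://app.example.test/email">
  <input name=email value="attacker@evil.example.test"></form>
<script>document.getElementById('f').submit()</script>"""


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    cookies: dict
    form: dict


def session_for(req):
    return SESSIONS.get(req.cookies.get("session"))


def change_email_vulnerable(req):
    """CWE-352 pattern: a valid session cookie is the only thing checked."""
    sess = session_for(req)
    if req.method != "POST" or sess is None:
        return 403
    ACCOUNTS[sess["user"]]["email"] = req.form["email"]
    return 200


def change_email_hardened(req):
    """Same handler with a synchronizer token plus request-origin checks."""
    sess = session_for(req)
    if req.method != "POST" or sess is None:
        return 403
    # 1. Synchronizer token: a per-session secret embedded in the site's own
    #    forms. A cross-site page cannot read it, so it cannot forge it.
    #    Constant-time comparison avoids leaking the token via timing.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), sess["csrf_token"].encode()):
        return 403
    # 2. Defence in depth: browsers add Origin to cross-site POSTs and
    #    Sec-Fetch-Site: cross-site (Fetch Metadata) to forged form submissions.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    if req.headers.get("Sec-Fetch-Site") == "cross-site":
        return 403
    ACCOUNTS[sess["user"]]["email"] = req.form["email"]
    return 200


def forged_request():
    """What the victim's browser sends after loading ATTACK_PAGE."""
    return Request("POST", "/email",
                   headers={"Origin": "https://evil.example.test",
                            "Sec-Fetch-Site": "cross-site"},
                   cookies={"session": "sess-42"},  # attached by the browser
                   form={"email": "attacker@evil.example.test"})


def legitimate_request():
    """A submission of the site's own form, which carries the session token."""
    return Request("POST", "/email",
                   headers={"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin"},
                   cookies={"session": "sess-42"},
                   form={"email": "new@example.test",
                         "csrf_token": SESSIONS["sess-42"]["csrf_token"]})


def demo():
    """Run the forged request against both handlers and report the outcome."""
    results = {}
    ACCOUNTS["alice"]["email"] = "alice@example.test"
    results["vulnerable_forged"] = change_email_vulnerable(forged_request())
    results["email_after_vulnerable"] = ACCOUNTS["alice"]["email"]
    ACCOUNTS["alice"]["email"] = "alice@example.test"
    results["hardened_forged"] = change_email_hardened(forged_request())
    results["email_after_hardened"] = ACCOUNTS["alice"]["email"]
    results["hardened_legit"] = change_email_hardened(legitimate_request())
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The vulnerable handler accepts the forged POST and overwrites the victim's e-mail; the hardened handler rejects it (no token, wrong Origin, cross-site fetch) and still accepts the site's own form. A SameSite=Lax or Strict attribute on the session cookie is a complementary mitigation, but the token check is the one that does not depend on browser behaviour.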

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 31 of 286
  • CVE-2017-1672 · High · Jan 4, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    IBM Tivoli Key Lifecycle Manager 2.6 and 2.7 are vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 133639.

  • CVE-2017-17990 · High · Dec 30, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Biometric Shift Employee Management System has CSRF via index.php in an edit_holiday action.

  • CVE-2017-17960 · High · Dec 28, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    PHP Scripts Mall PHP Multivendor Ecommerce has CSRF via admin/sellerupd.php.

  • CVE-2017-17939 · High · Dec 28, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    PHP Scripts Mall Single Theater Booking has CSRF via admin/sitesettings.php.

  • CVE-2017-17936 · High · Dec 28, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Vanguard Marketplace Digital Products PHP has CSRF via /search.

  • CVE-2017-17930 · High · Dec 27, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    PHP Scripts Mall Professional Service Script has CSRF via admin/general_settingupd.php, as demonstrated by modifying a setting in the user panel.

  • CVE-2017-17908 · High · Dec 27, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    PHP Scripts Mall Responsive Realestate Script has CSRF via admin/general.

  • CVE-2017-17905 · High · Dec 27, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    PHP Scripts Mall Car Rental Script has CSRF via admin/sitesettings.php.

  • CVE-2017-17903 · High · Dec 27, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    FS Lynda Clone has CSRF via user/edit_profile, as demonstrated by adding content to the user panel.

  • CVE-2017-17894 · High · Dec 27, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Readymade Job Site Script has CSRF via the /job URI.

  • CVE-2017-17891 · High · Dec 27, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Readymade Video Sharing Script has CSRF via user-profile-edit.php.

  • CVE-2017-17827 · High · Dec 21, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.

  • CVE-2017-1746 · High · Dec 20, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    IBM Jazz for Service Management (IBM Tivoli Components 1.1.3) is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 135519.

  • CVE-2017-1631 · High · Dec 20, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    IBM Jazz for Service Management (IBM Tivoli Components 1.1.3) is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 133140.

  • CVE-2017-17774 · High · Dec 20, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    admin/configuration.php in Piwigo 2.9.2 has CSRF.

  • CVE-2017-14092 · High · Dec 16, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    The absence of Anti-CSRF tokens in Trend Micro ScanMail for Exchange 12.0 web interface forms could allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain.

  • CVE-2017-17056 · High · Dec 4, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    The ZKTime Web Software 2.0.1.12280 allows the Administrator to elevate the privileges of the application user using a 'password_change()' function of the Modify Password component, reachable via the old_password, new_password1, and new_password2 parameters to the…

  • CVE-2016-10701 · High · Nov 28, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application.

  • CVE-2017-8138 · High · Nov 22, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    HedEx versions earlier than V200R006C00 have a cross-site request forgery (CSRF) vulnerability. An attacker could trick a user into accessing a website containing malicious scripts, which may tamper with configurations and interrupt normal services.

  • CVE-2017-15516 · High · Nov 16, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    NetApp SnapCenter Server versions 1.1 through 2.x are susceptible to a Cross-Site Request Forgery (CSRF) vulnerability which could be used to cause an unintended authenticated action in the user interface.