CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
(page 31 of 286)

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-1672 | | High | 0.57 | 8.8 | 0.01 | | Jan 4, 2018 | IBM Tivoli Key Lifecycle Manager 2.6 and 2.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 133639. |
| CVE-2017-17990 | | High | 0.57 | 8.8 | 0.01 | | Dec 30, 2017 | Biometric Shift Employee Management System has CSRF via index.php in an edit_holiday action. |
| CVE-2017-17960 | | High | 0.57 | 8.8 | 0.01 | | Dec 28, 2017 | PHP Scripts Mall PHP Multivendor Ecommerce has CSRF via admin/sellerupd.php. |
| CVE-2017-17939 | | High | 0.57 | 8.8 | 0.00 | | Dec 28, 2017 | PHP Scripts Mall Single Theater Booking has CSRF via admin/sitesettings.php. |
| CVE-2017-17936 | | High | 0.57 | 8.8 | 0.00 | | Dec 28, 2017 | Vanguard Marketplace Digital Products PHP has CSRF via /search. |
| CVE-2017-17930 | | High | 0.57 | 8.8 | 0.01 | | Dec 27, 2017 | PHP Scripts Mall Professional Service Script has CSRF via admin/general_settingupd.php, as demonstrated by modifying a setting in the user panel. |
| CVE-2017-17908 | | High | 0.57 | 8.8 | 0.00 | | Dec 27, 2017 | PHP Scripts Mall Responsive Realestate Script has CSRF via admin/general. |
| CVE-2017-17905 | | High | 0.57 | 8.8 | 0.01 | | Dec 27, 2017 | PHP Scripts Mall Car Rental Script has CSRF via admin/sitesettings.php. |
| CVE-2017-17903 | | High | 0.57 | 8.8 | 0.00 | | Dec 27, 2017 | FS Lynda Clone has CSRF via user/edit_profile, as demonstrated by adding content to the user panel. |
| CVE-2017-17894 | | High | 0.57 | 8.8 | 0.01 | | Dec 27, 2017 | Readymade Job Site Script has CSRF via the /job URI. |
| CVE-2017-17891 | | High | 0.57 | 8.8 | 0.01 | | Dec 27, 2017 | Readymade Video Sharing Script has CSRF via user-profile-edit.php. |
| CVE-2017-17827 | | High | 0.57 | 8.8 | 0.01 | | Dec 21, 2017 | Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions. |
| CVE-2017-1746 | | High | 0.57 | 8.8 | 0.01 | | Dec 20, 2017 | IBM Jazz for Service Management (IBM Tivoli Components 1.1.3) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 135519. |
| CVE-2017-1631 | | High | 0.57 | 8.8 | 0.01 | | Dec 20, 2017 | IBM Jazz for Service Management (IBM Tivoli Components 1.1.3) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 133140. |
| CVE-2017-17774 | | High | 0.57 | 8.8 | 0.01 | | Dec 20, 2017 | admin/configuration.php in Piwigo 2.9.2 has CSRF. |
| CVE-2017-14092 | | High | 0.57 | 8.8 | 0.01 | | Dec 16, 2017 | The absence of Anti-CSRF tokens in Trend Micro ScanMail for Exchange 12.0 web interface forms could allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. |
| CVE-2017-17056 | | High | 0.57 | 8.8 | 0.01 | | Dec 4, 2017 | The ZKTime Web Software 2.0.1.12280 allows the Administrator to elevate the privileges of the application user using a 'password_change()' function of the Modify Password component, reachable via the old_password, new_password1, and new_password2 parameters to the… |
| CVE-2016-10701 | | High | 0.57 | 8.8 | 0.01 | | Nov 28, 2017 | In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application. |
| CVE-2017-8138 | | High | 0.57 | 8.8 | 0.00 | | Nov 22, 2017 | HedEx Earlier than V200R006C00 versions has a cross-site request forgery (CSRF) vulnerability. An attacker could trick a user into accessing a website containing malicious scripts which may tamper with configurations and interrupt normal services. |
| CVE-2017-15516 | | High | 0.57 | 8.8 | 0.01 | | Nov 16, 2017 | NetApp SnapCenter Server versions 1.1 through 2.x are susceptible to a Cross-Site Request Forgery (CSRF) vulnerability which could be used to cause an unintended authenticated action in the user interface. |