CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 32 of 286

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-11876 | | High | 0.57 | 8.8 | 0.02 | | Nov 15, 2017 | Microsoft Project Server and Microsoft SharePoint Enterprise Server 2016 allow an attacker to use cross-site forgery to read content that they are not authorized to read, use the victim's identity to take actions on the web application on behalf of the victim, such as change… |
| CVE-2017-16565 | | High | 0.57 | 8.8 | 0.00 | | Nov 6, 2017 | Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage (Grandstream) HT802 devices allows attackers to authenticate a user via the login screen using the default password of 123 and submit arbitrary requests. |
| CVE-2017-1300 | | High | 0.57 | 8.8 | 0.01 | | Nov 1, 2017 | IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 125162. |
| CVE-2017-1000244 | | High | 0.57 | 8.8 | 0.01 | | Nov 1, 2017 | Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF resulting in data modification. |
| CVE-2012-4568 | | High | 0.57 | 8.8 | 0.01 | | Oct 23, 2017 | Multiple cross-site request forgery (CSRF) vulnerabilities in LetoDMS (formerly MyDMS) before 3.3.8 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
| CVE-2017-15733 | | High | 0.57 | 8.8 | 0.01 | | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/ajax.attachment.php and admin/att.main.php. |
| CVE-2017-15732 | | High | 0.57 | 8.8 | 0.01 | | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/news.php. |
| CVE-2017-15731 | | High | 0.57 | 8.8 | 0.01 | | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.adminlog.php. |
| CVE-2017-15729 | | High | 0.57 | 8.8 | 0.01 | | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for adding a glossary. |
| CVE-2017-12271 | | High | 0.57 | 8.8 | 0.01 | | Oct 19, 2017 | A vulnerability in Cisco SPA300 and SPA500 Series IP Phones could allow an unauthenticated, remote attacker to execute unwanted actions on an affected device. The vulnerability is due to a lack of cross-site request forgery (CSRF) protection. An attacker could exploit this… |
| CVE-2017-14011 | | High | 0.57 | 8.8 | 0.01 | | Oct 17, 2017 | A Cross-Site Request Forgery issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The application does not sufficiently verify requests, making it susceptible to cross-site request forgery. This may allow an attacker to execute unauthorized code, resulting… |
| CVE-2017-15296 | | High | 0.57 | 8.8 | 0.01 | | Oct 16, 2017 | The Java component in SAP CRM has CSRF. This is SAP Security Note 2478964. |
| CVE-2017-1000093 | | High | 0.57 | 8.8 | 0.01 | | Oct 5, 2017 | Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a… |
| CVE-2017-1000090 | | High | 0.57 | 8.8 | 0.01 | | Oct 5, 2017 | Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing… |
| CVE-2016-6806 | | High | 0.57 | 8.8 | 0.01 | | Oct 3, 2017 | Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was… |
| CVE-2015-9233 | | High | 0.57 | 8.8 | 0.01 | | Sep 30, 2017 | The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) plugin before 1.1.6 for WordPress has CSRF with resultant XSS, related to cp_contactformpp.php and cp_contactformpp_admin_int_list.inc.php. |
| CVE-2017-7969 | | High | 0.57 | 8.8 | 0.01 | | Sep 26, 2017 | A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type… |
| CVE-2015-5182 | | High | 0.57 | 8.8 | 0.01 | | Sep 25, 2017 | Cross-site request forgery (CSRF) vulnerability in the jolokia API in A-MQ. |
| CVE-2015-0276 | | High | 0.57 | 8.8 | 0.01 | | Sep 21, 2017 | Cross-site request forgery (CSRF) vulnerability in Kallithea before 0.2. |
| CVE-2017-12253 | | High | 0.57 | 8.8 | 0.01 | | Sep 21, 2017 | A vulnerability in the Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to execute unwanted actions. The vulnerability is due to a lack of cross-site request forgery (CSRF) protection. An attacker could exploit this vulnerability by tricking the… |