VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Compound · Stable · Likelihood of exploit: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 32 of 286
  • CVE-2017-11876 · High · Nov 15, 2017
    risk 0.57 · cvss 8.8 · epss 0.02

    Microsoft Project Server and Microsoft SharePoint Enterprise Server 2016 allow an attacker to use cross-site forgery to read content that they are not authorized to read, use the victim's identity to take actions on the web application on behalf of the victim, such as change…

  • CVE-2017-16565 · High · Nov 6, 2017
    risk 0.57 · cvss 8.8 · epss 0.00

    Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage (Grandstream) HT802 devices allows attackers to authenticate a user via the login screen using the default password of 123 and submit arbitrary requests.

  • CVE-2017-1300 · High · Nov 1, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 125162.

  • CVE-2017-1000244 · High · Nov 1, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF, resulting in data modification.

  • CVE-2012-4568 · High · Oct 23, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in LetoDMS (formerly MyDMS) before 3.3.8 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors.

  • CVE-2017-15733 · High · Oct 22, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/ajax.attachment.php and admin/att.main.php.

  • CVE-2017-15732 · High · Oct 22, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/news.php.

  • CVE-2017-15731 · High · Oct 22, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.adminlog.php.

  • CVE-2017-15729 · High · Oct 22, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for adding a glossary.

  • CVE-2017-12271 · High · Oct 19, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability in Cisco SPA300 and SPA500 Series IP Phones could allow an unauthenticated, remote attacker to execute unwanted actions on an affected device. The vulnerability is due to a lack of cross-site request forgery (CSRF) protection. An attacker could exploit this…

  • CVE-2017-14011 · High · Oct 17, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    A Cross-Site Request Forgery issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The application does not sufficiently verify requests, making it susceptible to cross-site request forgery. This may allow an attacker to execute unauthorized code, resulting…

  • CVE-2017-15296 · High · Oct 16, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    The Java component in SAP CRM has CSRF. This is SAP Security Note 2478964.

  • CVE-2017-1000093 · High · Oct 5, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a…

  • CVE-2017-1000090 · High · Oct 5, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing…

  • CVE-2016-6806 · High · Oct 3, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was…
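    The three defects recurring in the entries above are: a state-changing action reachable by GET (the two Jenkins plugin entries), an origin check that trusts a request whenever the Origin header is simply absent (the Apache Wicket entry), and no per-session token at all. The validator below is an added example written for this page, not code from VYPR, Apache Wicket, Jenkins or any listed vendor. It shows the weak Origin-only check beside the hardened Origin-then-Referer check, refuses safe methods for state changes, and adds a synchronizer token compared in constant time. The site origin, header names, session dictionary and form fields are constructed stand-ins.

```python
"""Added CSRF-validation example (not VYPR's or any vendor's code).
All requests below are constructed in memory; no server is involved."""
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must never change state


def origin_of(url: str) -> str:
    """Return scheme://host[:port] of a URL, lower-cased; '' if unparsable."""
    p = urlsplit(url)
    if not p.scheme or not p.netloc:
        return ""
    return f"{p.scheme}://{p.netloc}".lower()


def weak_origin_check(headers: Dict[str, str], expected: str) -> bool:
    """The flawed pattern: a request carrying no Origin header is treated
    as same-origin, so a cross-site request that omits Origin passes."""
    origin = headers.get("Origin")
    if origin is None:
        return True                      # the bug: absence is trusted
    return origin_of(origin) == expected


def hardened_origin_check(headers: Dict[str, str], expected: str) -> bool:
    """Check Origin; when Origin is absent fall back to Referer; when
    neither is present, reject (the fix direction the Wicket entry gives)."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin_of(origin) == expected
    referer = headers.get("Referer")
    if referer:
        return origin_of(referer) == expected
    return False


def issue_token(session: Dict[str, str]) -> str:
    """Mint (or reuse) the session's synchronizer token (assumed session store)."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def check_csrf(method: str, headers: Dict[str, str], form: Dict[str, str],
               session: Dict[str, str], expected_origin: str) -> Tuple[bool, str]:
    """Decide whether a state-changing request may proceed.

    1. Safe methods are rejected outright: an action that changes state
       must only be routed here via POST, which rules out the GET-reachable
       API mistake by construction.
    2. Origin (or Referer) must match the site.
    3. The session's synchronizer token must be echoed in the form and
       compared in constant time.
    """
    if method.upper() in SAFE_METHODS:
        return False, "state-changing actions must not be reachable via " + method
    if not hardened_origin_check(headers, expected_origin):
        return False, "origin check failed"
    expected_token = session.get("csrf_token", "")
    submitted = form.get("csrf_token", "")
    if not expected_token or not hmac.compare_digest(
            expected_token.encode(), submitted.encode()):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    SITE = "https://app.example"          # constructed site origin
    sess: Dict[str, str] = {}
    tok = issue_token(sess)
    # Cross-site form post that omits Origin: weak check passes, hardened rejects.
    print("weak, no Origin   :", weak_origin_check({}, SITE))
    print("hardened, no Origin:", hardened_origin_check({}, SITE))
    print("legit POST        :", check_csrf("POST", {"Origin": SITE},
                                            {"csrf_token": tok}, sess, SITE))
    print("forged POST       :", check_csrf("POST", {"Origin": "https://evil.example"},
                                            {"csrf_token": tok}, sess, SITE))
    print("state change by GET:", check_csrf("GET", {"Origin": SITE},
                                             {"csrf_token": tok}, sess, SITE))
```

    Note that the Referer fallback only helps when the browser sends one; privacy settings and `Referrer-Policy: no-referrer` strip it, which is why the hardened check rejects rather than allows when both headers are missing, and why the token remains the primary control.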

  • CVE-2015-9233 · High · Sep 30, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) plugin before 1.1.6 for WordPress has CSRF with resultant XSS, related to cp_contactformpp.php and cp_contactformpp_admin_int_list.inc.php.

  • CVE-2017-7969 · High · Sep 26, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type…

  • CVE-2015-5182 · High · Sep 25, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the jolokia API in A-MQ.

  • CVE-2015-0276 · High · Sep 21, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Kallithea before 0.2.

  • CVE-2017-12253 · High · Sep 21, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability in the Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to execute unwanted actions. The vulnerability is due to a lack of cross-site request forgery (CSRF) protection. An attacker could exploit this vulnerability by tricking the…