VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Compound · Stable · Likelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 34 of 286
  • CVE-2017-12881 · High · Aug 18, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the Spring Batch Admin before 1.3.0 allows remote attackers to hijack the authentication of unspecified victims and submit arbitrary requests, such as exploiting the file upload vulnerability.

  • CVE-2017-12593 · High · Aug 18, 2017
    risk 0.57 · cvss 8.8 · epss 0.00

    ASUS DSL-N10S V2.1.16_APAC devices allow CSRF.

  • CVE-2017-12589 · High · Aug 18, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    ToMAX R60G R60GV2-V2.0-v.2.6.3-170330 devices do not have any protection against a CSRF attack.

  • CVE-2017-7556 · High · Aug 17, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Hawtio versions up to and including 1.5.3 are vulnerable to a CSRF vulnerability allowing remote attackers to trick the user into visiting their website containing a malicious script, which can be submitted to the hawtio server on behalf of the user.

  • CVE-2017-12853 · High · Aug 14, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    The RealTime RWR-3G-100 Router Firmware Version: Ver1.0.56 is affected by CSRF, an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

  • CVE-2017-12651 · High · Aug 7, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross Site Request Forgery (CSRF) exists in the Blacklist and Whitelist IP Wizard in init.php in the Loginizer plugin before 1.3.6 for WordPress because the HTTP Referer header is not checked.

  • CVE-2017-6756 · High · Aug 7, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability in the Web UI Application of the Cisco Prime Collaboration Provisioning Tool through 12.2 could allow an unauthenticated, remote attacker to execute unwanted actions. The vulnerability is due to a lack of defense against cross-site request forgery (CSRF) attacks.…

  • CVE-2017-10677 · High · Aug 6, 2017
    risk 0.57 · cvss 8.8 · epss 0.00

    Cross-Site Request Forgery (CSRF) exists on Linksys EA4500 devices with Firmware Version before 2.1.41.164606, as demonstrated by a request to apply.cgi to disable SIP.

  • CVE-2017-12584 · High · Aug 6, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    There is no CSRF mitigation in SLiMS 8 Akasia through 8.3.1. Also, an entire user profile (including the password) can be updated without sending the current password. This allows remote attackers to trick a user into changing to an attacker-controlled password, a complete…

  • CVE-2017-9863 · High · Aug 5, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in SMA Solar Technology products. If a user simultaneously has Sunny Explorer running and visits a malicious host, cross-site request forgery can be used to change settings in the inverters (for example, issuing a POST request to change the user…

  • CVE-2017-2138 · High · Aug 2, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows remote attackers to hijack the authentication of administrators via…

  • CVE-2017-11726 · High · Jul 31, 2017
    risk 0.57 · cvss 8.8 · epss 0.00

    services/system_io/actionprocessor/System.rails in ConnectWise Manage 2017.5 is vulnerable to Cross-Site Request Forgery (CSRF), as demonstrated by changing an e-mail address setting.

  • CVE-2017-11648 · High · Jul 31, 2017
    risk 0.57 · cvss 8.8 · epss 0.00

    Techroutes TR 1803-3G Wireless Cellular Router/Modem 2.4.25 devices do not possess any protection against a CSRF vulnerability, as demonstrated by a goform/BasicSettings request to disable port filtering.

  • CVE-2016-9716 · High · Jul 31, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    IBM InfoSphere Master Data Management Server 11.0, 11.3, 11.4, 11.5, and 11.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 119729.

  • CVE-2016-9714 · High · Jul 31, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    IBM InfoSphere Master Data Management Server 10.1, 11.0, 11.3, 11.4, 11.5, and 11.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 119727.

  • CVE-2017-9490 · High · Jul 31, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    The Comcast firmware on Arris TG1682G (eMTA&DOCSIS version 10.0.132.SIP.PC20.CT, software version TG1682_2.2p7s2_PROD_sey) devices allows configuration changes via CSRF.

  • CVE-2017-9489 · High · Jul 31, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    The Comcast firmware on Cisco DPC3939B (firmware version dpc3939b-v303r204217-150321a-CMCST) devices allows configuration changes via CSRF.

  • CVE-2017-11646 · High · Jul 28, 2017
    risk 0.57 · cvss 8.8 · epss 0.00

    NetComm Wireless 4GT101W routers with Hardware: 0.01 / Software: V1.1.8.8 / Bootloader: 1.1.3 are vulnerable to CSRF attacks, as demonstrated by using administration.html to disable the firewall. They do not contain any token that can mitigate CSRF vulnerabilities within the…

  • CVE-2017-11680 · High · Jul 27, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-Site Request Forgery (CSRF) exists in Hashtopussy 0.4.0, allowing an admin password change via users.php.

  • CVE-2017-11679 · High · Jul 27, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-Site Request Forgery (CSRF) exists in Hashtopus 1.5g via the password parameter to admin.php in an a=config action.