VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 36 of 286
  • CVE-2016-1000218HigJun 16, 2017
    risk 0.57cvss 8.8epss 0.01

    Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page.

  • CVE-2017-9673HigJun 15, 2017
    risk 0.57cvss 8.8epss 0.01

    In SimpleCE 2.3.0, a CSRF vulnerability can be exploited to add an administrator account (via the index.php/user/new URI) or change its settings (via the index.php/user/1 URI), including its password.

  • CVE-2017-6659HigJun 13, 2017
    risk 0.57cvss 8.8epss 0.01

    A vulnerability in the web-based management interface of Cisco Prime Collaboration Assurance could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. More Information: CSCvc91800.…

  • CVE-2016-7822HigJun 9, 2017
    risk 0.57cvss 8.8epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Buffalo WNC01WH devices with firmware version 1.0.0.8 and earlier allows remote attackers to hijack the authentication of a logged in user to perform unintended operations via unspecified vectors.

  • CVE-2016-7809HigJun 9, 2017
    risk 0.57cvss 8.8epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Corega CG-WLR300NX firmware Ver. 1.20 and earlier allows remote attackers to hijack the authentication of logged in user to conduct unintended operations via unspecified vectors.

  • CVE-2016-4907HigJun 9, 2017
    risk 0.57cvss 8.8epss 0.01

    Cybozu Garoon 3.0.0 to 4.2.2 allow remote attackers to obtain CSRF tokens via unspecified vectors.

  • CVE-2017-9519HigJun 8, 2017
    risk 0.57cvss 8.8epss 0.00

    atmail before 7.8.0.2 has CSRF, allowing an attacker to create a user account.

  • CVE-2017-9518HigJun 8, 2017
    risk 0.57cvss 8.8epss 0.00

    atmail before 7.8.0.2 has CSRF, allowing an attacker to change the SMTP hostname and hijack all emails.

  • CVE-2017-9517HigJun 8, 2017
    risk 0.57cvss 8.8epss 0.00

    atmail before 7.8.0.2 has CSRF, allowing an attacker to upload and import users via CSV.

  • CVE-2017-9444HigJun 5, 2017
    risk 0.57cvss 8.8epss 0.00

    BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages), the index.php/admin/developer/upgrade/ignore/?versions= URI, and the…

  • CVE-2016-8229HigJun 4, 2017
    risk 0.57cvss 8.8epss 0.00

    A cross-site request forgery vulnerability in Lenovo Service Bridge before version 4 could be exploited by an attacker with access to the DHCP server used by the system where LSB is installed.

  • CVE-2017-9379HigJun 2, 2017
    risk 0.57cvss 8.8epss 0.00

    Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-statistics\404\clear.php and the from or to parameter to core\admin\modules\dashboard\vitals-statistics\404\create-301.php.

  • CVE-2017-9365HigJun 2, 2017
    risk 0.57cvss 8.8epss 0.00

    CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/pages/revisions/1/?force=false. A page with id=1 can be unlocked.

  • CVE-2017-7917HigMay 29, 2017
    risk 0.57cvss 8.8epss 0.00

    A Cross-Site Request Forgery issue was discovered in Moxa OnCell G3110-HSPA Version 1.3 build 15082117 and previous versions, OnCell G3110-HSDPA Version 1.2 Build 09123015 and previous versions, OnCell G3150-HSDPA Version 1.4 Build 11051315 and previous versions, OnCell…

  • CVE-2017-9033HigMay 26, 2017
    risk 0.57cvss 8.8epss 0.02

    Cross-site request forgery (CSRF) vulnerability in Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows remote attackers to hijack the authentication of users for requests to start an update from an arbitrary source via a crafted request to…

  • CVE-2015-3191HigMay 25, 2017
    risk 0.57cvss 8.8epss 0.00

    With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the change_email form in UAA is vulnerable to a CSRF attack. This allows an attacker to trigger an e-mail change for a user…

  • CVE-2016-4904HigMay 22, 2017
    risk 0.57cvss 8.8epss 0.01

    Cross-site request forgery (CSRF) vulnerability in WP-OliveCart versions prior to 3.1.3 and WP-OliveCartPro versions prior to 3.1.8 allows remote attackers to hijack the authentication of a user to perform unintended operations via unspecified vectors.

  • CVE-2016-4854HigMay 22, 2017
    risk 0.57cvss 8.8epss 0.01

    Cross-site request forgery (CSRF) vulnerability in L-04D firmware version V10a and V10b allows remote attackers to hijack the authentication of administrators to perform arbitrary operations via unspecified vectors.

  • CVE-2017-6634HigMay 22, 2017
    risk 0.57cvss 8.8epss 0.01

    A vulnerability in the Device Manager web interface of Cisco Industrial Ethernet 1000 Series Switches 1.3 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of an affected system. The vulnerability is due to…

  • CVE-2016-3403HigMay 17, 2017
    risk 0.57cvss 8.8epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Zimbra Collaboration before 8.6.0 Patch 8 allow remote attackers to hijack the authentication of administrators for requests that (1) add, (2) modify, or (3) remove accounts by leveraging failure…