CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 38 of 286

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-3691 | | High | 0.57 | 8.8 | 0.01 | | Apr 24, 2017 | Routes in Kallithea before 0.3.2 allows remote attackers to bypass the CSRF protection by using the GET HTTP request method. |
| CVE-2017-7951 | | High | 0.57 | 8.8 | 0.01 | | Apr 21, 2017 | WonderCMS before 2.0.3 has CSRF because of lack of a token in an unspecified context. |
| CVE-2017-7990 | | High | 0.57 | 8.8 | 0.01 | | Apr 21, 2017 | The Reporting Module 1.12.0 for OpenMRS allows CSRF attacks with resultant XSS, in which administrative authentication is hijacked to insert JavaScript into a name field in webapp/reports/manageReports.jsp. |
| CVE-2016-5401 | | High | 0.57 | 8.8 | 0.01 | | Apr 20, 2017 | Cross-site request forgery (CSRF) vulnerability in Red Hat JBoss BRMS and BPMS 6 allows remote attackers to hijack the authentication of users for requests that modify instances via a crafted web page. |
| CVE-2017-5156 | | High | 0.57 | 8.8 | 0.01 | | Apr 20, 2017 | A Cross-Site Request Forgery issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. The client request may be forged from a different site. This will allow an external site to access internal RDP systems on behalf of the… |
| CVE-2017-7881 | | High | 0.57 | 8.8 | 0.01 | | Apr 15, 2017 | BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header. This was found in core/admin/modules/developer/_header.php… |
| CVE-2017-7877 | | High | 0.57 | 8.8 | 0.01 | | Apr 14, 2017 | CSRF vulnerability in flatCore version 1.4.6 allows remote attackers to modify CMS configurations. |
| CVE-2016-4891 | | High | 0.57 | 8.8 | 0.01 | | Apr 12, 2017 | Cross-site request forgery (CSRF) vulnerability in SetsucoCMS all versions allows remote attackers to hijack the authentication of an administrator to change settings via unspecified vectors. |
| CVE-2016-8718 | | High | 0.57 | 8.8 | 0.01 | | Apr 12, 2017 | An exploitable Cross-Site Request Forgery vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted form can trick a client into making an unintentional request to the web server which will be… |
| CVE-2016-4319 | | High | 0.57 | 8.8 | 0.01 | | Apr 10, 2017 | Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings. |
| CVE-2016-6100 | | High | 0.57 | 8.8 | 0.01 | | Apr 5, 2017 | IBM Disposal and Governance Management for IT and IBM Global Retention Policy and Schedule Management, components of IBM Atlas Policy Suite 6.0.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted… |
| CVE-2016-10313 | | High | 0.57 | 8.8 | 0.01 | | Apr 3, 2017 | Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Air:Link 5000AC (AL5000AC) version 1.13, and Air:Link 59300 (AL59300) version 1.04 (Rev. 4) devices allow remote attackers to conduct CSRF attacks via certain /goform/* pages. |
| CVE-2014-9694 | | High | 0.57 | 8.8 | 0.01 | | Apr 2, 2017 | Huawei Tecal RH1288 V2 V100R002C00SPC107 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285 V2 V100R002C00SPC115 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285H V2 V100R002C00SPC111 and earlier versions, Tecal RH2268 V2 V100R002C00, Tecal RH2288 V2… |
| CVE-2014-9137 | | High | 0.57 | 8.8 | 0.00 | | Apr 2, 2017 | Huawei USG9500 with software V200R001C01SPC800 and earlier versions, V300R001C00; USG2100 with software V300R001C00SPC900 and earlier versions; USG2200 with software V300R001C00SPC900; USG5100 with software V300R001C00SPC900 could allow an unauthenticated, remote attacker to… |
| CVE-2014-9136 | | High | 0.57 | 8.8 | 0.00 | | Apr 2, 2017 | Huawei FusionManager with software V100R002C03 and V100R003C00 could allow an unauthenticated, remote attacker to conduct a CSRF attack against the user of the web interface. |
| CVE-2016-8917 | | High | 0.57 | 8.8 | 0.01 | | Mar 31, 2017 | IBM Sterling Order Management 9.2 - 9.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM Reference #: 2000943. |
| CVE-2017-2688 | | High | 0.57 | 8.8 | 0.01 | | Mar 29, 2017 | The integrated web server in Siemens RUGGEDCOM ROX I (all versions) at port 10000/TCP could allow remote attackers to perform actions with the privileges of an authenticated user, provided the targeted user has an active session and is induced into clicking on a malicious link… |
| CVE-2016-9456 | | High | 0.57 | 8.8 | 0.01 | | Mar 28, 2017 | Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). The Revive Adserver team conducted a security audit of the admin interface scripts in order to identify and fix other potential CSRF vulnerabilities. Over 20+ such issues were fixed. |
| CVE-2016-9455 | | High | 0.57 | 8.8 | 0.01 | | Mar 28, 2017 | Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). A number of scripts in Revive Adserver's user interface are vulnerable to CSRF attacks: `www/admin/banner-acl.php`, `www/admin/banner-activate.php`, `www/admin/banner-advanced.php`,… |
| CVE-2016-9127 | | High | 0.57 | 8.8 | 0.01 | | Mar 28, 2017 | Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). The password recovery form in Revive Adserver is vulnerable to CSRF attacks. This vulnerability could be exploited to send a large number of password recovery emails to the registered users, especially… |