VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Compound · Stable · Likelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 38 of 286
  • CVE-2016-3691 · High · Apr 24, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Routes in Kallithea before 0.3.2 allows remote attackers to bypass the CSRF protection by using the GET HTTP request method.

  • CVE-2017-7951 · High · Apr 21, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    WonderCMS before 2.0.3 has CSRF because of lack of a token in an unspecified context.

  • CVE-2017-7990 · High · Apr 21, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    The Reporting Module 1.12.0 for OpenMRS allows CSRF attacks with resultant XSS, in which administrative authentication is hijacked to insert JavaScript into a name field in webapp/reports/manageReports.jsp.

  • CVE-2016-5401 · High · Apr 20, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Red Hat JBoss BRMS and BPMS 6 allows remote attackers to hijack the authentication of users for requests that modify instances via a crafted web page.

  • CVE-2017-5156 · High · Apr 20, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    A Cross-Site Request Forgery issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. The client request may be forged from a different site. This will allow an external site to access internal RDP systems on behalf of the…

  • CVE-2017-7881 · High · Apr 15, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header. This was found in core/admin/modules/developer/_header.php…

  • CVE-2017-7877 · High · Apr 14, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    CSRF vulnerability in flatCore version 1.4.6 allows remote attackers to modify CMS configurations.

  • CVE-2016-4891 · High · Apr 12, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in SetsucoCMS all versions allows remote attackers to hijack the authentication of an administrator to change settings via unspecified vectors.

  • CVE-2016-8718 · High · Apr 12, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    An exploitable Cross-Site Request Forgery vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted form can trick a client into making an unintentional request to the web server which will be…

  • CVE-2016-4319 · High · Apr 10, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings.

  • CVE-2016-6100 · High · Apr 5, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    IBM Disposal and Governance Management for IT and IBM Global Retention Policy and Schedule Management, components of IBM Atlas Policy Suite 6.0.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted…

  • CVE-2016-10313 · High · Apr 3, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Air:Link 5000AC (AL5000AC) version 1.13, and Air:Link 59300 (AL59300) version 1.04 (Rev. 4) devices allow remote attackers to conduct CSRF attacks via certain /goform/* pages.

  • CVE-2014-9694 · High · Apr 2, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Huawei Tecal RH1288 V2 V100R002C00SPC107 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285 V2 V100R002C00SPC115 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285H V2 V100R002C00SPC111 and earlier versions, Tecal RH2268 V2 V100R002C00, Tecal RH2288 V2…

  • CVE-2014-9137 · High · Apr 2, 2017
    risk 0.57 · cvss 8.8 · epss 0.00

    Huawei USG9500 with software V200R001C01SPC800 and earlier versions, V300R001C00; USG2100 with software V300R001C00SPC900 and earlier versions; USG2200 with software V300R001C00SPC900; USG5100 with software V300R001C00SPC900 could allow an unauthenticated, remote attacker to…

  • CVE-2014-9136 · High · Apr 2, 2017
    risk 0.57 · cvss 8.8 · epss 0.00

    Huawei FusionManager with software V100R002C03 and V100R003C00 could allow an unauthenticated, remote attacker to conduct a CSRF attack against the user of the web interface.

  • CVE-2016-8917 · High · Mar 31, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    IBM Sterling Order Management 9.2 - 9.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM Reference #: 2000943.

  • CVE-2017-2688 · High · Mar 29, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    The integrated web server in Siemens RUGGEDCOM ROX I (all versions) at port 10000/TCP could allow remote attackers to perform actions with the privileges of an authenticated user, provided the targeted user has an active session and is induced into clicking on a malicious link…

  • CVE-2016-9456 · High · Mar 28, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). The Revive Adserver team conducted a security audit of the admin interface scripts in order to identify and fix other potential CSRF vulnerabilities. Over 20+ such issues were fixed.

  • CVE-2016-9455 · High · Mar 28, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). A number of scripts in Revive Adserver's user interface are vulnerable to CSRF attacks: `www/admin/banner-acl.php`, `www/admin/banner-activate.php`, `www/admin/banner-advanced.php`,…

  • CVE-2016-9127 · High · Mar 28, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). The password recovery form in Revive Adserver is vulnerable to CSRF attacks. This vulnerability could be exploited to send a large number of password recovery emails to the registered users, especially…