VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Abstraction: Compound · Status: Stable · Likelihood of exploit: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
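The sentence above is the whole of the weakness. What it looks like in a request handler, and the check that closes it, as an added example (this is not code from VYPR, from MITRE, or from any product in the CVE list below; the app origin `https://app.example`, the in-memory session store, the request shape and the `change_password_*` handler names are assumptions made for the illustration):

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Assumptions for this example: the protected app's origin, a server-side
# secret and an in-memory session store. A real app loads these from config.
SITE_ORIGIN = "https://app.example"
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"sess-abc123"}          # constructed: one logged-in victim session
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: nonce.HMAC(secret, session:nonce).
    The attacker's page cannot read it (same-origin policy), so it cannot forge it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_is_trusted(headers: dict) -> bool:
    """Browsers attach Origin to cross-site POSTs; fall back to Referer.
    A state-changing request carrying neither header is treated as untrusted."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    p = urlparse(src)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def change_password_vulnerable(request: dict):
    """CWE-352 pattern: the only 'proof' that the user meant this request is the
    session cookie, which the victim's browser attaches to a forged request too."""
    if request["cookies"].get("session") not in SESSIONS:
        return 401, "not logged in"
    return 200, f"password changed to {request['form']['new_password']}"


def change_password_hardened(request: dict):
    """Same handler with intent verified: trusted origin plus a session-bound token."""
    session_id = request["cookies"].get("session")
    if session_id not in SESSIONS:
        return 401, "not logged in"
    if request["method"] in UNSAFE_METHODS:
        if not origin_is_trusted(request["headers"]):
            return 403, "cross-site origin"
        if not token_is_valid(session_id, request["form"].get("csrf_token")):
            return 403, "missing or invalid CSRF token"
    return 200, f"password changed to {request['form']['new_password']}"


def make_request(method, headers, cookies, form):
    return {"method": method, "headers": headers, "cookies": cookies, "form": form}


def forged_request():
    # Constructed: an auto-submitted <form> on https://evil.example. The victim's
    # browser adds the session cookie by itself; the attacker cannot add a valid token.
    return make_request("POST", {"Origin": "https://evil.example"},
                        {"session": "sess-abc123"}, {"new_password": "pwned"})


def legitimate_request(token):
    # Constructed: the app's own form, carrying the token the server rendered into it.
    return make_request("POST", {"Origin": SITE_ORIGIN},
                        {"session": "sess-abc123"},
                        {"new_password": "s3cret", "csrf_token": token})


if __name__ == "__main__":
    print(change_password_vulnerable(forged_request()))    # forged request is accepted
    print(change_password_hardened(forged_request()))      # rejected at the origin check
    print(change_password_hardened(legitimate_request(issue_csrf_token("sess-abc123"))))
```

The token is the primary control; the Origin/Referer check is defence in depth, since some proxies strip Referer and older clients omit Origin, which is why the hardened handler fails closed rather than skipping the check when the header is absent. Setting the session cookie with `SameSite=Lax` or `Strict` stops the browser attaching it to most cross-site POSTs in the first place, but it does not replace the server-side check.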

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 40 of 286
  • CVE-2016-8369 · High · Feb 13, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1.8 and older. The application does not sufficiently verify if a request was intentionally provided by the user who submitted the request (CROSS-SITE REQUEST FORGERY).

  • CVE-2017-5368 · High · Feb 6, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attacker to make changes to the web application as the currently logged-in victim. If the victim visits a malicious web page, the attacker…

  • CVE-2016-6103 · High · Feb 2, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

  • CVE-2016-8941 · High · Feb 1, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    IBM Tivoli Storage Productivity Center is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

  • CVE-2016-6045 · High · Feb 1, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    IBM Tivoli Storage Manager Operations Center is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

  • CVE-2016-5937 · High · Feb 1, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    IBM Kenexa LCMS Premier on Cloud is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

  • CVE-2016-3029 · High · Feb 1, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    IBM Security Access Manager for Web is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

  • CVE-2017-3794 · High · Jan 26, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against an administrative user. More Information: CSCuz03317. Known Affected Releases: 2.6. Known Fixed Releases: 2.7.1.12.

  • CVE-2016-9218 · High · Jan 26, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    A vulnerability in Cisco Hybrid Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against the user of the web interface. More Information: CSCvc28662. Known Affected Releases: 1.0.

  • CVE-2016-6521 · High · Jan 23, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Cross-site request forgery (CSRF) vulnerability in Grails console (aka Grails Debug Console and Grails Web Console) 2.0.7, 1.5.10, and earlier allows remote attackers to hijack the authentication of users for requests that execute arbitrary Groovy code via unspecified vectors.

  • CVE-2016-3406 · High · Jan 18, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to hijack the authentication of unspecified victims via vectors involving (1) the Client uploader extension or (2) extension REST handlers, aka bugs 104294 and…

  • CVE-2017-5492 · High · Jan 15, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.02

    Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to…

  • CVE-2017-5476 · High · Jan 14, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Serendipity through 2.0.5 allows CSRF for the installation of an event plugin or a sidebar plugin.

  • CVE-2017-5475 · High · Jan 14, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    comment.php in Serendipity through 2.0.5 allows CSRF in deleting any comments.

  • CVE-2016-7885 · High · Dec 15, 2016
    risk 0.57 · CVSS 8.8 · EPSS 0.03

    Adobe Experience Manager versions 6.2 and earlier have a vulnerability that could be used in Cross-Site Request Forgery attacks.

  • CVE-2016-6468 · High · Dec 14, 2016
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    A vulnerability in the web-based management interface of Cisco Emergency Responder could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. More Information: CSCvb06663. Known…

  • CVE-2016-2963 · High · Nov 30, 2016
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Cross-site request forgery (CSRF) vulnerability in IBM BigFix Remote Control before 9.1.3 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

  • CVE-2016-8673 · High · Nov 23, 2016
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    A vulnerability has been identified in SIMATIC CP 343-1 Advanced (incl. SIPLUS NET variant) (All versions < V3.0.53), SIMATIC CP 443-1 Advanced (incl. SIPLUS NET variant) (All versions < V3.2.17), SIMATIC S7-300 PN/DP CPU family (incl. SIPLUS variants) (All versions), SIMATIC…

  • CVE-2016-6444 · High · Oct 27, 2016
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    A vulnerability in Cisco Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a Web Bridge user. More Information: CSCvb03308. Known Affected Releases: 1.8, 1.9, 2.0.

  • CVE-2016-6442 · High · Oct 27, 2016
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    A vulnerability in Cisco Finesse Agent and Supervisor Desktop Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against the user of the web interface. More Information: CSCvb57213. Known Affected Releases: 11.0(1).