VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Compound · Stable · Likelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

  • CVE-2024-31988 · Critical · Apr 10, 2024
    risk 0.55 · cvss 9.6 · epss 0.01

    XWiki Platform is a generic wiki platform. Starting in version 13.9-rc-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, when the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right.…

  • CVE-2024-22416 · Critical · Jan 18, 2024
    risk 0.55 · cvss 9.6 · epss 0.01

    pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site…

  • CVE-2023-50722 · Critical · Dec 15, 2023
    risk 0.55 · cvss 9.6 · epss 0.01

    XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, there is a reflected XSS or also direct remote code execution vulnerability in the code for displaying configurable admin sections. The code that can be passed…

  • CVE-2023-46242 · Critical · Nov 7, 2023
    risk 0.55 · cvss 9.6 · epss 0.00

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to execute a content with the right of any user via a crafted URL. A user must have `programming` privileges in order to exploit this…

  • CVE-2023-37277 · Critical · Jul 10, 2023
    risk 0.55 · cvss 9.6 · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The REST API allows executing all actions via POST requests and accepts `text/plain`, `multipart/form-data` or `application/www-form-urlencoded` as content types which can be…

  • CVE-2018-7216 · High · Feb 18, 2018
    risk 0.55 · cvss 8.0 · epss 0.03

    Cross-site request forgery (CSRF) vulnerability in esop/toolkit/profile/regData.do in Bravo Tejari Procurement Portal allows remote authenticated users to hijack the authentication of application users for requests that modify their personal data by leveraging lack of anti-CSRF…

  • CVE-2018-6888 · High · Feb 12, 2018
    risk 0.55 · cvss 8.0 · epss 0.02

    An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from a critical Cross-Site Request Forgery flaw: using a forged HTTP request, a malicious user can lead a user to unknowingly create, delete or modify a user account due to the lack…

  • CVE-2017-1000432 · High · Jan 2, 2018
    risk 0.55 · cvss 8.0 · epss 0.02

    Vanilla Forums below 2.1.5 is affected by CSRF, leading to deletion of topics and comments from the forum's Admin access.

  • CVE-2015-2142 · High · Oct 6, 2017
    risk 0.55 · cvss 8.0 · epss 0.02

    Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote authenticated users to (1) hijack the authentication of users for requests that cause an unspecified impact via the id parameter to project.php, (2) hijack the…

  • CVE-2017-13129 · High · Sep 26, 2017
    risk 0.55 · cvss 8.0 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in ZKTeco ZKTime Web 2.0.1.12280 allows remote authenticated users to hijack the authentication of administrators for requests that add administrators by leveraging lack of anti-CSRF tokens.

  • CVE-2017-7571 · High · Apr 6, 2017
    risk 0.55 · cvss 8.0 · epss 0.02

    public/rolechangeadmin in Faveo 1.9.3 allows CSRF. The impact is obtaining admin privileges.

  • CVE-2017-5633 · High · Mar 6, 2017
    risk 0.55 · cvss 8.0 · epss 0.04

    Multiple cross-site request forgery (CSRF) vulnerabilities on the D-Link DI-524 Wireless Router with firmware 9.01 allow remote attackers to (1) change the admin password, (2) reboot the device, or (3) possibly have unspecified other impact via crafted requests to CGI programs.

  • CVE-2016-7454 · High · Dec 17, 2016
    risk 0.55 · cvss 8.0 · epss 0.03

    CSRF vulnerability on Technicolor TC dpc3941T (formerly Cisco dpc3941T) devices with firmware dpc3941-P20-18-v303r20421733-160413a-CMCST allows an attacker to change the Wi-Fi password, open the remote management interface, or reset the router.

  • CVE-2016-6637 · Critical · Sep 30, 2016
    risk 0.55 · cvss 9.6 · epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x…

  • CVE-2016-3653 · High · Jun 30, 2016
    risk 0.55 · cvss 8.0 · epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in management scripts in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allow remote authenticated users to hijack the authentication of arbitrary users.

  • CVE-2025-62593 · Critical · Nov 26, 2025
    risk 0.54 · cvss · epss 0.00

    Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. This vulnerability is due to an insufficient guard against browser-based attacks, as the…

  • CVE-2025-6001 · High · Jun 11, 2025
    risk 0.54 · cvss 8.3 · epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability exists in the product image upload function of VirtueMart that bypasses the CSRF protection token. An attacker is able to craft a special CSRF request which will allow unrestricted file upload into the VirtueMart media manager.

  • CVE-2025-27298 · High · Feb 24, 2025
    risk 0.54 · cvss 8.3 · epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in cmstactics WP Video Posts wp-video-posts allows OS Command Injection. This issue affects WP Video Posts: from n/a through <= 3.5.1.

  • CVE-2020-36839 · High · Oct 16, 2024
    risk 0.54 · cvss 8.3 · epss 0.00

    The WP Lead Plus X plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.99. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to perform administrative…

  • CVE-2021-46398 · High · Feb 4, 2022
    risk 0.54 · cvss 8.8 · epss 0.07

    A Cross-Site Request Forgery vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim. An admin can run commands using the…