VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 47 of 286
  • CVE-2024-12646HigDec 16, 2024
    risk 0.53cvss 8.1epss 0.00

    The topm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could…

  • CVE-2024-12643HigDec 16, 2024
    risk 0.53cvss 8.1epss 0.00

    The tbm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could…

  • CVE-2024-53793HigDec 2, 2024
    risk 0.53cvss 8.2epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in jerodmoore eDoc Easy Tables edoc-easy-tables allows Blind SQL Injection.This issue affects eDoc Easy Tables: from n/a through <= 1.29.

  • CVE-2024-52451HigNov 20, 2024
    risk 0.53cvss 8.2epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in aaronrobbins Post Ideas post-ideas allows SQL Injection.This issue affects Post Ideas: from n/a through <= 2.

  • CVE-2024-43434HigNov 7, 2024
    risk 0.53cvss 8.1epss 0.01

    The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability.

  • CVE-2024-49617HigOct 20, 2024
    risk 0.53cvss 8.2epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in anciwasim Back Link Tracker back-link-tracker allows Blind SQL Injection.This issue affects Back Link Tracker: from n/a through <= 1.0.0.

  • CVE-2024-49615HigOct 20, 2024
    risk 0.53cvss 8.2epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Henrique Rodrigues SafetyForms safetymails-forms allows Blind SQL Injection.This issue affects SafetyForms: from n/a through <= 1.0.0.

  • CVE-2024-49622HigOct 20, 2024
    risk 0.53cvss 8.2epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in aatmaadhikari Apa Banner Slider apa-banner-slider allows SQL Injection.This issue affects Apa Banner Slider: from n/a through <= 1.0.0.

  • CVE-2024-49621HigOct 20, 2024
    risk 0.53cvss 8.2epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in aatmaadhikari APA Register Newsletter Form apa-register-newsletter-form allows SQL Injection.This issue affects APA Register Newsletter Form: from n/a through <= 1.0.0.

  • CVE-2024-24336HigMar 19, 2024
    risk 0.53cvss 8.1epss 0.00

    A multiple Cross-site scripting (XSS) vulnerability in the '/members/moremember.pl', and ‘/members/members-home.pl’ endpoints within Koha Library Management System version 23.05.05 and earlier allows malicious staff users to carry out CSRF attacks, including unauthorized…

  • CVE-2023-50774HigDec 13, 2023
    risk 0.53cvss 8.1epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins HTMLResource Plugin 1.02 and earlier allows attackers to delete arbitrary files on the Jenkins controller file system.

  • CVE-2023-27490HigMar 9, 2023
    risk 0.53cvss 8.1epss 0.01

    NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth provider versions before `v4.20.1` have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or…

  • CVE-2023-22457CriJan 4, 2023
    risk 0.53cvss 9.0epss 0.19

    CKEditor Integration UI adds support for editing wiki pages using CKEditor. Prior to versions 1.64.3,t he `CKEditor.HTMLConverter` document lacked a protection against Cross-Site Request Forgery (CSRF), allowing to execute macros with the rights of the current user. If a…

  • CVE-2021-41275CriNov 17, 2021
    risk 0.53cvss 9.3epss 0.01

    spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that…

  • CVE-2021-41274CriNov 17, 2021
    risk 0.53cvss 9.3epss 0.01

    solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend…

  • CVE-2019-20390HigMay 15, 2020
    risk 0.53cvss 8.1epss 0.01

    A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion CMS 4.2.1 that allows a remote attacker to remove files on the server without a victim's knowledge, by enticing an authenticated user to visit an attacker's web page. The application fails to validate…

  • CVE-2020-1692HigFeb 17, 2020
    risk 0.53cvss 8.1epss 0.01

    Moodle before version 3.7.2 is vulnerable to information exposure of service tokens for users enrolled in the same course.

  • CVE-2018-10899HigAug 1, 2019
    risk 0.53cvss 8.1epss 0.03

    A flaw was found in Jolokia versions from 1.2 to before 1.6.1. Affected versions are vulnerable to a system-wide CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. This could result in a Remote Code Execution attack.

  • CVE-2018-1002103HigDec 5, 2018
    risk 0.53cvss 8.1epss 0.01

    In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000. In VM environments where the IP is easy to predict, the attacker can use DNS rebinding to indirectly make requests to the Kubernetes Dashboard, create a new…

  • CVE-2014-6046HigAug 28, 2018
    risk 0.53cvss 8.8epss 0.02

    Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyFAQ before 2.8.13 allow remote attackers to hijack the authentication of unspecified users for requests that (1) delete active users by leveraging improper validation of CSRF tokens or that (2) delete open…