CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 47 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-12646 | Hig | 0.53 | 8.1 | 0.00 | Dec 16, 2024 | The topm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could… | ||
| CVE-2024-12643 | Hig | 0.53 | 8.1 | 0.00 | Dec 16, 2024 | The tbm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could… | ||
| CVE-2024-53793 | Hig | 0.53 | 8.2 | 0.00 | Dec 2, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in jerodmoore eDoc Easy Tables edoc-easy-tables allows Blind SQL Injection.This issue affects eDoc Easy Tables: from n/a through <= 1.29. | ||
| CVE-2024-52451 | Hig | 0.53 | 8.2 | 0.00 | Nov 20, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in aaronrobbins Post Ideas post-ideas allows SQL Injection.This issue affects Post Ideas: from n/a through <= 2. | ||
| CVE-2024-43434 | Hig | 0.53 | 8.1 | 0.01 | Nov 7, 2024 | The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability. | ||
| CVE-2024-49617 | Hig | 0.53 | 8.2 | 0.00 | Oct 20, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in anciwasim Back Link Tracker back-link-tracker allows Blind SQL Injection.This issue affects Back Link Tracker: from n/a through <= 1.0.0. | ||
| CVE-2024-49615 | Hig | 0.53 | 8.2 | 0.00 | Oct 20, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in Henrique Rodrigues SafetyForms safetymails-forms allows Blind SQL Injection.This issue affects SafetyForms: from n/a through <= 1.0.0. | ||
| CVE-2024-49622 | Hig | 0.53 | 8.2 | 0.00 | Oct 20, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in aatmaadhikari Apa Banner Slider apa-banner-slider allows SQL Injection.This issue affects Apa Banner Slider: from n/a through <= 1.0.0. | ||
| CVE-2024-49621 | Hig | 0.53 | 8.2 | 0.00 | Oct 20, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in aatmaadhikari APA Register Newsletter Form apa-register-newsletter-form allows SQL Injection.This issue affects APA Register Newsletter Form: from n/a through <= 1.0.0. | ||
| CVE-2024-24336 | Hig | 0.53 | 8.1 | 0.00 | Mar 19, 2024 | A multiple Cross-site scripting (XSS) vulnerability in the '/members/moremember.pl', and ‘/members/members-home.pl’ endpoints within Koha Library Management System version 23.05.05 and earlier allows malicious staff users to carry out CSRF attacks, including unauthorized… | ||
| CVE-2023-50774 | Hig | 0.53 | 8.1 | 0.00 | Dec 13, 2023 | A cross-site request forgery (CSRF) vulnerability in Jenkins HTMLResource Plugin 1.02 and earlier allows attackers to delete arbitrary files on the Jenkins controller file system. | ||
| CVE-2023-27490 | Hig | 0.53 | 8.1 | 0.01 | Mar 9, 2023 | NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth provider versions before `v4.20.1` have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or… | ||
| CVE-2023-22457 | — | Cri | 0.53 | 9.0 | 0.19 | Jan 4, 2023 | CKEditor Integration UI adds support for editing wiki pages using CKEditor. Prior to versions 1.64.3,t he `CKEditor.HTMLConverter` document lacked a protection against Cross-Site Request Forgery (CSRF), allowing to execute macros with the rights of the current user. If a… | |
| CVE-2021-41275 | — | Cri | 0.53 | 9.3 | 0.01 | Nov 17, 2021 | spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that… | |
| CVE-2021-41274 | — | Cri | 0.53 | 9.3 | 0.01 | Nov 17, 2021 | solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend… | |
| CVE-2019-20390 | — | Hig | 0.53 | 8.1 | 0.01 | May 15, 2020 | A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion CMS 4.2.1 that allows a remote attacker to remove files on the server without a victim's knowledge, by enticing an authenticated user to visit an attacker's web page. The application fails to validate… | |
| CVE-2020-1692 | Hig | 0.53 | 8.1 | 0.01 | Feb 17, 2020 | Moodle before version 3.7.2 is vulnerable to information exposure of service tokens for users enrolled in the same course. | ||
| CVE-2018-10899 | Hig | 0.53 | 8.1 | 0.03 | Aug 1, 2019 | A flaw was found in Jolokia versions from 1.2 to before 1.6.1. Affected versions are vulnerable to a system-wide CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. This could result in a Remote Code Execution attack. | ||
| CVE-2018-1002103 | — | Hig | 0.53 | 8.1 | 0.01 | Dec 5, 2018 | In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000. In VM environments where the IP is easy to predict, the attacker can use DNS rebinding to indirectly make requests to the Kubernetes Dashboard, create a new… | |
| CVE-2014-6046 | Hig | 0.53 | 8.8 | 0.02 | Aug 28, 2018 | Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyFAQ before 2.8.13 allow remote attackers to hijack the authentication of unspecified users for requests that (1) delete active users by leveraging improper validation of CSRF tokens or that (2) delete open… |
- risk 0.53cvss 8.1epss 0.00
The topm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could…
- risk 0.53cvss 8.1epss 0.00
The tbm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could…
- risk 0.53cvss 8.2epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in jerodmoore eDoc Easy Tables edoc-easy-tables allows Blind SQL Injection.This issue affects eDoc Easy Tables: from n/a through <= 1.29.
- risk 0.53cvss 8.2epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in aaronrobbins Post Ideas post-ideas allows SQL Injection.This issue affects Post Ideas: from n/a through <= 2.
- risk 0.53cvss 8.1epss 0.01
The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability.
- risk 0.53cvss 8.2epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in anciwasim Back Link Tracker back-link-tracker allows Blind SQL Injection.This issue affects Back Link Tracker: from n/a through <= 1.0.0.
- risk 0.53cvss 8.2epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Henrique Rodrigues SafetyForms safetymails-forms allows Blind SQL Injection.This issue affects SafetyForms: from n/a through <= 1.0.0.
- risk 0.53cvss 8.2epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in aatmaadhikari Apa Banner Slider apa-banner-slider allows SQL Injection.This issue affects Apa Banner Slider: from n/a through <= 1.0.0.
- risk 0.53cvss 8.2epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in aatmaadhikari APA Register Newsletter Form apa-register-newsletter-form allows SQL Injection.This issue affects APA Register Newsletter Form: from n/a through <= 1.0.0.
- risk 0.53cvss 8.1epss 0.00
A multiple Cross-site scripting (XSS) vulnerability in the '/members/moremember.pl', and ‘/members/members-home.pl’ endpoints within Koha Library Management System version 23.05.05 and earlier allows malicious staff users to carry out CSRF attacks, including unauthorized…
- risk 0.53cvss 8.1epss 0.00
A cross-site request forgery (CSRF) vulnerability in Jenkins HTMLResource Plugin 1.02 and earlier allows attackers to delete arbitrary files on the Jenkins controller file system.
- risk 0.53cvss 8.1epss 0.01
NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth provider versions before `v4.20.1` have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or…
- risk 0.53cvss 9.0epss 0.19
CKEditor Integration UI adds support for editing wiki pages using CKEditor. Prior to versions 1.64.3,t he `CKEditor.HTMLConverter` document lacked a protection against Cross-Site Request Forgery (CSRF), allowing to execute macros with the rights of the current user. If a…
- risk 0.53cvss 9.3epss 0.01
spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that…
- risk 0.53cvss 9.3epss 0.01
solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend…
- risk 0.53cvss 8.1epss 0.01
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion CMS 4.2.1 that allows a remote attacker to remove files on the server without a victim's knowledge, by enticing an authenticated user to visit an attacker's web page. The application fails to validate…
- risk 0.53cvss 8.1epss 0.01
Moodle before version 3.7.2 is vulnerable to information exposure of service tokens for users enrolled in the same course.
- risk 0.53cvss 8.1epss 0.03
A flaw was found in Jolokia versions from 1.2 to before 1.6.1. Affected versions are vulnerable to a system-wide CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. This could result in a Remote Code Execution attack.
- risk 0.53cvss 8.1epss 0.01
In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000. In VM environments where the IP is easy to predict, the attacker can use DNS rebinding to indirectly make requests to the Kubernetes Dashboard, create a new…
- risk 0.53cvss 8.8epss 0.02
Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyFAQ before 2.8.13 allow remote attackers to hijack the authentication of unspecified users for requests that (1) delete active users by leveraging improper validation of CSRF tokens or that (2) delete open…