VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 48 of 286
  • CVE-2018-14057HigAug 17, 2018
    risk 0.53cvss 8.8epss 0.03

    Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function.

  • CVE-2017-9963HigFeb 12, 2018
    risk 0.53cvss 8.1epss 0.00

    A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type…

  • CVE-2017-16244HigNov 1, 2017
    risk 0.53cvss 8.8epss 0.02

    Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and…

  • CVE-2017-15735HigOct 22, 2017
    risk 0.53cvss 8.8epss 0.01

    In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary.

  • CVE-2017-15734HigOct 22, 2017
    risk 0.53cvss 8.8epss 0.01

    In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php.

  • CVE-2017-8099HigApr 24, 2017
    risk 0.53cvss 8.1epss 0.01

    There is CSRF in the WHIZZ plugin before 1.1.1 for WordPress, allowing attackers to delete any WordPress users and change the plugin's status via a GET request.

  • CVE-2015-7563HigApr 12, 2017
    risk 0.53cvss 8.8epss 0.03

    Cross-site request forgery (CSRF) vulnerability in TeamPass 2.1.24 and earlier allows remote attackers to hijack the authentication of an authenticated user.

  • CVE-2026-48612HigJun 12, 2026
    risk 0.52cvss 8.0epss 0.00

    Improper state verification in the OAuth implementation could allow an attacker to manipulate the authentication flow and cause a victim’s account to be linked to an attacker-controlled account. This can result in unauthorized account linking and potential account takeover.

  • CVE-2025-11954HigMay 20, 2026
    risk 0.52cvss 8.0epss 0.00

    Cross-Site request forgery (CSRF) vulnerability in Sitemio Information Technologies Trade Ltd. Co. WISECP allows Cross Site Request Forgery. This issue affects WISECP: through 20022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

  • CVE-2025-13970HigDec 13, 2025
    risk 0.52cvss 8.0epss 0.00

    OpenPLC_V3 is vulnerable to a cross-site request forgery (CSRF) attack due to the absence of proper CSRF validation. This issue allows an unauthenticated attacker to trick a logged-in administrator into visiting a maliciously crafted link, potentially enabling unauthorized …

  • CVE-2025-24223HigMay 12, 2025
    risk 0.52cvss 8.0epss 0.00

    The issue was addressed with improved memory handling. This issue is fixed in Safari 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. Processing maliciously crafted web content may lead to memory corruption.

  • CVE-2024-55924HigJan 14, 2025
    risk 0.52cvss 8.0epss 0.00

    TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing…

  • CVE-2024-31986CriApr 10, 2024
    risk 0.52cvss 9.0epss 0.01

    XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, by creating a document with a special crafted documented reference and an `XWiki.SchedulerJobClass` XObject, it is possible to execute arbitrary code on the…

  • CVE-2023-40572CriAug 24, 2023
    risk 0.52cvss 9.0epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The create action is vulnerable to a CSRF attack, allowing script and thus remote code execution when targeting a user with script/programming right, thus compromising the…

  • CVE-2023-35141HigJun 14, 2023
    risk 0.52cvss 8.0epss 0.01

    In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by…

  • CVE-2023-29213CriApr 17, 2023
    risk 0.52cvss 9.0epss 0.00

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of `org.xwiki.platform:xwiki-platform-logging-ui` it is possible to trick a user with programming rights into visiting a constructed url where e.g., by…

  • CVE-2022-36916HigJul 27, 2022
    risk 0.52cvss 8.0epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Google Cloud Backup Plugin 0.6 and earlier allows attackers to request a manual backup.

  • CVE-2022-34792HigJun 30, 2022
    risk 0.52cvss 8.0epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Recipe Plugin 1.2 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as XML.

  • CVE-2020-2196HigJun 3, 2020
    risk 0.52cvss 8.0epss 0.01

    Jenkins Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP endpoints, allowing attackers to perform all administrative actions provided by the plugin.

  • CVE-2020-11069HigMay 14, 2020
    risk 0.52cvss 8.0epss 0.01

    In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously…