VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 49 of 286
  • CVE-2018-16951HigSep 12, 2018
    risk 0.52cvss 8.0epss 0.01

    xunfeng 0.2.0 allows command execution via CSRF because masscan.py mishandles backquote characters, a related issue to CVE-2018-16832.

  • CVE-2018-15187HigAug 10, 2018
    risk 0.52cvss 8.0epss 0.00

    PHP Scripts Mall advanced-real-estate-script 4.0.9 has CSRF via edit-profile.php.

  • CVE-2017-0933HigMar 22, 2018
    risk 0.52cvss 8.0epss 0.01

    Ubiquiti Networks EdgeOS version 1.9.1 and prior suffer from a Cross-Site Request Forgery (CSRF) vulnerability. An attacker with access to an operator (read-only) account could lure an admin (root) user to access the attacker-controlled page, allowing the attacker to gain admin…

  • CVE-2016-0272HigMar 9, 2018
    risk 0.52cvss 8.0epss 0.01

    Cross-site request forgery (CSRF) vulnerability in IBM Financial Transaction Manager (FTM) for ACH Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, Financial Transaction Manager (FTM) for Check Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, and…

  • CVE-2016-0348HigFeb 21, 2018
    risk 0.52cvss 8.0epss 0.01

    Cross-site request forgery (CSRF) vulnerability in IBM TRIRIGA Application Platform 3.3, 3.3.1, 3.3.2, and 3.4 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. IBM X-Force ID: 111813.

  • CVE-2016-8513HigFeb 15, 2018
    risk 0.52cvss 8.0epss 0.01

    A Cross-Site Request Forgery (CSRF) vulnerability in HPE Version Control Repository Manager (VCRM) was found. The problem impacts all versions prior to 7.6.

  • CVE-2017-5263HigDec 20, 2017
    risk 0.52cvss 8.0epss 0.00

    Versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware lack CSRF controls that can mitigate the effects of CSRF attacks, which are most typically implemented as randomized per-session tokens associated with any web application function, especially destructive ones.

  • CVE-2017-16563HigNov 6, 2017
    risk 0.52cvss 8.0epss 0.00

    Cross-Site Request Forgery (CSRF) in the Basic Settings screen on Vonage (Grandstream) HT802 devices allows attackers to modify settings, related to cgi-bin/update.

  • CVE-2016-5789HigOct 13, 2017
    risk 0.52cvss 8.0epss 0.00

    A Cross-site Request Forgery issue was discovered in JanTek JTC-200, all versions. An attacker could perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.

  • CVE-2017-14925HigSep 30, 2017
    risk 0.52cvss 8.0epss 0.01

    Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to edit global permissions if an administrator opens a wiki page with an IMG element, related…

  • CVE-2017-14924HigSep 30, 2017
    risk 0.52cvss 8.0epss 0.01

    Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with an IMG element,…

  • CVE-2017-14530HigSep 18, 2017
    risk 0.52cvss 8.0epss 0.01

    WP_Admin_UI in the Crony Cronjob Manager plugin before 0.4.7 for WordPress has CSRF via the name parameter in an action=manage&do=create operation, as demonstrated by inserting XSS sequences.

  • CVE-2017-9415HigJul 21, 2017
    risk 0.52cvss 7.5epss 0.02

    Cross-site request forgery (CSRF) vulnerability in subsonic 6.1.1 allows remote attackers with knowledge of the target username to hijack the authentication of users for requests that change passwords via a crafted request to userSettings.view.

  • CVE-2016-7507HigJul 19, 2017
    risk 0.52cvss 8.0epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to submit a request that could lead to the creation of an admin account in the application.

  • CVE-2016-9991HigJun 8, 2017
    risk 0.52cvss 8.0epss 0.01

    IBM Sterling Order Management 9.2 through 9.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 121314.

  • CVE-2017-5657HigMay 22, 2017
    risk 0.52cvss 8.0epss 0.01

    Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site, may send an HTML response that performs arbitrary actions on archiva services, with the same…

  • CVE-2016-1161HigApr 20, 2017
    risk 0.52cvss 8.0epss 0.01

    Cross-site request forgery (CSRF) vulnerability in ManageEngine Password Manager Pro before 8.5 (Build 8500).

  • CVE-2016-7904HigJan 16, 2017
    risk 0.52cvss 8.0epss 0.01

    Cross-site request forgery (CSRF) vulnerability in CMS Made Simple before 2.1.6 allows remote attackers to hijack the authentication of administrators for requests that create accounts via an admin/adduser.php request.

  • CVE-2016-8201HigJan 14, 2017
    risk 0.52cvss 8.0epss 0.00

    A CSRF vulnerability in Brocade Virtual Traffic Manager versions released prior to and including 11.0 could allow an attacker to trick a logged-in user into making administrative changes on the traffic manager cluster.

  • CVE-2016-2884HigNov 30, 2016
    risk 0.52cvss 8.0epss 0.00

    Cross-site request forgery (CSRF) vulnerability in IBM Forms Experience Builder 8.5.x and 8.6.x before 8.6.3.1, in an unspecified non-default configuration, allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.