VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Compound · Stable · Likelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 5 of 286
  • CVE-2018-8908 · High · Mar 31, 2018
    risk 0.60 · CVSS 8.8 · EPSS 0.02

    An issue was discovered in /admin/?/user/add in Frog CMS 0.9.5. The application's add user functionality suffers from CSRF. A malicious user can craft an HTML page and use it to trick a victim into clicking on it; once executed, a malicious user will be created with admin…

  • CVE-2018-9092 · High · Mar 27, 2018
    risk 0.60 · CVSS 8.8 · EPSS 0.02

    There is a CSRF vulnerability in mc-admin/conf.php in MiniCMS 1.10 that can change the administrator account password.

  • CVE-2018-1213 · High · Mar 26, 2018
    risk 0.60 · CVSS 8.8 · EPSS 0.02

    Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 and 8.1.0.2 are affected by a cross-site request forgery vulnerability. A malicious user may potentially exploit this vulnerability to send…

  • CVE-2018-8979 · High · Mar 25, 2018
    risk 0.60 · CVSS 8.8 · EPSS 0.01

    Open-AudIT Professional 2.1 has CSRF, as demonstrated by modifying a user account or inserting XSS sequences via the credentials URI.

  • CVE-2018-8817 · High · Mar 25, 2018
    risk 0.60 · CVSS 8.8 · EPSS 0.03

    Wampserver before 3.1.3 has CSRF in add_vhost.php.

  • CVE-2018-8811 · High · Mar 20, 2018
    risk 0.60 · CVSS 8.8 · EPSS 0.02

    Cross-site request forgery (CSRF) vulnerability in system/workplace/admin/accounts/user_role.jsp in OpenCMS 10.5.3 allows remote attackers to hijack the authentication of administrative users for requests that perform privilege escalation. Note: It is argued that OpenCMS allows…

  • CVE-2018-6224 · High · Mar 15, 2018
    risk 0.60 · CVSS 8.8 · EPSS 0.02

    A lack of cross-site request forgery (CSRF) protection vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to submit authenticated requests to a user browsing an attacker-controlled domain.

  • CVE-2018-7746 · High · Mar 7, 2018
    risk 0.60 · CVSS 8.8 · EPSS 0.03

    An issue was discovered in Western Bridge Cobub Razor 0.7.2. Authentication is not required for /index.php?/manage/channel/modifychannel. For example, with a crafted channel name, stored XSS is triggered during a later /index.php?/manage/channel request by an admin.

  • CVE-2018-6941 · High · Feb 20, 2018
    risk 0.60 · CVSS 8.8 · EPSS 0.04

    A /shell?cmd= CSRF issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with XSS.

  • CVE-2018-7176 · High · Feb 16, 2018
    risk 0.60 · CVSS 8.8 · EPSS 0.02

    FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page).

  • CVE-2018-6007 · High · Jan 29, 2018
    risk 0.60 · CVSS 8.8 · EPSS 0.02

    CSRF exists in the JS Support Ticket 1.1.0 component for Joomla! and allows attackers to inject HTML or edit a ticket.

  • CVE-2018-5720 · High · Jan 29, 2018
    risk 0.60 · CVSS 8.8 · EPSS 0.03

    An issue was discovered on DODOCOOL DC38 3-in-1 N300 Mini Wireless Range Extend RTN2-AW.GD.R3465.1.20161103 devices. A Cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that modify all the settings. This…

  • CVE-2018-5976 · High · Jan 24, 2018
    risk 0.60 · CVSS 8.8 · EPSS 0.02

    Cross Site Request Forgery (CSRF) exists in RSVP Invitation Online 1.0 via function/account.php, as demonstrated by modifying the admin password.

  • CVE-2018-5969 · High · Jan 24, 2018
    risk 0.60 · CVSS 8.8 · EPSS 0.01

    Cross Site Request Forgery (CSRF) exists in Photography CMS 1.0 via clients/resources/ajax/ajax_new_admin.php, as demonstrated by adding an admin account.

  • CVE-2012-0699 · High · Jan 11, 2018
    risk 0.60 · CVSS 8.8 · EPSS 0.04

    Multiple cross-site request forgery (CSRF) vulnerabilities in Family Connections CMS (aka FCMS) 2.9 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that (1) add news via an add action to familynews.php or (2) add a prayer via an…

  • CVE-2017-5264 · High · Dec 14, 2017
    risk 0.60 · CVSS 8.8 · EPSS 0.03

    Versions of Nexpose prior to 6.4.66 fail to adequately validate the source of HTTP requests intended for the Automated Actions administrative web application, and are susceptible to a cross-site request forgery (CSRF) attack.

  • CVE-2017-7851 · High · Nov 15, 2017
    risk 0.60 · CVSS 8.8 · EPSS 0.02

    D-Link DCS-936L devices with firmware before 1.05.07 have an inadequate CSRF protection mechanism that requires the device's IP address to be a substring of the HTTP Referer header.

  • CVE-2017-16570 · High · Nov 6, 2017
    risk 0.60 · CVSS 8.8 · EPSS 0.02

    KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by removing the CSRF parameter and value, aka SecureLayer7 issue number SL7_KEYJS_03. In other words, it fails to reject requests that lack an x-csrf-token header.

  • CVE-2017-15808 · High · Oct 23, 2017
    risk 0.60 · CVSS 8.8 · EPSS 0.01

    In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php.

  • CVE-2017-15730 · High · Oct 22, 2017
    risk 0.60 · CVSS 8.8 · EPSS 0.02

    In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php.