CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 5 of 286

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-8908 | | High | 0.60 | 8.8 | 0.02 | | Mar 31, 2018 | An issue was discovered in /admin/?/user/add in Frog CMS 0.9.5. The application's add user functionality suffers from CSRF. A malicious user can craft an HTML page and use it to trick a victim into clicking on it; once executed, a malicious user will be created with admin… |
| CVE-2018-9092 | — | High | 0.60 | 8.8 | 0.02 | | Mar 27, 2018 | There is a CSRF vulnerability in mc-admin/conf.php in MiniCMS 1.10 that can change the administrator account password. |
| CVE-2018-1213 | | High | 0.60 | 8.8 | 0.02 | | Mar 26, 2018 | Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 and 8.1.0.2 is affected by a cross-site request forgery vulnerability. A malicious user may potentially exploit this vulnerability to send… |
| CVE-2018-8979 | | High | 0.60 | 8.8 | 0.01 | | Mar 25, 2018 | Open-AudIT Professional 2.1 has CSRF, as demonstrated by modifying a user account or inserting XSS sequences via the credentials URI. |
| CVE-2018-8817 | | High | 0.60 | 8.8 | 0.03 | | Mar 25, 2018 | Wampserver before 3.1.3 has CSRF in add_vhost.php. |
| CVE-2018-8811 | | High | 0.60 | 8.8 | 0.02 | | Mar 20, 2018 | Cross-site request forgery (CSRF) vulnerability in system/workplace/admin/accounts/user_role.jsp in OpenCMS 10.5.3 allows remote attackers to hijack the authentication of administrative users for requests that perform privilege escalation. Note: It is argued that OpenCMS allows… |
| CVE-2018-6224 | | High | 0.60 | 8.8 | 0.02 | | Mar 15, 2018 | A lack of cross-site request forgery (CSRF) protection vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to submit authenticated requests to a user browsing an attacker-controlled domain. |
| CVE-2018-7746 | | High | 0.60 | 8.8 | 0.03 | | Mar 7, 2018 | An issue was discovered in Western Bridge Cobub Razor 0.7.2. Authentication is not required for /index.php?/manage/channel/modifychannel. For example, with a crafted channel name, stored XSS is triggered during a later /index.php?/manage/channel request by an admin. |
| CVE-2018-6941 | — | High | 0.60 | 8.8 | 0.04 | | Feb 20, 2018 | A /shell?cmd= CSRF issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with XSS. |
| CVE-2018-7176 | | High | 0.60 | 8.8 | 0.02 | | Feb 16, 2018 | FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page). |
| CVE-2018-6007 | | High | 0.60 | 8.8 | 0.02 | | Jan 29, 2018 | CSRF exists in the JS Support Ticket 1.1.0 component for Joomla! and allows attackers to inject HTML or edit a ticket. |
| CVE-2018-5720 | | High | 0.60 | 8.8 | 0.03 | | Jan 29, 2018 | An issue was discovered on DODOCOOL DC38 3-in-1 N300 Mini Wireless Range Extend RTN2-AW.GD.R3465.1.20161103 devices. A Cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that modify all the settings. This… |
| CVE-2018-5976 | — | High | 0.60 | 8.8 | 0.02 | | Jan 24, 2018 | Cross Site Request Forgery (CSRF) exists in RSVP Invitation Online 1.0 via function/account.php, as demonstrated by modifying the admin password. |
| CVE-2018-5969 | | High | 0.60 | 8.8 | 0.01 | | Jan 24, 2018 | Cross Site Request Forgery (CSRF) exists in Photography CMS 1.0 via clients/resources/ajax/ajax_new_admin.php, as demonstrated by adding an admin account. |
| CVE-2012-0699 | | High | 0.60 | 8.8 | 0.04 | | Jan 11, 2018 | Multiple cross-site request forgery (CSRF) vulnerabilities in Family Connections CMS (aka FCMS) 2.9 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that (1) add news via an add action to familynews.php or (2) add a prayer via an… |
| CVE-2017-5264 | | High | 0.60 | 8.8 | 0.03 | | Dec 14, 2017 | Versions of Nexpose prior to 6.4.66 fail to adequately validate the source of HTTP requests intended for the Automated Actions administrative web application, and are susceptible to a cross-site request forgery (CSRF) attack. |
| CVE-2017-7851 | | High | 0.60 | 8.8 | 0.02 | | Nov 15, 2017 | D-Link DCS-936L devices with firmware before 1.05.07 have an inadequate CSRF protection mechanism that requires the device's IP address to be a substring of the HTTP Referer header. |
| CVE-2017-16570 | | High | 0.60 | 8.8 | 0.02 | | Nov 6, 2017 | KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by removing the CSRF parameter and value, aka SecureLayer7 issue number SL7_KEYJS_03. In other words, it fails to reject requests that lack an x-csrf-token header. |
| CVE-2017-15808 | | High | 0.60 | 8.8 | 0.01 | | Oct 23, 2017 | In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. |
| CVE-2017-15730 | | High | 0.60 | 8.8 | 0.02 | | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. |