CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 53 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-50766 | Hig | 0.50 | 8.8 | 0.00 | Dec 13, 2023 | A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as XML. | ||
| CVE-2023-47350 | — | Hig | 0.50 | 8.8 | 0.00 | Nov 22, 2023 | Cross-Site Request Forgery (CSRF) vulnerability in SwiftyEdit Content Management System prior to v1.2.0, allows remote attackers to escalate privileges via the user password update functionality. | |
| CVE-2023-48293 | — | Hig | 0.50 | 8.8 | 0.00 | Nov 20, 2023 | The XWiki Admin Tools Application provides tools to help the administration of XWiki. Prior to version 4.5.1, a cross-site request forgery vulnerability in the query on XWiki tool allows executing arbitrary database queries on the database of the XWiki installation. Among other… | |
| CVE-2023-6022 | Hig | 0.50 | 8.8 | 0.00 | Nov 16, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository prefecthq/prefect prior to 2.16.5. | ||
| CVE-2023-5690 | Hig | 0.50 | 8.8 | 0.00 | Oct 20, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.2.2. | ||
| CVE-2023-5511 | Hig | 0.50 | 8.8 | 0.00 | Oct 11, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3. | ||
| CVE-2023-5036 | — | Hig | 0.50 | 8.8 | 0.00 | Sep 18, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.15.1. | |
| CVE-2023-31999 | — | Hig | 0.50 | 8.8 | 0.01 | Jul 4, 2023 | All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and… | |
| CVE-2021-4401 | Hig | 0.50 | 8.8 | 0.01 | Jul 1, 2023 | The Style Kits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.0. This is due to missing or incorrect nonce validation on the update_posts_stylekit() function. This makes it possible for unauthenticated attackers to update… | ||
| CVE-2023-29008 | Hig | 0.50 | 8.8 | 0.00 | Apr 6, 2023 | The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users.… | ||
| CVE-2023-29003 | Hig | 0.50 | 8.8 | 0.01 | Apr 4, 2023 | SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request… | ||
| CVE-2023-28335 | Hig | 0.50 | 8.8 | 0.00 | Mar 23, 2023 | The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk. | ||
| CVE-2023-1033 | Hig | 0.50 | 8.8 | 0.00 | Feb 25, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.11. | ||
| CVE-2023-25767 | Hig | 0.50 | 8.8 | 0.00 | Feb 15, 2023 | A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers to connect to an attacker-specified web server. | ||
| CVE-2022-3568 | Hig | 0.50 | 8.8 | 0.01 | Feb 10, 2023 | The ImageMagick Engine plugin for WordPress is vulnerable to deserialization of untrusted input via the 'cli_path' parameter in versions up to, and including 1.7.5. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site… | ||
| CVE-2022-4844 | — | Hig | 0.50 | 8.8 | 0.00 | Dec 29, 2022 | Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1. | |
| CVE-2016-15005 | — | Hig | 0.50 | 8.8 | 0.00 | Dec 27, 2022 | CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, allowing an attacker to predict values and bypass CSRF protections with relatively few requests. | |
| CVE-2020-28191 | — | Hig | 0.50 | 8.8 | 0.00 | Dec 26, 2022 | The console in Togglz before 2.9.4 allows CSRF. | |
| CVE-2022-40489 | Hig | 0.50 | 8.8 | 0.00 | Dec 1, 2022 | ThinkCMF version 6.0.7 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows a Super Administrator user to be injected into administrative users. | ||
| CVE-2022-43693 | — | Hig | 0.50 | 8.8 | 0.00 | Nov 14, 2022 | Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth. |
- risk 0.50cvss 8.8epss 0.00
A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as XML.
- risk 0.50cvss 8.8epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in SwiftyEdit Content Management System prior to v1.2.0, allows remote attackers to escalate privileges via the user password update functionality.
- risk 0.50cvss 8.8epss 0.00
The XWiki Admin Tools Application provides tools to help the administration of XWiki. Prior to version 4.5.1, a cross-site request forgery vulnerability in the query on XWiki tool allows executing arbitrary database queries on the database of the XWiki installation. Among other…
- risk 0.50cvss 8.8epss 0.00
Cross-Site Request Forgery (CSRF) in GitHub repository prefecthq/prefect prior to 2.16.5.
- risk 0.50cvss 8.8epss 0.00
Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.2.2.
- risk 0.50cvss 8.8epss 0.00
Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3.
- risk 0.50cvss 8.8epss 0.00
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.15.1.
- risk 0.50cvss 8.8epss 0.01
All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and…
- risk 0.50cvss 8.8epss 0.01
The Style Kits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.0. This is due to missing or incorrect nonce validation on the update_posts_stylekit() function. This makes it possible for unauthenticated attackers to update…
- risk 0.50cvss 8.8epss 0.00
The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users.…
- risk 0.50cvss 8.8epss 0.01
SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request…
- risk 0.50cvss 8.8epss 0.00
The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk.
- risk 0.50cvss 8.8epss 0.00
Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.11.
- risk 0.50cvss 8.8epss 0.00
A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers to connect to an attacker-specified web server.
- risk 0.50cvss 8.8epss 0.01
The ImageMagick Engine plugin for WordPress is vulnerable to deserialization of untrusted input via the 'cli_path' parameter in versions up to, and including 1.7.5. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site…
- risk 0.50cvss 8.8epss 0.00
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.
- risk 0.50cvss 8.8epss 0.00
CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, allowing an attacker to predict values and bypass CSRF protections with relatively few requests.
- risk 0.50cvss 8.8epss 0.00
The console in Togglz before 2.9.4 allows CSRF.
- risk 0.50cvss 8.8epss 0.00
ThinkCMF version 6.0.7 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows a Super Administrator user to be injected into administrative users.
- risk 0.50cvss 8.8epss 0.00
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.