VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 53 of 286
  • CVE-2023-50766HigDec 13, 2023
    risk 0.50cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as XML.

  • CVE-2023-47350HigNov 22, 2023
    risk 0.50cvss 8.8epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in SwiftyEdit Content Management System prior to v1.2.0, allows remote attackers to escalate privileges via the user password update functionality.

  • CVE-2023-48293HigNov 20, 2023
    risk 0.50cvss 8.8epss 0.00

    The XWiki Admin Tools Application provides tools to help the administration of XWiki. Prior to version 4.5.1, a cross-site request forgery vulnerability in the query on XWiki tool allows executing arbitrary database queries on the database of the XWiki installation. Among other…

  • CVE-2023-6022HigNov 16, 2023
    risk 0.50cvss 8.8epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository prefecthq/prefect prior to 2.16.5.

  • CVE-2023-5690HigOct 20, 2023
    risk 0.50cvss 8.8epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.2.2.

  • CVE-2023-5511HigOct 11, 2023
    risk 0.50cvss 8.8epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3.

  • CVE-2023-5036HigSep 18, 2023
    risk 0.50cvss 8.8epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.15.1.

  • CVE-2023-31999HigJul 4, 2023
    risk 0.50cvss 8.8epss 0.01

    All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and…

  • CVE-2021-4401HigJul 1, 2023
    risk 0.50cvss 8.8epss 0.01

    The Style Kits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.0. This is due to missing or incorrect nonce validation on the update_posts_stylekit() function. This makes it possible for unauthenticated attackers to update…

  • CVE-2023-29008HigApr 6, 2023
    risk 0.50cvss 8.8epss 0.00

    The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users.…

  • CVE-2023-29003HigApr 4, 2023
    risk 0.50cvss 8.8epss 0.01

    SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request…

  • CVE-2023-28335HigMar 23, 2023
    risk 0.50cvss 8.8epss 0.00

    The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk.

  • CVE-2023-1033HigFeb 25, 2023
    risk 0.50cvss 8.8epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.11.

  • CVE-2023-25767HigFeb 15, 2023
    risk 0.50cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers to connect to an attacker-specified web server.

  • CVE-2022-3568HigFeb 10, 2023
    risk 0.50cvss 8.8epss 0.01

    The ImageMagick Engine plugin for WordPress is vulnerable to deserialization of untrusted input via the 'cli_path' parameter in versions up to, and including 1.7.5. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site…

  • CVE-2022-4844HigDec 29, 2022
    risk 0.50cvss 8.8epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.

  • CVE-2016-15005HigDec 27, 2022
    risk 0.50cvss 8.8epss 0.00

    CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, allowing an attacker to predict values and bypass CSRF protections with relatively few requests.

  • CVE-2020-28191HigDec 26, 2022
    risk 0.50cvss 8.8epss 0.00

    The console in Togglz before 2.9.4 allows CSRF.

  • CVE-2022-40489HigDec 1, 2022
    risk 0.50cvss 8.8epss 0.00

    ThinkCMF version 6.0.7 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows a Super Administrator user to be injected into administrative users.

  • CVE-2022-43693HigNov 14, 2022
    risk 0.50cvss 8.8epss 0.00

    Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.