VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 54 of 286
  • CVE-2022-43407HigOct 19, 2022
    risk 0.50cvss 8.8epss 0.00

    Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for the given 'input' step (proceed or abort) and is not correctly…

  • CVE-2022-3221HigSep 15, 2022
    risk 0.50cvss 8.8epss 0.01

    Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.3.

  • CVE-2022-36076HigSep 2, 2022
    risk 0.50cvss 8.8epss 0.00

    NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Due to an unnecessarily strict conditional in the code handling the first step of the SSO process, the pre-existing logic that added (and later checked) a nonce was…

  • CVE-2022-36882HigJul 27, 2022
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.

  • CVE-2022-2001HigJul 18, 2022
    risk 0.50cvss 8.8epss 0.01

    The DX Share Selection plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the dxss_admin_page() function found in the ~/dx-share-selection.php file. This makes it possible for…

  • CVE-2022-29050HigApr 12, 2022
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over FTP Plugin 1.16 and earlier allows attackers to connect to an FTP server using attacker-specified credentials.

  • CVE-2022-28136HigMar 29, 2022
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2022-27204HigMar 15, 2022
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers to connect to an attacker-specified URL.

  • CVE-2022-25194HigFeb 15, 2022
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins autonomiq Plugin 1.15 and earlier allows attackers to connect to an attacker-specified URL server using attacker-specified credentials.

  • CVE-2022-25192HigFeb 15, 2022
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Snow Commander Plugin 1.10 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2022-0335HigJan 25, 2022
    risk 0.50cvss 8.8epss 0.01

    A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.

  • CVE-2021-4164HigJan 17, 2022
    risk 0.50cvss 8.8epss 0.01

    calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)

  • CVE-2021-4168HigDec 26, 2021
    risk 0.50cvss 8.8epss 0.01

    showdoc is vulnerable to Cross-Site Request Forgery (CSRF)

  • CVE-2021-4131HigDec 18, 2021
    risk 0.50cvss 8.8epss 0.01

    livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)

  • CVE-2021-4130HigDec 18, 2021
    risk 0.50cvss 8.8epss 0.00

    snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)

  • CVE-2021-4017HigDec 1, 2021
    risk 0.50cvss 8.8epss 0.01

    showdoc is vulnerable to Cross-Site Request Forgery (CSRF)

  • CVE-2021-43559HigNov 22, 2021
    risk 0.50cvss 8.8epss 0.01

    A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.

  • CVE-2021-3901HigOct 27, 2021
    risk 0.50cvss 8.8epss 0.01

    firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

  • CVE-2021-3858HigOct 19, 2021
    risk 0.50cvss 8.8epss 0.01

    snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)

  • CVE-2021-41113HigOct 5, 2021
    risk 0.50cvss 8.8epss 0.01

    TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery. The…