CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 54 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-43407 | Hig | 0.50 | 8.8 | 0.00 | Oct 19, 2022 | Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for the given 'input' step (proceed or abort) and is not correctly… | ||
| CVE-2022-3221 | — | Hig | 0.50 | 8.8 | 0.01 | Sep 15, 2022 | Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.3. | |
| CVE-2022-36076 | Hig | 0.50 | 8.8 | 0.00 | Sep 2, 2022 | NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Due to an unnecessarily strict conditional in the code handling the first step of the SSO process, the pre-existing logic that added (and later checked) a nonce was… | ||
| CVE-2022-36882 | Hig | 0.50 | 8.8 | 0.01 | Jul 27, 2022 | A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. | ||
| CVE-2022-2001 | Hig | 0.50 | 8.8 | 0.01 | Jul 18, 2022 | The DX Share Selection plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the dxss_admin_page() function found in the ~/dx-share-selection.php file. This makes it possible for… | ||
| CVE-2022-29050 | Hig | 0.50 | 8.8 | 0.01 | Apr 12, 2022 | A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over FTP Plugin 1.16 and earlier allows attackers to connect to an FTP server using attacker-specified credentials. | ||
| CVE-2022-28136 | Hig | 0.50 | 8.8 | 0.01 | Mar 29, 2022 | A cross-site request forgery (CSRF) vulnerability in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. | ||
| CVE-2022-27204 | Hig | 0.50 | 8.8 | 0.01 | Mar 15, 2022 | A cross-site request forgery vulnerability in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers to connect to an attacker-specified URL. | ||
| CVE-2022-25194 | — | Hig | 0.50 | 8.8 | 0.01 | Feb 15, 2022 | A cross-site request forgery (CSRF) vulnerability in Jenkins autonomiq Plugin 1.15 and earlier allows attackers to connect to an attacker-specified URL server using attacker-specified credentials. | |
| CVE-2022-25192 | — | Hig | 0.50 | 8.8 | 0.01 | Feb 15, 2022 | A cross-site request forgery (CSRF) vulnerability in Jenkins Snow Commander Plugin 1.10 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |
| CVE-2022-0335 | Hig | 0.50 | 8.8 | 0.01 | Jan 25, 2022 | A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk. | ||
| CVE-2021-4164 | Hig | 0.50 | 8.8 | 0.01 | Jan 17, 2022 | calibre-web is vulnerable to Cross-Site Request Forgery (CSRF) | ||
| CVE-2021-4168 | — | Hig | 0.50 | 8.8 | 0.01 | Dec 26, 2021 | showdoc is vulnerable to Cross-Site Request Forgery (CSRF) | |
| CVE-2021-4131 | Hig | 0.50 | 8.8 | 0.01 | Dec 18, 2021 | livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF) | ||
| CVE-2021-4130 | Hig | 0.50 | 8.8 | 0.00 | Dec 18, 2021 | snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) | ||
| CVE-2021-4017 | — | Hig | 0.50 | 8.8 | 0.01 | Dec 1, 2021 | showdoc is vulnerable to Cross-Site Request Forgery (CSRF) | |
| CVE-2021-43559 | — | Hig | 0.50 | 8.8 | 0.01 | Nov 22, 2021 | A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk. | |
| CVE-2021-3901 | Hig | 0.50 | 8.8 | 0.01 | Oct 27, 2021 | firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) | ||
| CVE-2021-3858 | Hig | 0.50 | 8.8 | 0.01 | Oct 19, 2021 | snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) | ||
| CVE-2021-41113 | Hig | 0.50 | 8.8 | 0.01 | Oct 5, 2021 | TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery. The… |
- risk 0.50cvss 8.8epss 0.00
Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for the given 'input' step (proceed or abort) and is not correctly…
- risk 0.50cvss 8.8epss 0.01
Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.3.
- risk 0.50cvss 8.8epss 0.00
NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Due to an unnecessarily strict conditional in the code handling the first step of the SSO process, the pre-existing logic that added (and later checked) a nonce was…
- risk 0.50cvss 8.8epss 0.01
A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
- risk 0.50cvss 8.8epss 0.01
The DX Share Selection plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the dxss_admin_page() function found in the ~/dx-share-selection.php file. This makes it possible for…
- risk 0.50cvss 8.8epss 0.01
A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over FTP Plugin 1.16 and earlier allows attackers to connect to an FTP server using attacker-specified credentials.
- risk 0.50cvss 8.8epss 0.01
A cross-site request forgery (CSRF) vulnerability in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
- risk 0.50cvss 8.8epss 0.01
A cross-site request forgery vulnerability in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers to connect to an attacker-specified URL.
- risk 0.50cvss 8.8epss 0.01
A cross-site request forgery (CSRF) vulnerability in Jenkins autonomiq Plugin 1.15 and earlier allows attackers to connect to an attacker-specified URL server using attacker-specified credentials.
- risk 0.50cvss 8.8epss 0.01
A cross-site request forgery (CSRF) vulnerability in Jenkins Snow Commander Plugin 1.10 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
- risk 0.50cvss 8.8epss 0.01
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.
- risk 0.50cvss 8.8epss 0.01
calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)
- risk 0.50cvss 8.8epss 0.01
showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
- risk 0.50cvss 8.8epss 0.01
livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
- risk 0.50cvss 8.8epss 0.00
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)
- risk 0.50cvss 8.8epss 0.01
showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
- risk 0.50cvss 8.8epss 0.01
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.
- risk 0.50cvss 8.8epss 0.01
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
- risk 0.50cvss 8.8epss 0.01
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)
- risk 0.50cvss 8.8epss 0.01
TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery. The…