VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 55 of 286
  • CVE-2021-3819HigSep 27, 2021
    risk 0.50cvss 8.8epss 0.01

    firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

  • CVE-2021-21679HigAug 31, 2021
    risk 0.50cvss 8.8epss 0.01

    Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

  • CVE-2021-21678HigAug 31, 2021
    risk 0.50cvss 8.8epss 0.01

    Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

  • CVE-2021-3734HigAug 26, 2021
    risk 0.50cvss 8.8epss 0.00

    yourls is vulnerable to Improper Restriction of Rendered UI Layers or Frames

  • CVE-2020-22403HigAug 12, 2021
    risk 0.50cvss 8.8epss 0.01

    Cross Site Request Forgery (CSRF) vulnerability in Express cart v1.1.16 allows attackers to add an administrator account, add discount code or other unspecified impacts.

  • CVE-2020-13663HigJun 11, 2021
    risk 0.50cvss 8.8epss 0.01

    Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

  • CVE-2021-25931HigMay 20, 2021
    risk 0.50cvss 8.8epss 0.01

    In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no…

  • CVE-2021-21633HigMar 30, 2021
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

  • CVE-2021-21629HigMar 30, 2021
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Build With Parameters Plugin 1.5 and earlier allows attackers to build a project with attacker-specified parameters.

  • CVE-2021-21627HigMar 18, 2021
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Libvirt Agents Plugin 1.9.0 and earlier allows attackers to stop hypervisor domains.

  • CVE-2021-21617HigFeb 24, 2021
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Configuration Slicing Plugin 1.51 and earlier allows attackers to apply different slice configurations.

  • CVE-2020-2241HigSep 1, 2020
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to connect to an attacker-specified database server using attacker-specified credentials.

  • CVE-2020-2240HigSep 1, 2020
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to execute arbitrary SQL scripts.

  • CVE-2019-20891HigJun 19, 2020
    risk 0.50cvss 8.8epss 0.01

    WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php.

  • CVE-2017-18903HigJun 19, 2020
    risk 0.50cvss 8.8epss 0.00

    An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled.

  • CVE-2020-2160HigMar 25, 2020
    risk 0.50cvss 8.8epss 0.02

    Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.

  • CVE-2019-19025HigMar 20, 2020
    risk 0.50cvss 8.8epss 0.01

    Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform.

  • CVE-2019-12437HigFeb 19, 2020
    risk 0.50cvss 8.8epss 0.01

    In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations,

  • CVE-2020-7965HigJan 29, 2020
    risk 0.50cvss 8.8epss 0.00

    flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST…

  • CVE-2020-2093HigJan 15, 2020
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers to send an email with fixed content to an attacker-specified recipient.