CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 55 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-3819 | Hig | 0.50 | 8.8 | 0.01 | Sep 27, 2021 | firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) | ||
| CVE-2021-21679 | Hig | 0.50 | 8.8 | 0.01 | Aug 31, 2021 | Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins. | ||
| CVE-2021-21678 | Hig | 0.50 | 8.8 | 0.01 | Aug 31, 2021 | Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins. | ||
| CVE-2021-3734 | Hig | 0.50 | 8.8 | 0.00 | Aug 26, 2021 | yourls is vulnerable to Improper Restriction of Rendered UI Layers or Frames | ||
| CVE-2020-22403 | — | Hig | 0.50 | 8.8 | 0.01 | Aug 12, 2021 | Cross Site Request Forgery (CSRF) vulnerability in Express cart v1.1.16 allows attackers to add an administrator account, add discount code or other unspecified impacts. | |
| CVE-2020-13663 | Hig | 0.50 | 8.8 | 0.01 | Jun 11, 2021 | Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities. | ||
| CVE-2021-25931 | — | Hig | 0.50 | 8.8 | 0.01 | May 20, 2021 | In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no… | |
| CVE-2021-21633 | Hig | 0.50 | 8.8 | 0.01 | Mar 30, 2021 | A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins. | ||
| CVE-2021-21629 | Hig | 0.50 | 8.8 | 0.01 | Mar 30, 2021 | A cross-site request forgery (CSRF) vulnerability in Jenkins Build With Parameters Plugin 1.5 and earlier allows attackers to build a project with attacker-specified parameters. | ||
| CVE-2021-21627 | Hig | 0.50 | 8.8 | 0.01 | Mar 18, 2021 | A cross-site request forgery (CSRF) vulnerability in Jenkins Libvirt Agents Plugin 1.9.0 and earlier allows attackers to stop hypervisor domains. | ||
| CVE-2021-21617 | Hig | 0.50 | 8.8 | 0.01 | Feb 24, 2021 | A cross-site request forgery (CSRF) vulnerability in Jenkins Configuration Slicing Plugin 1.51 and earlier allows attackers to apply different slice configurations. | ||
| CVE-2020-2241 | Hig | 0.50 | 8.8 | 0.01 | Sep 1, 2020 | A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to connect to an attacker-specified database server using attacker-specified credentials. | ||
| CVE-2020-2240 | Hig | 0.50 | 8.8 | 0.01 | Sep 1, 2020 | A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to execute arbitrary SQL scripts. | ||
| CVE-2019-20891 | — | Hig | 0.50 | 8.8 | 0.01 | Jun 19, 2020 | WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php. | |
| CVE-2017-18903 | — | Hig | 0.50 | 8.8 | 0.00 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled. | |
| CVE-2020-2160 | Hig | 0.50 | 8.8 | 0.02 | Mar 25, 2020 | Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL. | ||
| CVE-2019-19025 | — | Hig | 0.50 | 8.8 | 0.01 | Mar 20, 2020 | Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform. | |
| CVE-2019-12437 | — | Hig | 0.50 | 8.8 | 0.01 | Feb 19, 2020 | In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations, | |
| CVE-2020-7965 | — | Hig | 0.50 | 8.8 | 0.00 | Jan 29, 2020 | flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST… | |
| CVE-2020-2093 | Hig | 0.50 | 8.8 | 0.01 | Jan 15, 2020 | A cross-site request forgery vulnerability in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers to send an email with fixed content to an attacker-specified recipient. |
- risk 0.50cvss 8.8epss 0.01
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
- risk 0.50cvss 8.8epss 0.01
Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
- risk 0.50cvss 8.8epss 0.01
Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
- risk 0.50cvss 8.8epss 0.00
yourls is vulnerable to Improper Restriction of Rendered UI Layers or Frames
- risk 0.50cvss 8.8epss 0.01
Cross Site Request Forgery (CSRF) vulnerability in Express cart v1.1.16 allows attackers to add an administrator account, add discount code or other unspecified impacts.
- risk 0.50cvss 8.8epss 0.01
Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
- risk 0.50cvss 8.8epss 0.01
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no…
- risk 0.50cvss 8.8epss 0.01
A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.
- risk 0.50cvss 8.8epss 0.01
A cross-site request forgery (CSRF) vulnerability in Jenkins Build With Parameters Plugin 1.5 and earlier allows attackers to build a project with attacker-specified parameters.
- risk 0.50cvss 8.8epss 0.01
A cross-site request forgery (CSRF) vulnerability in Jenkins Libvirt Agents Plugin 1.9.0 and earlier allows attackers to stop hypervisor domains.
- risk 0.50cvss 8.8epss 0.01
A cross-site request forgery (CSRF) vulnerability in Jenkins Configuration Slicing Plugin 1.51 and earlier allows attackers to apply different slice configurations.
- risk 0.50cvss 8.8epss 0.01
A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to connect to an attacker-specified database server using attacker-specified credentials.
- risk 0.50cvss 8.8epss 0.01
A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to execute arbitrary SQL scripts.
- risk 0.50cvss 8.8epss 0.01
WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php.
- risk 0.50cvss 8.8epss 0.00
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled.
- risk 0.50cvss 8.8epss 0.02
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.
- risk 0.50cvss 8.8epss 0.01
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform.
- risk 0.50cvss 8.8epss 0.01
In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations,
- risk 0.50cvss 8.8epss 0.00
flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST…
- risk 0.50cvss 8.8epss 0.01
A cross-site request forgery vulnerability in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers to send an email with fixed content to an attacker-specified recipient.