VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 56 of 286
  • CVE-2020-2090HigJan 15, 2020
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

  • CVE-2019-16553HigDec 17, 2019
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier allows attackers to have Jenkins evaluate a computationally expensive regular expression.

  • CVE-2019-16551HigDec 17, 2019
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials.

  • CVE-2019-16550HigDec 17, 2019
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in a connection test form method in Jenkins Maven Release Plugin 0.16.1 and earlier allows attackers to have Jenkins connect to an attacker specified web server and parse XML documents.

  • CVE-2019-16548HigNov 21, 2019
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins Google Compute Engine Plugin 4.1.1 and earlier in ComputeEngineCloud#doProvision could be used to provision new agents.

  • CVE-2011-4952HigNov 19, 2019
    risk 0.50cvss 8.8epss 0.01

    cobbler: Web interface lacks CSRF protection when using Django framework

  • CVE-2019-10471HigOct 23, 2019
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins Libvirt Slaves Plugin allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2019-10437HigOct 16, 2019
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2019-16993HigSep 30, 2019
    risk 0.50cvss 8.8epss 0.01

    In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an attacker also manages to retrieve the session id of a reauthenticated administrator…

  • CVE-2019-10384HigAug 28, 2019
    risk 0.50cvss 8.8epss 0.02

    Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

  • CVE-2019-7865HigAug 2, 2019
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability exists in the checkout cart item of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited at the time of editing or configuration.

  • CVE-2019-10186HigJul 31, 2019
    risk 0.50cvss 8.8epss 0.01

    A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool.

  • CVE-2019-13594HigJul 14, 2019
    risk 0.50cvss 8.8epss 0.01

    In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server.

  • CVE-2019-10340HigJul 11, 2019
    risk 0.50cvss 8.8epss 0.01

    A cross-site request forgery vulnerability in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another…

  • CVE-2015-9284HigApr 26, 2019
    risk 0.50cvss 8.8epss 0.02

    The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary…

  • CVE-2019-10642HigApr 17, 2019
    risk 0.50cvss 8.8epss 0.01

    Contao 4.7 allows CSRF.

  • CVE-2017-18366HigApr 15, 2019
    risk 0.50cvss 8.8epss 0.01

    Subrion CMS 4.1.5 has CSRF in blog/delete/.

  • CVE-2017-17835HigJan 23, 2019
    risk 0.50cvss 8.8epss 0.01

    In Apache Airflow 1.8.2 and earlier, a CSRF vulnerability allowed for a remote command injection on a default install of Airflow.

  • CVE-2018-20595HigDec 30, 2018
    risk 0.50cvss 8.8epss 0.01

    A CSRF issue was discovered in web/authorization/oauth2/controller/OAuth2ClientController.java in hsweb 3.0.4 because the state parameter in the request is not compared with the state parameter in the session after user authentication is successful.

  • CVE-2018-14603HigJul 27, 2018
    risk 0.50cvss 8.8epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. CSRF can occur in the Test feature of the System Hooks component.