CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 57 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-12540 | — | Hig | 0.50 | 8.8 | 0.02 | Jul 12, 2018 | In version from 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler do not assert that the XSRF Cookie matches the returned XSRF header/form parameter. This allows replay attacks with previously issued tokens which are not expired yet. | |
| CVE-2016-10522 | — | Hig | 0.50 | 8.8 | 0.01 | Jul 5, 2018 | rails_admin ruby gem <v1.1.1 is vulnerable to cross-site request forgery (CSRF) attacks. Non-GET methods were not validating CSRF tokens and, as a result, an attacker could hypothetically gain access to the application administrative endpoints exposed by the gem. | |
| CVE-2018-11406 | — | Hig | 0.50 | 8.8 | 0.01 | Jun 13, 2018 | An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled… | |
| CVE-2014-0594 | Hig | 0.50 | 8.8 | 0.01 | Jun 8, 2018 | In the Open Build Service (OBS) before version 2.4.6 the CSRF protection is incorrectly disabled in the web interface, allowing for requests without the user's consent. | ||
| CVE-2018-9856 | — | Hig | 0.50 | 8.8 | 0.01 | Apr 9, 2018 | Kotti before 1.3.2 and 2.x before 2.0.0b2 has CSRF in the local roles implementation, as demonstrated by triggering a permission change via a /admin-document/@@share request. | |
| CVE-2018-1098 | — | Hig | 0.50 | 8.8 | 0.01 | Apr 3, 2018 | A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST… | |
| CVE-2018-1000086 | — | Hig | 0.50 | 8.8 | 0.01 | Mar 13, 2018 | NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a Cross ite Request Forgery (CSRF) vulnerability in Pym.js _onNavigateToMessage function. https://github.com/nprapps/pym.js/blob/master/src/pym.js#L573 that can result in Arbitrary javascript code execution.… | |
| CVE-2018-6009 | — | Hig | 0.50 | 8.8 | 0.01 | Jan 22, 2018 | In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity. | |
| CVE-2014-0120 | Hig | 0.50 | 8.8 | 0.01 | Dec 29, 2017 | Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f." | ||
| CVE-2017-12631 | Hig | 0.50 | 8.8 | 0.02 | Nov 30, 2017 | Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Style Request Forgery) style vulnerability has been found in the Spring 2, Spring 3 and Spring 4 plugins in versions before 1.4.3 and 1.3.3. The… | ||
| CVE-2015-5170 | Hig | 0.50 | 8.8 | 0.01 | Oct 24, 2017 | Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS and log a user into an arbitrary account by leveraging lack of CSRF… | ||
| CVE-2014-3709 | Hig | 0.50 | 8.8 | 0.01 | Oct 18, 2017 | The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection. | ||
| CVE-2017-15063 | Hig | 0.50 | 8.8 | 0.01 | Oct 6, 2017 | There are CSRF vulnerabilities in Subrion CMS 4.1.x through 4.1.5, and before 4.2.0, because of a logic error. Although there is functionality to detect CSRF, it is called too late in the ia.core.php code, allowing (for example) an attack against the query parameter to… | ||
| CVE-2017-14683 | Hig | 0.50 | 8.8 | 0.01 | Sep 25, 2017 | geminabox (aka Gem in a Box) before 0.13.7 has CSRF, as demonstrated by an unintended gem upload. | ||
| CVE-2015-5395 | Hig | 0.50 | 8.8 | 0.01 | Sep 20, 2017 | Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. | ||
| CVE-2015-5607 | Hig | 0.50 | 8.8 | 0.01 | Sep 20, 2017 | Cross-site request forgery in the REST API in IPython 2 and 3. | ||
| CVE-2015-4619 | Hig | 0.50 | 8.8 | 0.01 | Sep 7, 2017 | Cross-site request forgery (CSRF) vulnerability in Spina before commit bfe44f289e336f80b6593032679300c493735e75. | ||
| CVE-2015-5081 | Hig | 0.50 | 8.8 | 0.01 | Aug 18, 2017 | Cross-site request forgery (CSRF) vulnerability in django CMS before 3.0.14, 3.1.x before 3.1.1 allows remote attackers to manipulate privileged users into performing unknown actions via unspecified vectors. | ||
| CVE-2017-1000069 | Hig | 0.50 | 8.8 | 0.01 | Jul 17, 2017 | CSRF in Bitly oauth2_proxy 2.1 during authentication flow | ||
| CVE-2015-1786 | Hig | 0.50 | 8.8 | 0.01 | Jun 8, 2017 | Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf in Zend Framework 2.3.x before 2.3.6 via null or malformed token identifiers. |
- risk 0.50cvss 8.8epss 0.02
In version from 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler do not assert that the XSRF Cookie matches the returned XSRF header/form parameter. This allows replay attacks with previously issued tokens which are not expired yet.
- risk 0.50cvss 8.8epss 0.01
rails_admin ruby gem <v1.1.1 is vulnerable to cross-site request forgery (CSRF) attacks. Non-GET methods were not validating CSRF tokens and, as a result, an attacker could hypothetically gain access to the application administrative endpoints exposed by the gem.
- risk 0.50cvss 8.8epss 0.01
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled…
- risk 0.50cvss 8.8epss 0.01
In the Open Build Service (OBS) before version 2.4.6 the CSRF protection is incorrectly disabled in the web interface, allowing for requests without the user's consent.
- risk 0.50cvss 8.8epss 0.01
Kotti before 1.3.2 and 2.x before 2.0.0b2 has CSRF in the local roles implementation, as demonstrated by triggering a permission change via a /admin-document/@@share request.
- risk 0.50cvss 8.8epss 0.01
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST…
- risk 0.50cvss 8.8epss 0.01
NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a Cross ite Request Forgery (CSRF) vulnerability in Pym.js _onNavigateToMessage function. https://github.com/nprapps/pym.js/blob/master/src/pym.js#L573 that can result in Arbitrary javascript code execution.…
- risk 0.50cvss 8.8epss 0.01
In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
- risk 0.50cvss 8.8epss 0.01
Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f."
- risk 0.50cvss 8.8epss 0.02
Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Style Request Forgery) style vulnerability has been found in the Spring 2, Spring 3 and Spring 4 plugins in versions before 1.4.3 and 1.3.3. The…
- risk 0.50cvss 8.8epss 0.01
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS and log a user into an arbitrary account by leveraging lack of CSRF…
- risk 0.50cvss 8.8epss 0.01
The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection.
- risk 0.50cvss 8.8epss 0.01
There are CSRF vulnerabilities in Subrion CMS 4.1.x through 4.1.5, and before 4.2.0, because of a logic error. Although there is functionality to detect CSRF, it is called too late in the ia.core.php code, allowing (for example) an attack against the query parameter to…
- risk 0.50cvss 8.8epss 0.01
geminabox (aka Gem in a Box) before 0.13.7 has CSRF, as demonstrated by an unintended gem upload.
- risk 0.50cvss 8.8epss 0.01
Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0.
- risk 0.50cvss 8.8epss 0.01
Cross-site request forgery in the REST API in IPython 2 and 3.
- risk 0.50cvss 8.8epss 0.01
Cross-site request forgery (CSRF) vulnerability in Spina before commit bfe44f289e336f80b6593032679300c493735e75.
- risk 0.50cvss 8.8epss 0.01
Cross-site request forgery (CSRF) vulnerability in django CMS before 3.0.14, 3.1.x before 3.1.1 allows remote attackers to manipulate privileged users into performing unknown actions via unspecified vectors.
- risk 0.50cvss 8.8epss 0.01
CSRF in Bitly oauth2_proxy 2.1 during authentication flow
- risk 0.50cvss 8.8epss 0.01
Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf in Zend Framework 2.3.x before 2.3.6 via null or malformed token identifiers.