VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 58 of 286
  • CVE-2017-9064HigMay 18, 2017
    risk 0.50cvss 8.8epss 0.02

    In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials.

  • CVE-2017-7662HigMay 16, 2017
    risk 0.50cvss 8.8epss 0.01

    Apache CXF Fediz ships with an OpenId Connect (OIDC) service which has a Client Registration Service, which is a simple web application that allows clients to be created, deleted, etc. A CSRF (Cross Style Request Forgery) style vulnerability has been found in this web…

  • CVE-2016-0720HigApr 21, 2017
    risk 0.50cvss 8.8epss 0.01

    Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149.

  • CVE-2016-3734HigApr 20, 2017
    risk 0.50cvss 8.8epss 0.01

    Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of users for requests that marks forum posts as read.

  • CVE-2015-8814HigMar 3, 2017
    risk 0.50cvss 8.8epss 0.01

    Umbraco before 7.4.0 allows remote attackers to bypass anti-forgery security measures and conduct cross-site request forgery (CSRF) attacks as demonstrated by editing user account information in the templates.asmx.cs file.

  • CVE-2017-5489HigJan 15, 2017
    risk 0.50cvss 8.8epss 0.01

    Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload.

  • CVE-2016-6801HigSep 21, 2016
    risk 0.50cvss 8.8epss 0.02

    Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to…

  • CVE-2016-1607HigAug 1, 2016
    risk 0.50cvss 7.2epss 0.03

    Multiple cross-site request forgery (CSRF) vulnerabilities in the administrative interface in Novell Filr before 2.0 Security Update 2 allow remote attackers to hijack the authentication of administrators, as demonstrated by reconfiguring time settings via a vaconfig/time…

  • CVE-2016-2157HigMay 22, 2016
    risk 0.50cvss 8.8epss 0.01

    Cross-site request forgery (CSRF) vulnerability in mod/assign/adminmanageplugins.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to hijack the authentication of administrators for requests…

  • CVE-2015-5338HigFeb 22, 2016
    risk 0.50cvss 8.8epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote attackers to hijack the authentication of arbitrary users for requests to (1)…

  • CVE-2015-7538HigFeb 3, 2016
    risk 0.50cvss 8.8epss 0.02

    Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

  • CVE-2015-7537HigFeb 3, 2016
    risk 0.50cvss 8.8epss 0.02

    Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

  • CVE-2015-8379HigJan 26, 2016
    risk 0.50cvss 8.8epss 0.01

    CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter.

  • CVE-2026-11265HigJun 5, 2026
    risk 0.49cvss 7.5epss 0.00

    Inappropriate implementation in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

  • CVE-2026-34896HigApr 7, 2026
    risk 0.49cvss 7.5epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Analytify Under Construction, Coming Soon & Maintenance Mode allows Cross Site Request Forgery.This issue affects Under Construction, Coming Soon & Maintenance Mode: from n/a through 2.1.1.

  • CVE-2025-62771HigOct 22, 2025
    risk 0.49cvss 7.5epss 0.00

    Mercku M6a devices through 2.1.0 allow password changes via intranet CSRF attacks.

  • CVE-2025-54052HigAug 20, 2025
    risk 0.49cvss 7.5epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Realtyna Realtyna Organic IDX plugin real-estate-listing-realtyna-wpl allows PHP Local File Inclusion.This issue affects Realtyna Organic IDX plugin: from n/a through <= 5.0.0.

  • CVE-2025-24289HigJun 29, 2025
    risk 0.49cvss 7.5epss 0.00

    A Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) vulnerability in the UCRM Client Signup Plugin (v1.3.4 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. The plugin is disabled by default.

  • CVE-2025-2111HigApr 19, 2025
    risk 0.49cvss 7.5epss 0.00

    The Insert Headers And Footers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.1. This is due to missing or incorrect nonce validation on the 'custom_plugin_set_option' function. This makes it possible for…

  • CVE-2025-24900HigFeb 11, 2025
    risk 0.49cvss 8.6epss 0.00

    Concorde, formerly know as Nexkey, is a fork of the federated microblogging platform Misskey. Due to a lack of CSRF countermeasures and improper settings of cookies for MediaProxy authentication, there is a vulnerability that allows MediaProxy authentication to be bypassed. In…