VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 59 of 286
  • CVE-2024-40815HigJul 29, 2024
    risk 0.49cvss 7.5epss 0.01

    A race condition was addressed with additional validation. This issue is fixed in iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6, macOS Ventura 13.6.8, tvOS 17.6, watchOS 10.6. A malicious attacker with arbitrary read and write capability may be able to bypass Pointer…

  • CVE-2024-5551HigJun 14, 2024
    risk 0.49cvss 7.5epss 0.00

    The WP STAGING Pro WordPress Backup Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the 'sub' parameter called from the WP STAGING WordPress Backup Plugin…

  • CVE-2024-32693HigApr 22, 2024
    risk 0.49cvss 7.6epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in ValvePress Automatic.This issue affects Automatic: from n/a before 3.93.0.

  • CVE-2024-31503HigApr 17, 2024
    risk 0.49cvss 7.5epss 0.00

    Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before, allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover.

  • CVE-2023-45141HigOct 16, 2023
    risk 0.49cvss 8.6epss 0.00

    Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions…

  • CVE-2022-24879HigApr 28, 2022
    risk 0.49cvss 7.5epss 0.01

    Shopware is an open source e-commerce software platform. Versions prior to 5.7.9 are vulnerable to malfunction of cross-site request forgery (CSRF) token validation. Under certain circumstances, the CSRF tokens were not generated anew and not validated correctly. This issue is…

  • CVE-2021-23404HigSep 8, 2021
    risk 0.49cvss 7.6epss 0.00

    This affects all versions of package sqlite-web. The SQL dashboard area allows sensitive actions to be performed without validating that the request originated from the application. This could enable an attacker to trick a user into performing these actions unknowingly through a…

  • CVE-2021-33338HigAug 4, 2021
    risk 0.49cvss 7.5epss 0.00

    The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the…

  • CVE-2020-4040HigJun 8, 2020
    risk 0.49cvss 8.6epss 0.02

    Bolt CMS before version 3.7.1 lacked CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF…

  • CVE-2018-8718HigMar 27, 2018
    risk 0.49cvss 8.0epss 0.07

    Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request.

  • CVE-2017-12415HigFeb 20, 2018
    risk 0.49cvss 7.5epss 0.01

    OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.10 (legacy), and 5.3.x before 5.3.5 (maintenance), and Professional Edition…

  • CVE-2017-4928HigNov 17, 2017
    risk 0.49cvss 7.5epss 0.01

    The flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior to 5.5 U3f) i.e. not the new HTML5-based vSphere Client, contains SSRF and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with…

  • CVE-2017-1000092HigOct 5, 2017
    risk 0.49cvss 7.5epss 0.01

    Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a…

  • CVE-2017-12439HigAug 5, 2017
    risk 0.49cvss 7.5epss 0.01

    SocuSoft Flash Slideshow Maker Professional through v5.20, when the advanced configuration is used, has an xml_path HTTP parameter that trusts user-supplied input, in conjunction with an unsafe XML configuration file. This has resultant content forgery, cross site scripting, and…

  • CVE-2017-9062HigMay 18, 2017
    risk 0.49cvss 8.6epss 0.02

    In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API.

  • CVE-2017-6379HigMar 16, 2017
    risk 0.49cvss 7.5epss 0.01

    Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

  • CVE-2017-5169HigFeb 13, 2017
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in Hanwha Techwin Smart Security Manager Versions 1.5 and prior. Multiple Cross Site Request Forgery vulnerabilities have been identified. The flaws exist within the Redis and Apache Felix Gogo servers that are installed as part of this product. By…

  • CVE-2017-5165HigFeb 13, 2017
    risk 0.49cvss 7.6epss 0.01

    An issue was discovered in BINOM3 Universal Multifunctional Electric Power Quality Meter. There is no CSRF Token generated per page and/or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device…

  • CVE-2016-1139HigJan 30, 2016
    risk 0.49cvss 7.5epss 0.01

    Cross-site request forgery (CSRF) vulnerability on KDDI HOME SPOT CUBE devices before 2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

  • CVE-2015-7936HigDec 23, 2015
    risk 0.49cvss 7.5epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Motorola Solutions MOSCAD IP Gateway allows remote attackers to hijack the authentication of administrators for requests that modify a password.