CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 59 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-40815 | Hig | 0.49 | 7.5 | 0.01 | Jul 29, 2024 | A race condition was addressed with additional validation. This issue is fixed in iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6, macOS Ventura 13.6.8, tvOS 17.6, watchOS 10.6. A malicious attacker with arbitrary read and write capability may be able to bypass Pointer… | ||
| CVE-2024-5551 | Hig | 0.49 | 7.5 | 0.00 | Jun 14, 2024 | The WP STAGING Pro WordPress Backup Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the 'sub' parameter called from the WP STAGING WordPress Backup Plugin… | ||
| CVE-2024-32693 | Hig | 0.49 | 7.6 | 0.00 | Apr 22, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in ValvePress Automatic.This issue affects Automatic: from n/a before 3.93.0. | ||
| CVE-2024-31503 | Hig | 0.49 | 7.5 | 0.00 | Apr 17, 2024 | Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before, allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover. | ||
| CVE-2023-45141 | Hig | 0.49 | 8.6 | 0.00 | Oct 16, 2023 | Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions… | ||
| CVE-2022-24879 | Hig | 0.49 | 7.5 | 0.01 | Apr 28, 2022 | Shopware is an open source e-commerce software platform. Versions prior to 5.7.9 are vulnerable to malfunction of cross-site request forgery (CSRF) token validation. Under certain circumstances, the CSRF tokens were not generated anew and not validated correctly. This issue is… | ||
| CVE-2021-23404 | — | Hig | 0.49 | 7.6 | 0.00 | Sep 8, 2021 | This affects all versions of package sqlite-web. The SQL dashboard area allows sensitive actions to be performed without validating that the request originated from the application. This could enable an attacker to trick a user into performing these actions unknowingly through a… | |
| CVE-2021-33338 | — | Hig | 0.49 | 7.5 | 0.00 | Aug 4, 2021 | The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the… | |
| CVE-2020-4040 | — | Hig | 0.49 | 8.6 | 0.02 | Jun 8, 2020 | Bolt CMS before version 3.7.1 lacked CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF… | |
| CVE-2018-8718 | — | Hig | 0.49 | 8.0 | 0.07 | Mar 27, 2018 | Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request. | |
| CVE-2017-12415 | Hig | 0.49 | 7.5 | 0.01 | Feb 20, 2018 | OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.10 (legacy), and 5.3.x before 5.3.5 (maintenance), and Professional Edition… | ||
| CVE-2017-4928 | Hig | 0.49 | 7.5 | 0.01 | Nov 17, 2017 | The flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior to 5.5 U3f) i.e. not the new HTML5-based vSphere Client, contains SSRF and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with… | ||
| CVE-2017-1000092 | Hig | 0.49 | 7.5 | 0.01 | Oct 5, 2017 | Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a… | ||
| CVE-2017-12439 | Hig | 0.49 | 7.5 | 0.01 | Aug 5, 2017 | SocuSoft Flash Slideshow Maker Professional through v5.20, when the advanced configuration is used, has an xml_path HTTP parameter that trusts user-supplied input, in conjunction with an unsafe XML configuration file. This has resultant content forgery, cross site scripting, and… | ||
| CVE-2017-9062 | Hig | 0.49 | 8.6 | 0.02 | May 18, 2017 | In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. | ||
| CVE-2017-6379 | Hig | 0.49 | 7.5 | 0.01 | Mar 16, 2017 | Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID. | ||
| CVE-2017-5169 | Hig | 0.49 | 7.5 | 0.01 | Feb 13, 2017 | An issue was discovered in Hanwha Techwin Smart Security Manager Versions 1.5 and prior. Multiple Cross Site Request Forgery vulnerabilities have been identified. The flaws exist within the Redis and Apache Felix Gogo servers that are installed as part of this product. By… | ||
| CVE-2017-5165 | Hig | 0.49 | 7.6 | 0.01 | Feb 13, 2017 | An issue was discovered in BINOM3 Universal Multifunctional Electric Power Quality Meter. There is no CSRF Token generated per page and/or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device… | ||
| CVE-2016-1139 | Hig | 0.49 | 7.5 | 0.01 | Jan 30, 2016 | Cross-site request forgery (CSRF) vulnerability on KDDI HOME SPOT CUBE devices before 2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | ||
| CVE-2015-7936 | Hig | 0.49 | 7.5 | 0.01 | Dec 23, 2015 | Cross-site request forgery (CSRF) vulnerability in Motorola Solutions MOSCAD IP Gateway allows remote attackers to hijack the authentication of administrators for requests that modify a password. |
- risk 0.49cvss 7.5epss 0.01
A race condition was addressed with additional validation. This issue is fixed in iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6, macOS Ventura 13.6.8, tvOS 17.6, watchOS 10.6. A malicious attacker with arbitrary read and write capability may be able to bypass Pointer…
- risk 0.49cvss 7.5epss 0.00
The WP STAGING Pro WordPress Backup Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the 'sub' parameter called from the WP STAGING WordPress Backup Plugin…
- risk 0.49cvss 7.6epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in ValvePress Automatic.This issue affects Automatic: from n/a before 3.93.0.
- risk 0.49cvss 7.5epss 0.00
Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before, allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover.
- risk 0.49cvss 8.6epss 0.00
Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions…
- risk 0.49cvss 7.5epss 0.01
Shopware is an open source e-commerce software platform. Versions prior to 5.7.9 are vulnerable to malfunction of cross-site request forgery (CSRF) token validation. Under certain circumstances, the CSRF tokens were not generated anew and not validated correctly. This issue is…
- risk 0.49cvss 7.6epss 0.00
This affects all versions of package sqlite-web. The SQL dashboard area allows sensitive actions to be performed without validating that the request originated from the application. This could enable an attacker to trick a user into performing these actions unknowingly through a…
- risk 0.49cvss 7.5epss 0.00
The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the…
- risk 0.49cvss 8.6epss 0.02
Bolt CMS before version 3.7.1 lacked CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF…
- risk 0.49cvss 8.0epss 0.07
Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request.
- risk 0.49cvss 7.5epss 0.01
OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x before 4.10.5 (maintenance), and 4.9.x before 4.9.10 (legacy), Enterprise Edition before 6.0.0 RC2 (development), 5.2.x before 5.2.10 (legacy), and 5.3.x before 5.3.5 (maintenance), and Professional Edition…
- risk 0.49cvss 7.5epss 0.01
The flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior to 5.5 U3f) i.e. not the new HTML5-based vSphere Client, contains SSRF and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with…
- risk 0.49cvss 7.5epss 0.01
Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a…
- risk 0.49cvss 7.5epss 0.01
SocuSoft Flash Slideshow Maker Professional through v5.20, when the advanced configuration is used, has an xml_path HTTP parameter that trusts user-supplied input, in conjunction with an unsafe XML configuration file. This has resultant content forgery, cross site scripting, and…
- risk 0.49cvss 8.6epss 0.02
In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API.
- risk 0.49cvss 7.5epss 0.01
Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Hanwha Techwin Smart Security Manager Versions 1.5 and prior. Multiple Cross Site Request Forgery vulnerabilities have been identified. The flaws exist within the Redis and Apache Felix Gogo servers that are installed as part of this product. By…
- risk 0.49cvss 7.6epss 0.01
An issue was discovered in BINOM3 Universal Multifunctional Electric Power Quality Meter. There is no CSRF Token generated per page and/or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device…
- risk 0.49cvss 7.5epss 0.01
Cross-site request forgery (CSRF) vulnerability on KDDI HOME SPOT CUBE devices before 2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
- risk 0.49cvss 7.5epss 0.01
Cross-site request forgery (CSRF) vulnerability in Motorola Solutions MOSCAD IP Gateway allows remote attackers to hijack the authentication of administrators for requests that modify a password.