CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

CWE-345

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (4,557)

page 67 of 228

CVE	Sev	Risk	CVSS	Published	Description
CVE-2024-31093	Hig	0.46	7.1	Apr 15, 2024	Cross-Site Request Forgery (CSRF) vulnerability in Kaloyan K. Tsvetkov Broken Images allows Cross-Site Scripting (XSS).This issue affects Broken Images: from n/a through 0.2.
CVE-2024-31086	Hig	0.46	7.1	Apr 15, 2024	Cross-Site Request Forgery (CSRF) vulnerability in Venugopal Change default login logo,url and title allows Cross-Site Scripting (XSS).This issue affects Change default login logo,url and title: from n/a through 2.0.
CVE-2024-30545	Hig	0.46	7.1	Apr 15, 2024	Cross-Site Request Forgery (CSRF) vulnerability in Nick Powers Social Author Bio allows Stored XSS.This issue affects Social Author Bio: from n/a through 2.4.
CVE-2024-31285	Hig	0.46	7.1	Apr 11, 2024	Cross-Site Request Forgery (CSRF) vulnerability in Tooltip WordPress Tooltips allows Stored XSS.This issue affects WordPress Tooltips: from n/a through 9.5.3.
CVE-2024-2741	Hig	0.46	7.1	Apr 11, 2024	Cross-Site Request Forgery (CSRF) vulnerability in Planet IGS-4215-16T2S, affecting firmware version 1.305b210528. This vulnerability could allow a remote attacker to trick some authenticated users into performing actions in their session, such as adding or updating accounts through the Switch web interface.
CVE-2024-29019	Hig	0.46	8.1	Apr 11, 2024	ESPHome is a system to control microcontrollers remotely through Home Automation systems. API endpoints in dashboard component of ESPHome version 2023.12.9 (command line installation) are vulnerable to Cross-Site Request Forgery (CSRF) allowing remote attackers to carry out attacks against a logged user of the dashboard to perform operations on configuration files (create, edit, delete). It is possible for a malicious actor to create a specifically crafted web page that triggers a cross site request against ESPHome, this allows bypassing the authentication for API calls on the platform. This vulnerability allows bypassing authentication on API calls accessing configuration file operations on the behalf of a logged user. In order to trigger the vulnerability, the victim must visit a weaponized page. In addition to this, it is possible to chain this vulnerability with GHSA-9p43-hj5j-96h5/ CVE-2024-27287 to obtain a complete takeover of the user account. Version 2024.3.0 contains a patch for this issue.
CVE-2024-31299	Hig	0.46	7.1	Apr 10, 2024	Cross-Site Request Forgery (CSRF) vulnerability in Reservation Diary ReDi Restaurant Reservation allows Cross-Site Scripting (XSS).This issue affects ReDi Restaurant Reservation: from n/a through 24.0128.
CVE-2024-31109	Hig	0.46	7.1	Apr 2, 2024	Cross-Site Request Forgery (CSRF) vulnerability in Toastie Studio Woocommerce Social Media Share Buttons allows Stored XSS.This issue affects Woocommerce Social Media Share Buttons: from n/a through 1.3.0.
CVE-2024-31105	Hig	0.46	7.1	Apr 2, 2024	Cross-Site Request Forgery (CSRF) vulnerability in Adam Bowen Tax Rate Upload allows Reflected XSS.This issue affects Tax Rate Upload: from n/a through 2.4.5.
CVE-2024-29773	Hig	0.46	7.1	Mar 27, 2024	Cross-Site Request Forgery (CSRF) vulnerability in BizSwoop a CPF Concepts, LLC Brand BizPrint allows Cross-Site Scripting (XSS).This issue affects BizPrint: from n/a through 4.5.5.
CVE-2023-39311	Hig	0.46	7.1	Mar 27, 2024	Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Fusion Builder.This issue affects Fusion Builder: from n/a through 3.11.1.
CVE-2024-27968	Hig	0.46	7.1	Mar 21, 2024	Cross-Site Request Forgery (CSRF) vulnerability in Optimole Super Page Cache for Cloudflare allows Stored XSS.This issue affects Super Page Cache for Cloudflare: from n/a through 4.7.5.
CVE-2024-27197	Hig	0.46	7.1	Mar 16, 2024	Cross-Site Request Forgery (CSRF) vulnerability in Bee BeePress allows Stored XSS.This issue affects BeePress: from n/a through 6.9.8.
CVE-2024-27195	Hig	0.46	7.1	Mar 16, 2024	Cross-Site Request Forgery (CSRF) vulnerability in sverde1 Watermark RELOADED watermark-reloaded allows Cross Site Request Forgery.This issue affects Watermark RELOADED: from n/a through <= 1.3.5.
CVE-2024-27194	Hig	0.46	7.1	Mar 16, 2024	Cross-Site Request Forgery (CSRF) vulnerability in Andrei Ivasiuc Fontific \| Google Fonts allows Stored XSS.This issue affects Fontific \| Google Fonts: from n/a through 0.1.6.
CVE-2024-21752	Hig	0.46	7.1	Feb 29, 2024	Cross-Site Request Forgery (CSRF) vulnerability in Ernest Marcinko Ajax Search Lite allows Reflected XSS.This issue affects Ajax Search Lite: from n/a through 4.11.4.
CVE-2024-24843	Hig	0.46	7.1	Feb 21, 2024	Cross-Site Request Forgery (CSRF) vulnerability in PowerPack Addons for Elementor PowerPack Pro for Elementor.This issue affects PowerPack Pro for Elementor: from n/a before 2.10.8.
CVE-2024-0428	Hig	0.46	7.1	Feb 5, 2024	The Index Now plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.3. This is due to missing or incorrect nonce validation on the 'reset_form' function. This makes it possible for unauthenticated attackers to delete arbitrary site options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-22290	Hig	0.46	7.1	Jan 31, 2024	Cross-Site Request Forgery (CSRF) vulnerability in AboZain,O7abeeb,UnitOne Custom Dashboard Widgets allows Cross-Site Scripting (XSS).This issue affects Custom Dashboard Widgets: from n/a through 1.3.1.
CVE-2024-22287	Hig	0.46	7.1	Jan 31, 2024	Cross-Site Request Forgery (CSRF) vulnerability in Luděk Melichar Better Anchor Links allows Cross-Site Scripting (XSS).This issue affects Better Anchor Links: from n/a through 1.7.5.

CVE-2024-31093HigApr 15, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Kaloyan K. Tsvetkov Broken Images allows Cross-Site Scripting (XSS).This issue affects Broken Images: from n/a through 0.2.
CVE-2024-31086HigApr 15, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Venugopal Change default login logo,url and title allows Cross-Site Scripting (XSS).This issue affects Change default login logo,url and title: from n/a through 2.0.
CVE-2024-30545HigApr 15, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Nick Powers Social Author Bio allows Stored XSS.This issue affects Social Author Bio: from n/a through 2.4.
CVE-2024-31285HigApr 11, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Tooltip WordPress Tooltips allows Stored XSS.This issue affects WordPress Tooltips: from n/a through 9.5.3.
CVE-2024-2741HigApr 11, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Planet IGS-4215-16T2S, affecting firmware version 1.305b210528. This vulnerability could allow a remote attacker to trick some authenticated users into performing actions in their session, such as adding or updating accounts through the Switch web interface.
CVE-2024-29019HigApr 11, 2024
risk 0.46cvss 8.1epss 0.00
ESPHome is a system to control microcontrollers remotely through Home Automation systems. API endpoints in dashboard component of ESPHome version 2023.12.9 (command line installation) are vulnerable to Cross-Site Request Forgery (CSRF) allowing remote attackers to carry out attacks against a logged user of the dashboard to perform operations on configuration files (create, edit, delete). It is possible for a malicious actor to create a specifically crafted web page that triggers a cross site request against ESPHome, this allows bypassing the authentication for API calls on the platform. This vulnerability allows bypassing authentication on API calls accessing configuration file operations on the behalf of a logged user. In order to trigger the vulnerability, the victim must visit a weaponized page. In addition to this, it is possible to chain this vulnerability with GHSA-9p43-hj5j-96h5/ CVE-2024-27287 to obtain a complete takeover of the user account. Version 2024.3.0 contains a patch for this issue.
CVE-2024-31299HigApr 10, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Reservation Diary ReDi Restaurant Reservation allows Cross-Site Scripting (XSS).This issue affects ReDi Restaurant Reservation: from n/a through 24.0128.
CVE-2024-31109HigApr 2, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Toastie Studio Woocommerce Social Media Share Buttons allows Stored XSS.This issue affects Woocommerce Social Media Share Buttons: from n/a through 1.3.0.
CVE-2024-31105HigApr 2, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Adam Bowen Tax Rate Upload allows Reflected XSS.This issue affects Tax Rate Upload: from n/a through 2.4.5.
CVE-2024-29773HigMar 27, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in BizSwoop a CPF Concepts, LLC Brand BizPrint allows Cross-Site Scripting (XSS).This issue affects BizPrint: from n/a through 4.5.5.
CVE-2023-39311HigMar 27, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Fusion Builder.This issue affects Fusion Builder: from n/a through 3.11.1.
CVE-2024-27968HigMar 21, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Optimole Super Page Cache for Cloudflare allows Stored XSS.This issue affects Super Page Cache for Cloudflare: from n/a through 4.7.5.
CVE-2024-27197HigMar 16, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Bee BeePress allows Stored XSS.This issue affects BeePress: from n/a through 6.9.8.
CVE-2024-27195HigMar 16, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in sverde1 Watermark RELOADED watermark-reloaded allows Cross Site Request Forgery.This issue affects Watermark RELOADED: from n/a through <= 1.3.5.
CVE-2024-27194HigMar 16, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Andrei Ivasiuc Fontific | Google Fonts allows Stored XSS.This issue affects Fontific | Google Fonts: from n/a through 0.1.6.
CVE-2024-21752HigFeb 29, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Ernest Marcinko Ajax Search Lite allows Reflected XSS.This issue affects Ajax Search Lite: from n/a through 4.11.4.
CVE-2024-24843HigFeb 21, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in PowerPack Addons for Elementor PowerPack Pro for Elementor.This issue affects PowerPack Pro for Elementor: from n/a before 2.10.8.
CVE-2024-0428HigFeb 5, 2024
risk 0.46cvss 7.1epss 0.00
The Index Now plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.3. This is due to missing or incorrect nonce validation on the 'reset_form' function. This makes it possible for unauthenticated attackers to delete arbitrary site options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-22290HigJan 31, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in AboZain,O7abeeb,UnitOne Custom Dashboard Widgets allows Cross-Site Scripting (XSS).This issue affects Custom Dashboard Widgets: from n/a through 1.3.1.
CVE-2024-22287HigJan 31, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Luděk Melichar Better Anchor Links allows Cross-Site Scripting (XSS).This issue affects Better Anchor Links: from n/a through 1.7.5.