VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 7 of 286
  • CVE-2016-5809HigFeb 13, 2017
    risk 0.60cvss 8.8epss 0.02

    An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. There is no CSRF Token generated to authenticate the user during a session. Successful exploitation of…

  • CVE-2017-5473HigJan 14, 2017
    risk 0.60cvss 8.8epss 0.04

    Cross-site request forgery (CSRF) vulnerability in ntopng through 2.4 allows remote attackers to hijack the authentication of arbitrary users, as demonstrated by admin/add_user.lua, admin/change_user_prefs.lua, admin/delete_user.lua, and admin/password_reset.lua.

  • CVE-2016-4808HigJan 11, 2017
    risk 0.60cvss 8.8epss 0.02

    Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged in user to perform some unwanted actions i.e An attacker can trick an victim to disable the installed application just by sending a URL to…

  • CVE-2015-4593HigJan 10, 2017
    risk 0.60cvss 8.8epss 0.03

    eClinicalWorks Population Health (CCMR) suffers from a cross-site request forgery (CSRF) vulnerability in portalUserService.jsp which allows remote attackers to hijack the authentication of content administrators for requests that could lead to the creation, modification and…

  • CVE-2016-0891HigApr 20, 2016
    risk 0.60cvss 8.8epss 0.04

    Multiple cross-site request forgery (CSRF) vulnerabilities in administrative pages in EMC ViPR SRM before 3.7 allow remote attackers to hijack the authentication of administrators.

  • CVE-2015-6541HigApr 8, 2016
    risk 0.60cvss 8.8epss 0.03

    Multiple cross-site request forgery (CSRF) vulnerabilities in the Mail interface in Zimbra Collaboration Server (ZCS) before 8.5 allow remote attackers to hijack the authentication of arbitrary users for requests that change account preferences via a SOAP request to…

  • CVE-2015-5996HigDec 31, 2015
    risk 0.60cvss 8.8epss 0.01

    Cross-site request forgery (CSRF) vulnerability on Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 allows remote attackers to hijack the authentication of arbitrary users.

  • CVE-2009-3759HigOct 22, 2009
    risk 0.60cvss 8.8epss 0.02

    Multiple cross-site request forgery (CSRF) vulnerabilities in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allow remote attackers to hijack the authentication of administrators for (1) requests that change the password via the username parameter to…

  • CVE-2004-1842HigDec 31, 2004
    risk 0.60cvss 8.8epss 0.02

    Cross-site request forgery (CSRF) vulnerability in Php-Nuke 6.x through 7.1.0 allows remote attackers to gain administrative privileges via an img tag with a URL to admin.php.

  • CVE-2004-1703HigJul 30, 2004
    risk 0.60cvss 8.8epss 0.02

    Fusion News 3.6.1 allows remote attackers to add user accounts, if the administrator is logged in, via a comment that contains an img bbcode tag that calls index.php with the signup action, which is executed when the administrator's browser loads the page with the img tag.

  • CVE-2025-69634CriFeb 12, 2026
    risk 0.59cvss 9.0epss 0.00

    Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who indicates that exploitation can only occur if an unprivileged user knows the token…

  • CVE-2024-40119HigJul 17, 2024
    risk 0.58cvss 8.8epss 0.01

    Nepstech Wifi Router xpon (terminal) model NTPL-Xpon1GFEVN v.1.0 Firmware V2.0.1 contains a Cross-Site Request Forgery (CSRF) vulnerability in the password change function, which allows remote attackers to change the admin password without the user's consent, leading to a…

  • CVE-2022-28108HigApr 19, 2022
    risk 0.58cvss 8.8epss 0.12

    Selenium Server (Grid) before 4 allows CSRF because it permits non-JSON content types such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.

  • CVE-2020-5776HigSep 1, 2020
    risk 0.58cvss 8.8epss 0.15

    Currently, all versions of MAGMI are vulnerable to CSRF due to the lack of CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.

  • CVE-2018-6458HigMay 11, 2018
    risk 0.58cvss 8.8epss 0.10

    Easy Hosting Control Panel (EHCP) v0.37.12.b allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection.

  • CVE-2015-5351HigFeb 25, 2016
    risk 0.58cvss 8.8epss 0.09

    The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a…

  • CVE-2026-44925HigMay 20, 2026
    risk 0.57cvss 8.8epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in InfoScale v.9.1.3 Operations Manager (VIOM) allows an attacker to force the user with an active session into clicking a malicious HTML link, which triggers unintended modifications on VIOM web application without the user's…

  • CVE-2026-8604HigMay 19, 2026
    risk 0.57cvss 8.8epss 0.00

    In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage.

  • CVE-2021-47976HigMay 16, 2026
    risk 0.57cvss 8.8epss 0.00

    TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers can authenticate, retrieve a CSRF token from the plugin event page, and upload…

  • CVE-2026-42289HigMay 12, 2026
    risk 0.57cvss 8.8epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when…