VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 97 of 286
  • CVE-2021-32677HigJun 9, 2021
    risk 0.46cvss 8.2epss 0.01

    FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request…

  • CVE-2021-29435HigApr 13, 2021
    risk 0.46cvss 8.1epss 0.01

    trestle-auth is an authentication plugin for the Trestle admin framework. A vulnerability in trestle-auth versions 0.4.0 and 0.4.1 allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session.…

  • CVE-2020-2321HigDec 3, 2020
    risk 0.46cvss 8.1epss 0.01

    A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier allows attackers to shelve, unshelve, or delete a project.

  • CVE-2020-25263HigOct 8, 2020
    risk 0.46cvss 7.1epss 0.01

    PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/addons/uninstall/anomaly.module.blocks URI: an arbitrary plugin will be deleted.

  • CVE-2020-16253HigAug 5, 2020
    risk 0.46cvss 8.1epss 0.00

    The PgHero gem through 2.6.0 for Ruby allows CSRF.

  • CVE-2019-10462HigOct 23, 2019
    risk 0.46cvss 8.1epss 0.01

    A cross-site request forgery vulnerability in Jenkins Dynatrace Application Monitoring Plugin 2.1.3 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2018-1000417HigJan 9, 2019
    risk 0.46cvss 8.1epss 0.01

    A cross-site request forgery vulnerability exists in Jenkins Email Extension Template Plugin 1.0 and earlier in ExtEmailTemplateManagement.java that allows creating or removing templates.

  • CVE-2018-1000414HigJan 9, 2019
    risk 0.46cvss 8.1epss 0.01

    A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java, FolderConfigFileAction.java that allows creating and editing configuration file definitions.

  • CVE-2018-8814MedApr 4, 2018
    risk 0.46cvss 6.5epss 0.03

    Cross-site request forgery (CSRF) vulnerability in WolfCMS 0.8.3.1 allows remote attackers to hijack the authentication of users for requests that modify plugin/[pluginname]/settings by crafting a malicious request.

  • CVE-2014-4613MedMar 16, 2018
    risk 0.46cvss 6.5epss 0.03

    Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php.

  • CVE-2017-1000504HigJan 24, 2018
    risk 0.46cvss 8.1epss 0.01

    A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins…

  • CVE-2016-1261HigOct 13, 2017
    risk 0.46cvss 7.1epss 0.00

    J-Web does not validate certain input that may lead to cross-site request forgery (CSRF) issues or cause a denial of J-Web service (DoS).

  • CVE-2017-6038HigJun 30, 2017
    risk 0.46cvss 7.1epss 0.00

    A Cross-Site Request Forgery issue was discovered in Belden Hirschmann GECKO Lite Managed switch, Version 2.0.00 and prior versions. The web application does not sufficiently verify that requests were provided by the user who submitted the request.

  • CVE-2017-6914HigMar 15, 2017
    risk 0.46cvss 7.1epss 0.00

    CSRF exists in BigTree CMS 4.1.18 and 4.2.16 with the id parameter to the admin/ajax/users/delete/ page. A user can be deleted.

  • CVE-2025-4375MedMay 9, 2025
    risk 0.45cvss epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Sparx Systems Pro Cloud Server allows Cross-Site Request Forgery to perform Session Hijacking. Cross-Site Request Forgery is present at the whole application but it can be used to change the Pro Cloud Server Configuration…

  • CVE-2024-7035MedMar 20, 2025
    risk 0.45cvss 6.9epss 0.00

    In version v0.3.8 of open-webui/open-webui, sensitive actions such as deleting and resetting are performed using the GET method. This vulnerability allows an attacker to perform Cross-Site Request Forgery (CSRF) attacks, where an unaware user can unintentionally perform…

  • CVE-2020-36836HigOct 16, 2024
    risk 0.45cvss 8.0epss 0.01

    The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized arbitrary file deletion in versions up to, and including, 0.9.0.2 due to a lack of capability checking and insufficient path validation. This makes it possible for authenticated users with minimal…

  • CVE-2024-34069HigMay 6, 2024
    risk 0.45cvss 7.5epss 0.03

    Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and…

  • CVE-2023-34927MedJun 22, 2023
    risk 0.45cvss 6.5epss 0.03

    Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.

  • CVE-2022-41232HigSep 21, 2022
    risk 0.45cvss 8.0epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file by providing a crafted file name to an API endpoint.