VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 99 of 286
  • CVE-2024-5676MedJun 19, 2024
    risk 0.44cvss 6.8epss 0.00

    The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to Cross-Site Request Forgery (CSRF) attacks due to a lack of countermeasures and the use of the HTTP method `GET` to introduce changes in the system.

  • CVE-2023-49965MedApr 5, 2024
    risk 0.44cvss 6.8epss 0.00

    SpaceX Starlink Wi-Fi router Gen 2 before 2023.48.0 allows XSS via the ssid and password parameters on the Setup Page.

  • CVE-2022-0088HigApr 3, 2022
    risk 0.44cvss 7.4epss 0.02

    Cross-Site Request Forgery (CSRF) in GitHub repository yourls/yourls prior to 1.8.3.

  • CVE-2020-15135MedAug 4, 2020
    risk 0.44cvss 6.7epss 0.01

    save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing…

  • CVE-2018-10224MedApr 19, 2018
    risk 0.44cvss 6.8epss 0.01

    An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability that can add a tag via /index.php/admin/tag/add.html.

  • CVE-2018-10223MedApr 19, 2018
    risk 0.44cvss 6.8epss 0.01

    An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability that can add an admin account via /index.php/admin/admin_manage/add.html.

  • CVE-2018-5073MedJan 3, 2018
    risk 0.44cvss 6.8epss 0.00

    Online Ticket Booking has CSRF via admin/movieedit.php.

  • CVE-2017-17982MedDec 30, 2017
    risk 0.44cvss 6.8epss 0.00

    PHP Scripts Mall Muslim Matrimonial Script has CSRF via admin/subadmin_edit.php.

  • CVE-2017-17830MedDec 21, 2017
    risk 0.44cvss 6.8epss 0.00

    Bus Booking Script has CSRF via admin/new_master.php.

  • CVE-2017-1000147MedNov 3, 2017
    risk 0.44cvss 6.8epss 0.00

    Mahara 1.9 before 1.9.8 and 1.10 before 1.10.6 and 15.04 before 15.04.3 are vulnerable to perform a cross-site request forgery (CSRF) attack on the uploader contained in Mahara's filebrowser widget. This could allow an attacker to trick a Mahara user into unknowingly uploading…

  • CVE-2009-4139MedJul 27, 2011
    risk 0.44cvss 6.8epss 0.01

    A flaw was found in Spacewalk Java site packages. This cross-site request forgery (CSRF) vulnerability allows a remote attacker to hijack the authentication of arbitrary users. This can lead to unauthorized actions, including disabling user accounts, adding new user accounts, or…

  • CVE-2025-27792HigMar 11, 2025
    risk 0.43cvss epss 0.00

    Opal is OBiBa’s core database application for biobanks or epidemiological studies. Prior to version 5.1.1, the protections against cross-site request forgery (CSRF) were insufficient application-wide. The referrer header is checked, and if it is invalid, the server returns…

  • CVE-2018-6940MedFeb 20, 2018
    risk 0.43cvss 6.1epss 0.03

    A /shell?cmd= XSS issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with CSRF.

  • CVE-2026-11270MedJun 5, 2026
    risk 0.42cvss 6.5epss 0.00

    Inappropriate implementation in UI in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

  • CVE-2026-11214MedJun 4, 2026
    risk 0.42cvss 6.5epss 0.00

    Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-11200MedJun 4, 2026
    risk 0.42cvss 6.5epss 0.00

    Inappropriate implementation in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-11195MedJun 4, 2026
    risk 0.42cvss 6.5epss 0.00

    Inappropriate implementation in MHTML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-11194MedJun 4, 2026
    risk 0.42cvss 6.5epss 0.00

    Inappropriate implementation in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-11148MedJun 4, 2026
    risk 0.42cvss 6.5epss 0.00

    Inappropriate implementation in Payments in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-11139MedJun 4, 2026
    risk 0.42cvss 6.5epss 0.00

    Inappropriate implementation in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)