CWE-352— Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.— MITRE CWE catalog
8,836 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-352page 26 of 177
- CVE-2018-10031HIGHCVSS 8.8EG 8.82018-04-11
CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/moduleinterface.php.
- CVE-2018-10048HIGHCVSS 8.8EG 8.82018-04-11
iScripts eSwap v2.4 has CSRF via "registration_settings.php" in the Admin Panel.
- CVE-2018-10099MEDIUMCVSS 5.3EG 5.32018-11-20
Google Monorail before 2018-04-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with duplicated columns) can be used to obtain sensitive infor…
- CVE-2018-10117HIGHCVSS 8.8EG 8.82018-04-16
An issue was discovered in idreamsoft iCMS V7.0.7. There is a CSRF vulnerability that can add an admin account via admincp.php?app=members&do=save&frame=iPHP.
- CVE-2018-10127HIGHCVSS 8.8EG 8.82018-04-16
An issue was discovered in XYHCMS 3.5. It has CSRF via an index.php?g=Manage&m=Rbac&a=addUser request, resulting in addition of an account with the administrator role.
- CVE-2018-10132HIGHCVSS 8.8EG 8.82018-04-16
PbootCMS v0.9.8 has CSRF via an admin.php/Message/mod/id/19.html?backurl=/index.php request, resulting in PHP code injection in the recontent parameter.
- CVE-2018-10137HIGHCVSS 8.8EG 8.82018-04-16
iScripts UberforX 2.2 has CSRF in the "manage_settings" section of the Admin Panel via the /cms?section=manage_settings&action=edit URI.
- CVE-2018-10166HIGHCVSS 8.8EG 8.82018-05-03
The web management interface in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows does not have Anti-CSRF tokens in any forms. This would allow an attacker to submit authenticated requests when an authent…
- CVE-2018-10185HIGHCVSS 8.8EG 8.82018-04-17
An issue was discovered in TuziCMS v2.0.6. There is a CSRF vulnerability that can add an admin account, as demonstrated by a history.pushState call.
- CVE-2018-10188HIGHCVSS 8.8EG 8.82018-04-19
phpMyAdmin 4.8.0 before 4.8.0-1 has CSRF, allowing an attacker to execute arbitrary SQL statements, related to js/db_operations.js, js/tbl_operations.js, libraries/classes/Operations.php, and sql.php.
- CVE-2018-10222HIGHCVSS 8.8EG 8.82018-04-19
An issue was discovered in idreamsoft iCMS V7.0. There is a CSRF vulnerability that can add a Column via /admincp.php?app=article_category&do=save&frame=iPHP.
- CVE-2018-10223MEDIUMCVSS 6.8EG 6.82018-04-19
An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability that can add an admin account via /index.php/admin/admin_manage/add.html.
- CVE-2018-10224MEDIUMCVSS 6.8EG 6.82018-04-19
An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability that can add a tag via /index.php/admin/tag/add.html.
- CVE-2018-10232MEDIUMCVSS 6.5EG 6.52018-07-11
Cross-site request forgery (CSRF) vulnerability in TOPdesk before 8.05.017 (June 2018 version) and before 5.7.SR9 allows remote attackers to hijack the authentication of authenticated users for requests that can obtain sensitive informatio…
- CVE-2018-10233HIGHCVSS 8.8EG 8.82018-04-23
The User Profile & Membership plugin before 2.0.7 for WordPress has no mitigations implemented against cross site request forgery attacks. This is a structural finding throughout the entire plugin.
- CVE-2018-10248MEDIUMCVSS 6.5EG 6.52018-04-20
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can delete any article via index.php?m=content&f=content&v=recycle_delete.
- CVE-2018-10249HIGHCVSS 8.8EG 8.82018-04-20
baijiacms V3 has CSRF via index.php?mod=site&op=edituser&name=manager&do=user to add an administrator account.
- CVE-2018-10265HIGHCVSS 8.8EG 8.82018-04-22
An issue was discovered in HongCMS v3.0.0. There is a CSRF vulnerability that can add an administrator account via the admin/index.php/users/save URI.
- CVE-2018-10266HIGHCVSS 8.8EG 8.82018-04-22
BEESCMS 4.0 has a CSRF vulnerability to add an administrator account via the admin/admin_admin.php?nav=list_admin_user&admin_p_nav=user URI.
- CVE-2018-10267HIGHCVSS 8.8EG 8.82018-04-22
WTCMS 1.0 has a CSRF vulnerability to add an administrator account via the index.php?admin&m=user&a=add_post URI.
- CVE-2018-10295HIGHCVSS 8.8EG 8.82018-04-22
ChemCMS v1.0.6 has CSRF by using public/admin/user/addpost.html to add an administrator account.
- CVE-2018-10312HIGHCVSS 8.8EG 8.82018-04-24
index.php?m=member&v=pw_reset in WUZHI CMS 4.1.0 allows CSRF to change the password of a common member.
- CVE-2018-10503HIGHCVSS 8.8EG 8.82018-04-27
An issue was discovered in index.php in baijiacms V4 v4_1_4_20170105. CSRF allows adding an administrator account via op=edituser, changing the administrator password via op=changepwd, or deleting an account via op=deleteuser.
- CVE-2018-10554MEDIUMCVSS 5.4EG 5.42018-04-30
An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable via CSRF in (1) the Schedule New Report screen via the hour, minute, or ampm parameter, related to components/scheduledreporting; (2) includes/components/xicore/downtime…
- CVE-2018-10696HIGHCVSS 8.8EG 8.82019-06-07
An issue was discovered on Moxa AWK-3121 1.14 devices. The device provides a web interface to allow an administrator to manage the device. However, this interface is not protected against CSRF attacks, which allows an attacker to trick an …
- CVE-2018-10758MEDIUMCVSS 6.5EG 6.52018-05-05
The edit/ URI in Datenstrom Yellow 0.7.3 has CSRF via a delete action that can delete articles.
- CVE-2018-10803MEDIUMCVSS 6.1EG 6.12018-05-10
Cross-site scripting (XSS) vulnerability in the add credentials functionality in Zoho ManageEngine NetFlow Analyzer v12.3 before 12.3.125 (build 123125) allows remote attackers to inject arbitrary web script or HTML via a crafted descripti…
- CVE-2018-10806MEDIUMCVSS 5.4EG 5.42018-05-08
An issue was discovered in Frog CMS 0.9.5. There is a reflected Cross Site Scripting Vulnerability via the file[current_name] parameter to the admin/?/plugin/file_manager/rename URI. This can be used in conjunction with CSRF.
- CVE-2018-10884HIGHCVSS 8.8EG 8.82018-08-22
Ansible Tower before versions 3.1.8 and 3.2.6 is vulnerable to cross-site request forgery (CSRF) in awx/api/authentication.py. An attacker could exploit this by tricking already authenticated users into visiting a malicious site and hijack…
- CVE-2018-10895CRITICALCVSS 9.3EG 9.32018-07-12
qutebrowser before version 1.4.1 is vulnerable to a cross-site request forgery flaw that allows websites to access 'qute://*' URLs. A malicious website could exploit this to load a 'qute://settings/set' URL, which then sets 'editor.command…
- CVE-2018-10899HIGHCVSS 8.1EG 8.12019-08-01
A flaw was found in Jolokia versions from 1.2 to before 1.6.1. Affected versions are vulnerable to a system-wide CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. This could resul…
- CVE-2018-10957HIGHCVSS 8.8EG 8.82018-05-10
CSRF exists on D-Link DIR-868L devices, leading to (for example) a change to the Admin password. hedwig.cgi and pigwidgeon.cgi are two of the affected components.
- CVE-2018-1098HIGHCVSS 8.8EG 8.82018-04-03
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't…
- CVE-2018-10986HIGHCVSS 8.8EG 8.82019-07-03
OX Guard 2.8.0 has CSRF.
- CVE-2018-11003MEDIUMCVSS 6.5EG 6.52018-05-12
An issue was discovered in YXcms 1.4.7. Cross-site request forgery (CSRF) vulnerability in protected/apps/admin/controller/adminController.php allows remote attackers to delete administrator accounts via index.php?r=admin/admin/admindel.
- CVE-2018-11004HIGHCVSS 8.8EG 8.82018-05-12
An issue was discovered in SDcms v1.5. Cross-site request forgery (CSRF) vulnerability in /WWW//app/admin/controller/admincontroller.php allows remote attackers to add administrator accounts via m=admin&c=admin&a=add.
- CVE-2018-11018HIGHCVSS 8.8EG 8.82018-05-13
An issue was discovered in PbootCMS v1.0.7. Cross-site request forgery (CSRF) vulnerability in apps/admin/controller/system/RoleController.php allows remote attackers to add administrator accounts via admin.php/role/add.html.
- CVE-2018-11092MEDIUMCVSS 6.5EG 6.52018-05-21
An issue was discovered in the Admin Notes plugin 1.1 for MyBB. CSRF allows an attacker to remotely delete all admin notes via an admin/index.php?empty=table (aka Clear Table) action.
- CVE-2018-11096MEDIUMCVSS 6.5EG 6.52018-05-21
Horse Market Sell & Rent Portal Script 1.5.7 has a CSRF vulnerability through which an attacker can change all of the target's account information remotely.
- CVE-2018-11126HIGHCVSS 8.8EG 8.82018-05-15
dg-user/?controller=users&action=add in doorGets 7.0 has CSRF that results in adding an administrator account.
- CVE-2018-11127MEDIUMCVSS 6.5EG 6.52018-05-15
e107 2.1.7 has CSRF resulting in arbitrary user deletion.
- CVE-2018-11349HIGHCVSS 8.8EG 8.82018-07-07
The administration panel of Jirafeau before 3.4.1 is vulnerable to three CSRF attacks on search functionalities: search_by_name, search_by_hash, and search_link.
- CVE-2018-11371HIGHCVSS 8.8EG 8.82018-05-22
SkyCaiji 1.2 allows CSRF to add an Administrator user.
- CVE-2018-11405HIGHCVSS 8.8EG 8.82018-05-24
Kliqqi 2.0.2 has CSRF in admin/admin_users.php.
- CVE-2018-11406HIGHCVSS 8.8EG 8.82018-06-13
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged o…
- CVE-2018-11427HIGHCVSS 8.8EG 8.82019-07-03
CSRF tokens are not used in the web application of Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior, which makes it possible to perform CSRF attacks on the device administrator.
- CVE-2018-11442HIGHCVSS 8.8EG 8.82018-05-25
A CSRF issue was discovered in EasyService Billing 1.0, which was triggered via a quotation-new3-new2.php?add=true&id= URI, as demonstrated by adding a new quotation.
- CVE-2018-11445HIGHCVSS 8.8EG 8.82018-05-25
A CSRF issue was discovered on the User Add/System Settings Page (system-settings-user-new2.php) in EasyService Billing 1.0. A User can be added with the Admin role.
- CVE-2018-11447HIGHCVSS 8.8EG 8.82018-06-26
A vulnerability has been identified in SCALANCE M875 (All versions). The web interface on port 443/tcp could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful ex…
- CVE-2018-11448MEDIUMCVSS 4.8EG 4.82018-06-26
A vulnerability has been identified in SCALANCE M875 (All versions). The web interface on port 443/tcp could allow a stored Cross-Site Scripting (XSS) attack if an unsuspecting user is tricked into accessing a malicious link. Successful ex…
Map vulnerabilities like CWE-352 to your infrastructure
EchelonGraph correlates every CVE — across CWE-352 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →