CWE-352— Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.— MITRE CWE catalog
8,836 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-352page 28 of 177
- CVE-2018-13793HIGHCVSS 8.8EG 8.82018-07-09
Multiple Cross Site Request Forgery (CSRF) vulnerabilities in the HTTP API in ABBYY FlexiCapture before 12 Release 1 Update 7 exist in Web Verification, Web Scanning, Web Capture, Monitoring and Administration, and Login.
- CVE-2018-13800HIGHCVSS 7.3EG 7.32018-10-10
A vulnerability has been identified in SIMATIC S7-1200 CPU family version 4 (All versions < V4.2.3). The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious lin…
- CVE-2018-13810MEDIUMCVSS 6.5EG 6.52019-04-17
A vulnerability has been identified in CP 1604 (All versions), CP 1616 (All versions). The integrated configuration web server of the affected CP devices could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tri…
- CVE-2018-13989HIGHCVSS 8.8EG 8.82018-07-11
Grundig Smart Inter@ctive TV 3.0 devices allow CSRF attacks via a POST request to TCP port 8085 containing a predictable ID value, as demonstrated by a /sendrcpackage?keyid=-2544&keysymbol=-4081 request to shut off the device.
- CVE-2018-13993HIGHCVSS 8.8EG 8.82019-05-07
The WebUI of PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, 48xx versions 1.0 to 1.34 is prone to CSRF.
- CVE-2018-14014HIGHCVSS 8.8EG 8.82018-07-12
In waimai Super Cms 20150505, there is a CSRF vulnerability that can add an admin account via admin.php?m=Member&a=adminadd.
- CVE-2018-14029HIGHCVSS 8.8EG 8.82018-07-13
CSRF vulnerability in admin/user/edit in Creatiwity wityCMS 0.6.2 allows an attacker to take over a user account, as demonstrated by modifying the account's email field.
- CVE-2018-14057HIGHCVSS 8.8EG 8.82018-08-17
Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function.
- CVE-2018-14068HIGHCVSS 8.8EG 8.82018-07-15
An issue was discovered in SRCMS V2.3.1. There is a CSRF vulnerability that can add an admin account via admin.php?m=Admin&c=manager&a=add.
- CVE-2018-14069HIGHCVSS 8.8EG 8.82018-07-15
An issue was discovered in SRCMS V2.3.1. There is a CSRF vulnerability that can add a user account via admin.php?m=Admin&c=member&a=add.
- CVE-2018-1432MEDIUMCVSS 6.1EG 6.12018-06-05
IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnerable to cross-frame scripting which is a vulnerability that allows an attacker to load Information Server components inside an HTML iframe tag on a malicious page. The at…
- CVE-2018-14331HIGHCVSS 8.8EG 8.82018-07-17
An issue was discovered in XiaoCms X1 v20140305. There is a CSRF vulnerability to change the administrator account password via admin/index.php?c=index&a=my.
- CVE-2018-1434HIGHCVSS 8.8EG 8.82018-05-17
IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ( 6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) are vulnerable to cross-site request forgery w…
- CVE-2018-1442MEDIUMCVSS 4.3EG 8.82018-03-08
IBM Application Performance Management - Response Time Monitoring Agent (IBM Monitoring 8.1.4) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user …
- CVE-2018-14420HIGHCVSS 8.8EG 8.82018-07-20
MetInfo 6.0.0 allows a CSRF attack to add a user account via a doaddsave action to admin/index.php, as demonstrated by an admin/index.php?anyid=47&n=admin&c=admin_admin&a=doaddsave URI.
- CVE-2018-14421HIGHCVSS 8.8EG 8.82018-07-20
SeaCMS v6.61 allows Remote Code execution by placing PHP code in a movie picture address (aka v_pic) to /admin/admin_video.php (aka /backend/admin_video.php). The code is executed by visiting /details/index.php. This can also be exploi…
- CVE-2018-14519MEDIUMCVSS 4.3EG 4.32022-08-24
An issue was discovered in Kirby 2.5.12. The delete page functionality suffers from a CSRF flaw. A remote attacker can craft a malicious CSRF page and force the user to delete a page.
- CVE-2018-1455MEDIUMCVSS 4.3EG 8.82018-08-15
IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM …
- CVE-2018-14575HIGHCVSS 8.8EG 8.82019-03-21
Trash Bin plugin 1.1.3 for MyBB has cross-site scripting (XSS) via a thread subject and a cross-site request forgery (CSRF) via a post subject.
- CVE-2018-14582HIGHCVSS 8.8EG 8.82018-07-24
index.php?r=admini/admin/create in BageCMS V3.1.3 allows CSRF to add a background administrator account.
- CVE-2018-14583HIGHCVSS 8.8EG 8.82018-07-24
xyhai.php?s=/Auth/addUser in XYHCMS 3.5 allows CSRF to add a background administrator account.
- CVE-2018-14603HIGHCVSS 8.8EG 8.82018-07-27
An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. CSRF can occur in the Test feature of the System Hooks component.
- CVE-2018-14668HIGHCVSS 8.8EG 8.82019-08-15
In ClickHouse before 1.1.54388, "remote" table function allowed arbitrary symbols in "user", "password" and "default_database" fields which led to Cross Protocol Request Forgery Attacks.
- CVE-2018-14711MEDIUMCVSS 6.5EG 6.52019-05-13
Missing cross-site request forgery protection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to cause state-changing actions with specially crafted URLs.
- CVE-2018-14769HIGHCVSS 8.8EG 8.82018-09-05
VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow CSRF.
- CVE-2018-14783HIGHCVSS 8.8EG 8.82018-08-10
NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. A cross-site request forgery condition can occur, allowing an attacker to change passwords of the device remotely.
- CVE-2018-1479HIGHCVSS 8.8EG 8.82018-04-27
IBM BigFix Platform 9.2 and 9.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 140761.
- CVE-2018-14892HIGHCVSS 8.8EG 8.82018-11-27
Missing protections against Cross-Site Request Forgery in the web application in ZyXEL NSA325 V2 version 4.81 allow attackers to perform state-changing actions via crafted HTTP forms.
- CVE-2018-14908HIGHCVSS 8.8EG 8.82018-08-03
Samsung Syncthru Web Service V4.05.61 is vulnerable to CSRF on every request, as demonstrated by sws.application/printinformation/printReportSetupView.sws for a "Print emails sent" action.
- CVE-2018-14910HIGHCVSS 8.8EG 8.82018-08-03
SeaCMS v6.61 allows Remote Code execution by placing PHP code in an allowed IP address (aka ip) to /admin/admin_ip.php (aka /adm1n/admin_ip.php). The code is executed by visiting adm1n/admin_ip.php or data/admin/ip.php. This can also be ex…
- CVE-2018-14926HIGHCVSS 8.8EG 8.82018-08-03
Matera Banco 1.0.0 allows CSRF, as demonstrated by a /contingency/web/messageSend/messageSendHandler.jsp request.
- CVE-2018-14930HIGHCVSS 8.8EG 8.82019-04-30
An issue was discovered in the Armor module in Polaris FT Intellect Core Banking 9.7.1. CSRF can occur via a /CollatWebApp/gcmsRefInsert?name=SUPP URI.
- CVE-2018-14958HIGHCVSS 8.8EG 8.82018-08-05
An issue was discovered in WeaselCMS v0.3.5. CSRF can update the website settings (such as the theme, title, and description) via index.php.
- CVE-2018-14959HIGHCVSS 8.8EG 8.82018-08-05
An issue was discovered in WeaselCMS v0.3.5. CSRF can create new pages via an index.php?b=pages&a=new URI.
- CVE-2018-14960HIGHCVSS 8.8EG 8.82018-08-06
Xiao5uCompany 1.7 has CSRF via admin/Admin.asp.
- CVE-2018-14963HIGHCVSS 8.8EG 8.82018-08-06
zzcms 8.3 has CSRF via the admin/adminadd.php?action=add URI.
- CVE-2018-14965HIGHCVSS 8.8EG 8.82018-08-06
An issue was discovered in EMLsoft 5.4.5. The eml/upload/eml/?action=address&do=add page allows CSRF.
- CVE-2018-14966HIGHCVSS 8.8EG 8.82018-08-06
An issue was discovered in EMLsoft 5.4.5. The eml/upload/eml/?action=user&do=add page allows CSRF.
- CVE-2018-14978HIGHCVSS 8.8EG 8.82018-08-06
An issue was discovered in QCMS 3.0.1. CSRF exists via the backend/user/admin/add.html URI.
- CVE-2018-15121HIGHCVSS 8.8EG 8.82018-08-29
An issue was discovered in Auth0 auth0-aspnet and auth0-aspnet-owin. Affected packages do not use or validate the state parameter of the OAuth 2.0 and OpenID Connect protocols. This leaves applications vulnerable to CSRF attacks during aut…
- CVE-2018-1514MEDIUMCVSS 4.3EG 8.82018-06-07
IBM Robotic Process Automation with Automation Anywhere 10.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-For…
- CVE-2018-15177HIGHCVSS 8.8EG 8.82018-08-08
In Gxlcms 2.0, a news/index.php?s=Admin-Admin-Insert CSRF attack can add an administrator account.
- CVE-2018-15186HIGHCVSS 8.8EG 8.82018-08-10
PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has CSRF via client/auditor/updprofile.php.
- CVE-2018-15187HIGHCVSS 8.0EG 8.02018-08-10
PHP Scripts Mall advanced-real-estate-script 4.0.9 has CSRF via edit-profile.php.
- CVE-2018-15193HIGHCVSS 8.8EG 8.82018-08-08
A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows remote attackers to execute admin operations via a crafted issue / link.
- CVE-2018-15197HIGHCVSS 8.8EG 8.82018-08-08
An issue was discovered in OneThink v1.1. There is a CSRF vulnerability in admin.php?s=/AuthManager/addToGroup.html that can endow administrator privileges.
- CVE-2018-15198HIGHCVSS 8.8EG 8.82018-08-08
An issue was discovered in OneThink v1.1. There is a CSRF vulnerability in admin.php?s=/User/add.html that can add a user.
- CVE-2018-15202MEDIUMCVSS 6.3EG 6.32018-08-08
An issue was discovered in Juunan06 eCommerce through 2018-08-05. There is a CSRF vulnerability in ee/eBoutique/app/template/includes/crudTreatment.php that can add new users and add products.
- CVE-2018-15203MEDIUMCVSS 6.5EG 6.52018-08-08
An issue was discovered in Ignited CMS through 2017-02-19. ign/index.php/admin/pages/add_page allows a CSRF attack to add pages.
- CVE-2018-15206HIGHCVSS 8.8EG 8.82019-04-30
BPC SmartVista 2 has CSRF via SVFE2/pages/admpages/roles/createrole.jsf.
Map vulnerabilities like CWE-352 to your infrastructure
EchelonGraph correlates every CVE — across CWE-352 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →