CWE-352— Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.— MITRE CWE catalog
8,836 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-352page 32 of 177
- CVE-2018-20582HIGHCVSS 8.8EG 8.82019-10-11
The GREE+ (aka com.gree.greeplus) application 1.4.0.8 for Android suffers from Cross Site Request Forgery.
- CVE-2018-20595HIGHCVSS 8.8EG 8.82018-12-30
A CSRF issue was discovered in web/authorization/oauth2/controller/OAuth2ClientController.java in hsweb 3.0.4 because the state parameter in the request is not compared with the state parameter in the session after user authentication is s…
- CVE-2018-20598HIGHCVSS 8.8EG 8.82018-12-30
UCMS 1.4.7 has ?do=user_addpost CSRF.
- CVE-2018-20603HIGHCVSS 8.8EG 8.82018-12-30
Lei Feng TV CMS (aka LFCMS) 3.8.6 allows admin.php?s=/Member/add.html CSRF.
- CVE-2018-20612HIGHCVSS 8.8EG 8.82018-12-30
UWA 2.3.11 allows index.php?g=admin&c=admin&a=add_admin_do CSRF.
- CVE-2018-20613HIGHCVSS 8.8EG 8.82018-12-30
TEMMOKU T1.09 Beta allows admin/user/add CSRF.
- CVE-2018-20633HIGHCVSS 8.8EG 8.82019-03-21
PHP Scripts Mall Advance B2B Script 2.1.4 has Cross-Site Request Forgery (CSRF) via the Edit Profile feature.
- CVE-2018-20641HIGHCVSS 8.8EG 8.82019-03-21
PHP Scripts Mall Entrepreneur Job Portal Script 3.0.1 has Cross-Site Request Forgery (CSRF) via the Edit Profile feature.
- CVE-2018-20644HIGHCVSS 8.8EG 8.82019-03-21
PHP Scripts Mall Basic B2B Script 2.0.9 has Cross-Site Request Forgery (CSRF) via the Edit profile feature.
- CVE-2018-20648HIGHCVSS 8.8EG 8.82019-03-21
PHP Scripts Mall Car Rental Script 2.0.8 has Cross-Site Request Forgery (CSRF) via accountedit.php.
- CVE-2018-20728HIGHCVSS 8.8EG 8.82019-01-17
A cross site request forgery (CSRF) vulnerability in NeDi before 1.7Cp3 allows remote attackers to escalate privileges via User-Management.php.
- CVE-2018-20780HIGHCVSS 8.8EG 8.82019-02-11
Traq 3.7.1 allows admin/users/new CSRF to create an admin account (aka group_id=1).
- CVE-2018-20816MEDIUMCVSS 6.1EG 6.12019-04-05
An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the "add dashboard pages" feature where users can r…
- CVE-2018-20848HIGHCVSS 8.8EG 8.82019-06-30
Advisto PEEL SHOPPING 9.0.0 has CSRF via en/achat/caddie_ajout.php and en/achat/caddie_affichage.php, as demonstrated by an XSS payload in the couleurId[0] parameter to the latter.
- CVE-2018-20872MEDIUMCVSS 6.5EG 6.52019-07-31
DrayTek routers before 2018-05-23 allow CSRF attacks to change DNS or DHCP settings, a related issue to CVE-2017-11649.
- CVE-2018-20964HIGHCVSS 8.8EG 8.82019-08-13
The contact-form-to-email plugin before 1.2.66 for WordPress has CSRF.
- CVE-2018-20967HIGHCVSS 8.8EG 8.82019-08-14
The wp-ultimate-csv-importer plugin before 5.6.1 for WordPress has CSRF.
- CVE-2018-20968HIGHCVSS 8.8EG 8.82019-08-14
The wp-ultimate-exporter plugin before 1.4.2 for WordPress has CSRF.
- CVE-2018-20971HIGHCVSS 8.8EG 8.82019-08-16
The church-admin plugin before 1.2550 for WordPress has CSRF affecting the upload of a bible reading plan.
- CVE-2018-20972HIGHCVSS 8.8EG 8.82019-08-16
The companion-auto-update plugin before 3.2.1 for WordPress has CSRF.
- CVE-2018-20974HIGHCVSS 8.8EG 8.82019-08-16
The js-jobs plugin before 1.0.7 for WordPress has CSRF.
- CVE-2018-21002HIGHCVSS 8.8EG 8.82019-08-27
The js-support-ticket plugin before 2.0.6 for WordPress has CSRF.
- CVE-2018-21006HIGHCVSS 8.8EG 8.82019-08-27
The bbp-move-topics plugin before 1.1.6 for WordPress has CSRF.
- CVE-2018-21037HIGHCVSS 8.8EG 8.82020-03-17
Subrion CMS 4.1.5 (and possibly earlier versions) allow CSRF to change the administrator password via the panel/members/edit/1 URI.
- CVE-2018-21096HIGHCVSS 7.4EG 7.42020-04-27
Certain NETGEAR devices are affected by CSRF. This affects WAC120 before 2.1.7, WAC505 before 5.0.5.4, WAC510 before 5.0.5.4, WNAP320 before 3.7.11.4, WNAP210v2 before 3.7.11.4, WNDAP350 before 3.7.11.4, WNDAP360 before 3.7.11.4, WNDAP660 …
- CVE-2018-21102HIGHCVSS 8.8EG 8.82020-04-23
NETGEAR ReadyNAS devices before 6.9.3 are affected by CSRF.
- CVE-2018-21120HIGHCVSS 8.0EG 8.02020-04-22
Certain NETGEAR devices are affected by CSRF. This affects WAC120 before 2.1.7, WAC505 before 5.0.5.4, WAC510 before 5.0.5.4, WNAP320 before 3.7.11.4, WNAP210v2 before 3.7.11.4, WNDAP350 before 3.7.11.4, WNDAP360 before 3.7.11.4, WNDAP660 …
- CVE-2018-21160HIGHCVSS 8.8EG 8.82020-04-23
NETGEAR ReadyNAS devices before 6.9.3 are affected by CSRF.
- CVE-2018-2442HIGHCVSS 8.8EG 8.82018-08-14
In SAP BusinessObjects Business Intelligence, versions 4.0, 4.1 and 4.2, while viewing a Web Intelligence report from BI Launchpad, the user session details captured by an HTTP analysis tool could be reused in a HTML page while the user se…
- CVE-2018-2474MEDIUMCVSS 6.5EG 6.52018-10-09
SAP Fiori 1.0 for SAP ERP HCM (Approve Leave Request, version 2) application allows an attacker to trick an authenticated user to send unintended request to the web server. This vulnerability is due to insufficient CSRF protection.
- CVE-2018-25096MEDIUMCVSS 4.3EG 4.32023-12-30
A vulnerability was found in MdAlAmin-aol Own Health Record 0.1-alpha/0.2-alpha/0.3-alpha/0.3.1-alpha. It has been rated as problematic. This issue affects some unknown processing of the file includes/logout.php. The manipulation leads to …
- CVE-2018-25127MEDIUMCVSS 5.3EG 5.32025-12-24
SOCA Access Control System 180612 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that submit forged req…
- CVE-2018-25133MEDIUMCVSS 4.3EG 4.32025-12-24
Synaccess netBooter NP-0801DU 7.4 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages with hidden form submi…
- CVE-2018-25149MEDIUMCVSS 6.5EG 4.32025-12-24
Microhard Systems IPn4G 1.1.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change admin passwords, add new user…
- CVE-2018-25150MEDIUMCVSS 5.3EG 5.32025-12-24
Ecessa ShieldLink SL175EHQ 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a hidden form to add a…
- CVE-2018-25151MEDIUMCVSS 4.3EG 4.32025-12-24
Ecessa WANWorx WVR-30 versions before 10.7.4 contain a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft a malicious web page with a hidden form…
- CVE-2018-25152MEDIUMCVSS 5.3EG 5.32025-12-24
Ecessa Edge EV150 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a form that submits requests to…
- CVE-2018-25155MEDIUMCVSS 4.3EG 5.32025-12-24
Teradek Slice 7.3.15 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft a malicious web page that automatically submits passwo…
- CVE-2018-25156MEDIUMCVSS 4.3EG 5.32025-12-24
Teradek Cube 7.3.6 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft a malicious web page with a hidden form to submit passwo…
- CVE-2018-25170HIGHCVSS 8.2EG 8.22026-03-06
DoceboLMS 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id, idC, and idU parameters. Attackers can send GET requests to the lesson.php end…
- CVE-2018-25174MEDIUMCVSS 5.3EG 5.32026-03-06
ABC ERP 0.6.4 contains a cross-site request forgery vulnerability that allows attackers to modify administrator credentials by submitting forged requests to _configurar_perfil.php. Attackers can craft malicious forms or links containing pa…
- CVE-2018-25176HIGHCVSS 8.2EG 8.22026-03-06
Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. Attackers can also upload arbit…
- CVE-2018-25177MEDIUMCVSS 5.3EG 5.32026-03-06
Data Center Audit 2.6.2 contains a cross-site request forgery vulnerability that allows attackers to reset administrator passwords without authentication by submitting crafted POST requests. Attackers can send requests to dca_resetpw.php w…
- CVE-2018-25298MEDIUMCVSS 5.3EG 5.32026-04-29
Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Attackers can submit POST requests to /servlet/a…
- CVE-2018-25310MEDIUMCVSS 4.3EG 4.32026-04-29
VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting a cross-site request forgery flaw in the web m…
- CVE-2018-25321MEDIUMCVSS 4.3EG 4.32026-05-17
TP-Link TL-WR720N wireless router contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious web requests. Attackers can modify port forwarding rules via V…
- CVE-2018-25327MEDIUMCVSS 5.3EG 5.32026-05-17
Joomla! Component Js Jobs 1.2.0 contains a cross-site request forgery vulnerability that allows attackers to perform state-changing actions without token validation. Attackers can craft malicious HTML forms targeting administrative endpoin…
- CVE-2018-25334MEDIUMCVSS 5.4EG 5.42026-05-17
Zechat 1.5 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to change a user's information by bypassing anti-CSRF protections. The application uses a CSRF token, but an attacker can use the hashtag paramet…
- CVE-2018-25336MEDIUMCVSS 5.3EG 5.32026-05-17
jCart for OpenCart 2.3.0.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information without authentication. Attackers can craft malicious HTML forms targeting endpoints , and to change us…
- CVE-2018-25337MEDIUMCVSS 4.3EG 4.32026-05-17
Joomla JoomOCShop 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML forms targeting account endpoints like /jo…
Map vulnerabilities like CWE-352 to your infrastructure
EchelonGraph correlates every CVE — across CWE-352 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →