CWE-352— Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.— MITRE CWE catalog
8,836 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-352page 35 of 177
- CVE-2019-1003022MEDIUMCVSS 6.5EG 6.52019-02-06
A denial of service vulnerability exists in Jenkins Monitoring Plugin 1.74.0 and earlier in PluginImpl.java that allows attackers to kill threads running on the Jenkins master.
- CVE-2019-1003044HIGHCVSS 7.1EG 7.12019-03-28
A cross-site request forgery vulnerability in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing c…
- CVE-2019-1003046MEDIUMCVSS 6.5EG 6.52019-03-28
A cross-site request forgery vulnerability in Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier allows attackers to initiate a connection to an attacker-specified server.
- CVE-2019-1003058MEDIUMCVSS 6.5EG 6.52019-04-04
A cross-site request forgery vulnerability in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers to initiate a connection to an attacker-specified server.
- CVE-2019-1003076MEDIUMCVSS 6.5EG 6.52019-04-04
A cross-site request forgery vulnerability in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
- CVE-2019-1003078MEDIUMCVSS 6.5EG 6.52019-04-04
A cross-site request forgery vulnerability in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
- CVE-2019-1003080MEDIUMCVSS 6.5EG 6.52019-04-04
A cross-site request forgery vulnerability in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers to initiate a connection to an attacker-specified ser…
- CVE-2019-1003082MEDIUMCVSS 6.5EG 6.52019-04-04
A cross-site request forgery vulnerability in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
- CVE-2019-1003084MEDIUMCVSS 6.5EG 6.52019-04-04
A cross-site request forgery vulnerability in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
- CVE-2019-1003086MEDIUMCVSS 6.5EG 6.52019-04-04
A cross-site request forgery vulnerability in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
- CVE-2019-1003090MEDIUMCVSS 6.5EG 6.52019-04-04
A cross-site request forgery vulnerability in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.
- CVE-2019-1003092MEDIUMCVSS 6.5EG 6.52019-04-04
A cross-site request forgery vulnerability in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
- CVE-2019-1003098MEDIUMCVSS 6.5EG 6.52019-04-04
A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.
- CVE-2019-10057MEDIUMCVSS 6.5EG 6.52019-08-28
Various Lexmark products have CSRF.
- CVE-2019-1010054HIGHCVSS 8.8EG 8.82019-07-18
Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malitious html to change user password, disable users and disable password encryptation. The component is: Function User password change, user disable a…
- CVE-2019-1010094HIGHCVSS 8.8EG 8.82019-07-18
domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can change admin password. The component is: http://127.0.0.1/settings/password/ http://127.0.0.1/admin/users/add.php ht…
- CVE-2019-1010095HIGHCVSS 8.8EG 8.82019-07-18
DomainMOD v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can add the administrator account. The component is: admin/users/add.php. The attack vector is: After the administrator …
- CVE-2019-1010096HIGHCVSS 8.8EG 8.82019-07-18
DomainMOD v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can change the read-only user to admin. The component is: admin/users/edit.php?uid=2. The attack vector is: After the ad…
- CVE-2019-1010112HIGHCVSS 8.8EG 8.82019-07-18
OECMS v4.3.R60321 and v4.3 later is affected by: Cross Site Request Forgery (CSRF). The impact is: The victim clicks on adding an administrator account. The component is: admincp.php. The attack vector is: network connectivity. The fixed v…
- CVE-2019-10176MEDIUMCVSS 4.2EG 5.42019-08-02
A flaw was found in OpenShift Container Platform, versions 3.11 and later, in which the CSRF tokens used in the cluster console component were found to remain static during a user's session. An attacker with the ability to observe the valu…
- CVE-2019-10186HIGHCVSS 8.8EG 8.82019-07-31
A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool.
- CVE-2019-10199HIGHCVSS 8.8EG 8.82019-08-14
It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted dom…
- CVE-2019-10237HIGHCVSS 8.8EG 8.82019-03-27
S-CMS PHP v1.0 has a CSRF vulnerability to add a new admin user via the 4.edu.php/admin/ajax.php?type=admin&action=add&lang=0 URI, a related issue to CVE-2019-9040.
- CVE-2019-10253MEDIUMCVSS 6.5EG 6.52019-09-09
A Cross-Site Request Forgery (CSRF) vulnerability exists in TeamMate+ 21.0.0.0 that allows a remote attacker to modify application data (upload malicious/forged files on a TeamMate server, or replace existing uploaded files with malicious/…
- CVE-2019-10278MEDIUMCVSS 6.5EG 6.52019-04-04
A cross-site request forgery vulnerability in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.
- CVE-2019-10289MEDIUMCVSS 6.5EG 6.52019-04-04
A cross-site request forgery vulnerability in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers to initiate a connection to an attacker-specified…
- CVE-2019-10292MEDIUMCVSS 6.5EG 6.52019-04-04
A cross-site request forgery vulnerability in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers to initiate a connection to an attacker-specified server.
- CVE-2019-10300HIGHCVSS 8.0EG 8.02019-04-18
A cross-site request forgery vulnerability in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers to connect to an attacker-specified URL using attacker-specified…
- CVE-2019-10304MEDIUMCVSS 6.5EG 6.52019-04-18
A cross-site request forgery vulnerability in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers to initiate a connection to an attacker-specified server.
- CVE-2019-10307MEDIUMCVSS 6.5EG 6.52019-04-30
A cross-site request forgery vulnerability in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers to change the per-job default graph configuration for…
- CVE-2019-10310HIGHCVSS 8.8EG 8.82019-04-30
A cross-site request forgery vulnerability in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers permission to connect to an at…
- CVE-2019-10315HIGHCVSS 8.8EG 8.82019-04-30
Jenkins GitHub Authentication Plugin 0.31 and earlier did not use the state parameter of OAuth to prevent CSRF.
- CVE-2019-10321MEDIUMCVSS 4.3EG 6.52019-05-31
A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ArtifactoryBuilder.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-…
- CVE-2019-10324MEDIUMCVSS 6.5EG 6.52019-05-31
A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ReleaseAction#doSubmit, GradleReleaseApiAction#doStaging, MavenReleaseApiAction#doStaging, and UnifiedPromoteBuildAction#doSubmit allowed attacke…
- CVE-2019-10326MEDIUMCVSS 4.3EG 4.32019-05-31
A cross-site request forgery vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attackers to reset warning counts for future builds.
- CVE-2019-10331MEDIUMCVSS 4.3EG 4.32019-06-11
A cross-site request forgery vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.
- CVE-2019-10338HIGHCVSS 8.8EG 8.82019-06-11
A cross-site request forgery vulnerability in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed attackers to have Jenkins connect to an attacker-specified Kubernetes server, potentially le…
- CVE-2019-10340HIGHCVSS 8.8EG 8.82019-07-11
A cross-site request forgery vulnerability in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified cred…
- CVE-2019-10353HIGHCVSS 7.5EG 7.52019-07-17
CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.
- CVE-2019-10359MEDIUMCVSS 6.3EG 6.32019-07-31
A cross-site request forgery vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier in the M2ReleaseAction#doSubmit method allowed attackers to perform releases with attacker-specified options.
- CVE-2019-10368HIGHCVSS 8.8EG 8.82019-08-07
A cross-site request forgery vulnerability in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to…
- CVE-2019-10384HIGHCVSS 8.8EG 8.82019-08-28
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
- CVE-2019-10386HIGHCVSS 8.8EG 8.82019-08-07
A cross-site request forgery vulnerability in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specifi…
- CVE-2019-10388MEDIUMCVSS 4.3EG 4.32019-08-07
A cross-site request forgery vulnerability in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server.
- CVE-2019-10408MEDIUMCVSS 4.3EG 4.32019-09-25
A cross-site request forgery vulnerability in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers to trigger project generation from templates.
- CVE-2019-10437HIGHCVSS 8.8EG 8.82019-10-16
A cross-site request forgery vulnerability in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,…
- CVE-2019-10441MEDIUMCVSS 4.3EG 4.32019-10-16
A cross-site request forgery vulnerability in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.
- CVE-2019-10454MEDIUMCVSS 4.3EG 4.32019-10-16
A cross-site request forgery vulnerability in Jenkins Rundeck Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
- CVE-2019-10456MEDIUMCVSS 4.3EG 4.32019-10-16
A cross-site request forgery vulnerability in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
- CVE-2019-10462HIGHCVSS 8.1EG 8.12019-10-23
A cross-site request forgery vulnerability in Jenkins Dynatrace Application Monitoring Plugin 2.1.3 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.
Map vulnerabilities like CWE-352 to your infrastructure
EchelonGraph correlates every CVE — across CWE-352 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →