CWE-352— Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.— MITRE CWE catalog
8,836 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-352page 36 of 177
- CVE-2019-10464HIGHCVSS 8.8EG 8.82019-10-23
A cross-site request forgery vulnerability in Jenkins Deploy WebLogic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified…
- CVE-2019-10468HIGHCVSS 8.8EG 8.82019-10-23
A cross-site request forgery vulnerability in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing c…
- CVE-2019-10471HIGHCVSS 8.8EG 8.82019-10-23
A cross-site request forgery vulnerability in Jenkins Libvirt Slaves Plugin allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials sto…
- CVE-2019-10642HIGHCVSS 8.8EG 8.82019-04-17
Contao 4.7 allows CSRF.
- CVE-2019-10644HIGHCVSS 8.8EG 8.82019-03-30
An issue was discovered in HYBBS 2.2. /?admin/user.html has a CSRF vulnerability that can add an administrator account.
- CVE-2019-10655CRITICALCVSS 9.8EG 9.82019-03-30
Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3275 before 1.0.3.219 Beta, and GXV3240 before 1.0.3.219 Beta devices allow unauthenticated remote code execution via shell metacharacters in a /manager?action=getlogcat …
- CVE-2019-10673HIGHCVSS 8.8EG 8.82019-04-03
A CSRF vulnerability in a logged-in user's profile edit form in the Ultimate Member plugin before 2.0.40 for WordPress allows attackers to become admin and subsequently extract sensitive information and execute arbitrary code. This occurs …
- CVE-2019-10784CRITICALCVSS 9.6EG 9.62020-02-04
phppgadmin through 7.12.1 allows sensitive actions to be performed without validating that the request originated from the application. One such area, "database.php" does not verify the source of an HTTP request. This can be leveraged by a…
- CVE-2019-10847HIGHCVSS 8.8EG 8.82019-05-24
Computrols CBAS 18.0.0 allows Cross-Site Request Forgery.
- CVE-2019-10874HIGHCVSS 8.8EG 8.82019-04-05
Cross Site Request Forgery (CSRF) in the bolt/upload File Upload feature in Bolt CMS 3.6.6 allows remote attackers to execute arbitrary code by uploading a JavaScript file to include executable extensions in the file/edit/config/config.yml…
- CVE-2019-10888HIGHCVSS 8.8EG 8.82019-04-05
A CSRF Issue that can add an admin user was discovered in UKcms v1.1.10 via admin.php/admin/role/add.html.
- CVE-2019-11077HIGHCVSS 8.8EG 8.82019-04-11
FastAdmin V1.0.0.20190111_beta has a CSRF vulnerability to add a new admin user via the admin/auth/admin/add?dialog=1 URI.
- CVE-2019-11078HIGHCVSS 8.8EG 8.82019-04-11
MKCMS V5.0 has a CSRF vulnerability to add a new admin user via the ucenter/userinfo.php URI.
- CVE-2019-11193MEDIUMCVSS 6.1EG 8.82019-04-30
The FileManager in InfinitumIT DirectAdmin through v1.561 has XSS via CMD_FILE_MANAGER, CMD_SHOW_USER, and CMD_SHOW_RESELLER; an attacker can bypass the CSRF protection with this, and take over the administration panel.
- CVE-2019-11203MEDIUMCVSS 6.1EG 6.12019-04-24
The workspace client, openspace client, app development client, and REST API of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM…
- CVE-2019-11207HIGHCVSS 8.8EG 8.82019-08-13
The web server component of TIBCO Software Inc.'s TIBCO LogLogic Enterprise Virtual Appliance, and TIBCO LogLogic Log Management Intelligence contains multiple vulnerabilities that theoretically allow persistent and reflected cross-site sc…
- CVE-2019-11374HIGHCVSS 8.8EG 8.82019-04-20
74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
- CVE-2019-11375MEDIUMCVSS 6.5EG 6.52019-04-20
Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.
- CVE-2019-11416HIGHCVSS 8.8EG 8.82019-04-22
A CSRF issue was discovered on Intelbras IWR 3000N 1.5.0 devices, leading to complete control of the router, as demonstrated by v1/system/user.
- CVE-2019-11456HIGHCVSS 8.8EG 8.82019-04-22
Gila CMS 1.10.1 allows fm/save CSRF for executing arbitrary PHP code.
- CVE-2019-11457HIGHCVSS 8.8EG 8.82019-08-27
Multiple CSRF issues exist in MicroPyramid Django CRM 0.2.1 via /change-password-by-admin/, /api/settings/add/, /cases/create/, /change-password-by-admin/, /comment/add/, /documents/1/view/, /documents/create/, /opportunities/create/, and …
- CVE-2019-11517MEDIUMCVSS 6.5EG 6.52019-06-10
WampServer before 3.1.9 has CSRF in add_vhost.php because the synchronizer pattern implemented as remediation of CVE-2018-8817 was incomplete. An attacker could add/delete any vhosts without the consent of the owner.
- CVE-2019-11557HIGHCVSS 8.8EG 8.82019-04-26
The WebDorado Contact Form Builder plugin before 1.0.69 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the…
- CVE-2019-11569HIGHCVSS 8.8EG 8.82019-05-06
Veeam ONE Reporter 9.5.0.3201 allows CSRF.
- CVE-2019-11586MEDIUMCVSS 4.3EG 4.32019-08-23
The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) v…
- CVE-2019-11587MEDIUMCVSS 6.5EG 6.52019-08-23
Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request…
- CVE-2019-11588MEDIUMCVSS 4.3EG 4.32019-08-23
The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site …
- CVE-2019-11590HIGHCVSS 8.8EG 8.82019-04-29
The 10Web Form Maker plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['actio…
- CVE-2019-11591HIGHCVSS 8.8EG 8.82019-04-29
The WebDorado Contact Form plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST[…
- CVE-2019-11617HIGHCVSS 8.8EG 8.82019-04-30
doorGets 7.0 has a CSRF vulnerability in /doorgets/app/requests/user/configurationRequest.php. A remote attacker can exploit this vulnerability for "Google Analytics code" modification.
- CVE-2019-11657HIGHCVSS 8.8EG 8.82019-12-17
Cross-Site Request Forgery vulnerability in all Micro Focus ArcSight Logger affecting all product versions below version 7.0. The vulnerability could be exploited to perform CSRF attack.
- CVE-2019-11712HIGHCVSS 8.8EG 8.82019-07-23
POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firef…
- CVE-2019-11886HIGHCVSS 8.8EG 8.82019-05-13
The WaspThemes Visual CSS Style Editor (aka yellow-pencil-visual-theme-customizer) plugin before 7.2.1 for WordPress allows yp_option_update CSRF, as demonstrated by use of yp_remote_get to obtain admin access.
- CVE-2019-12095HIGHCVSS 8.8EG 8.82019-10-24
Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: treanBookmarkTags could, for example, b…
- CVE-2019-12239HIGHCVSS 7.2EG 7.22019-05-20
The WP Booking System plugin 1.5.1 for WordPress has no CSRF protection, which allows attackers to reach certain SQL injection issues that require administrative access.
- CVE-2019-12246MEDIUMCVSS 4.3EG 4.32020-02-19
SilverStripe through 4.3.3 allows a Denial of Service on flush and development URL tools.
- CVE-2019-12253MEDIUMCVSS 6.5EG 6.52019-05-21
my little forum before 2.4.20 allows CSRF to delete posts, as demonstrated by mode=posting&delete_posting.
- CVE-2019-12273MEDIUMCVSS 6.5EG 6.52019-12-31
OutSystems Platform 10 through 11 allows ImageResourceDetail.aspx CSRF for content modifications and file uploads. NOTE: The product is self-hosted by the customer, even though it has a *.outsystemsenterprise.com domain name.) NOTE: The ve…
- CVE-2019-12361MEDIUMCVSS 6.1EG 6.12019-05-27
EmpireCMS 7.5.0 has XSS via the from parameter to e/member/doaction.php, as demonstrated by a CSRF payload that changes the dynamic page template. The attacker can choose to resend the e/template/member/regsend.php registered activation ma…
- CVE-2019-12363HIGHCVSS 8.8EG 8.82019-07-11
An CSRF issue was discovered in the JN-Jones MyBB-2FA plugin through 2014-11-05 for MyBB. An attacker can forge a request to an installed mybb2fa plugin to control its state via usercp.php?action=mybb2fa&do=deactivate (or usercp.php?action…
- CVE-2019-12437HIGHCVSS 8.8EG 8.82020-02-19
In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations,
- CVE-2019-12466HIGHCVSS 8.8EG 8.82019-07-10
Wikimedia MediaWiki through 1.32.1 allows CSRF.
- CVE-2019-12502HIGHCVSS 8.8EG 8.82019-05-31
There is a lack of CSRF countermeasures on MOBOTIX S14 MX-V4.2.1.61 cameras, as demonstrated by adding an admin account via the /admin/access URI.
- CVE-2019-1259HIGHCVSS 8.8EG 8.82019-09-11
A spoofing vulnerability exists in Microsoft SharePoint when it improperly handles requests to authorize applications, resulting in cross-site request forgery (CSRF).To exploit this vulnerability, an attacker would need to create a page sp…
- CVE-2019-1261HIGHCVSS 8.8EG 8.82019-09-11
A spoofing vulnerability exists in Microsoft SharePoint when it improperly handles requests to authorize applications, resulting in cross-site request forgery (CSRF).To exploit this vulnerability, an attacker would need to create a page sp…
- CVE-2019-12616MEDIUMCVSS 6.5EG 6.52019-06-05
An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at …
- CVE-2019-12624HIGHCVSS 8.8EG 8.82019-08-21
A vulnerability in the web-based management interface of Cisco IOS XE New Generation Wireless Controller (NGWC) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary act…
- CVE-2019-12636HIGHCVSS 8.8EG 8.82019-10-16
A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulne…
- CVE-2019-12769HIGHCVSS 8.8EG 8.82020-03-18
SolarWinds Serv-U Managed File Transfer (MFT) Web client before 15.1.6 Hotfix 2 is vulnerable to Cross-Site Request Forgery in the file upload functionality via ?Command=Upload with the Dir and File parameters.
- CVE-2019-12784HIGHCVSS 8.8EG 8.82020-07-14
An issue was discovered in Verint Impact 360 15.1. At wfo/control/signin, the login form can accept submissions from external websites. In conjunction with CVE-2019-12783, this can be used by attackers to "crowdsource" bruteforce login att…
Map vulnerabilities like CWE-352 to your infrastructure
EchelonGraph correlates every CVE — across CWE-352 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →