CWE-352— Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.— MITRE CWE catalog
8,836 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-352page 37 of 177
- CVE-2019-12826HIGHCVSS 8.8EG 8.82019-07-01
A Cross-Site-Request-Forgery (CSRF) vulnerability in widget_logic.php in the 2by2host Widget Logic plugin before 5.10.2 for WordPress allows remote attackers to execute PHP code via snippets (that are attached to widgets and then eval'd to…
- CVE-2019-12836HIGHCVSS 8.8EG 8.82019-06-21
The Bobronix JEditor editor before 3.0.6 for Jira allows an attacker to add a URL/Link (to an existing issue) that can cause forgery of a request to an out-of-origin domain. This in turn may allow for a forged request that can be invoked i…
- CVE-2019-12851HIGHCVSS 8.8EG 8.82019-07-03
A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49852.
- CVE-2019-12922MEDIUMCVSS 6.5EG 6.52019-09-13
A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server in the Setup page.
- CVE-2019-12923MEDIUMCVSS 6.5EG 6.52019-07-08
In MailEnable Enterprise Premium 10.23, the potential cross-site request forgery (CSRF) protection mechanism was not implemented correctly and it was possible to bypass it by removing the anti-CSRF token parameter from the request. This co…
- CVE-2019-12934HIGHCVSS 8.8EG 8.82019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
- CVE-2019-13056HIGHCVSS 8.8EG 8.82019-07-02
An issue was discovered in CyberPanel through 1.8.4. On the user edit page, an attacker can edit the administrator's e-mail and password because of the lack of CSRF protection.
- CVE-2019-13071HIGHCVSS 8.8EG 8.82019-07-10
CSRF in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows an attacker to submit POST requests to any forms in the web application. This can be exploited by tricking an authenticated user into visiting an att…
- CVE-2019-13170MEDIUMCVSS 6.5EG 6.52020-03-13
Some Xerox printers (such as the Phaser 3320 V53.006.16.000) did not implement any mechanism to avoid CSRF attacks. Successful exploitation of this vulnerability can lead to the takeover of a local account on the device.
- CVE-2019-13183HIGHCVSS 8.8EG 8.82019-07-07
Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings.
- CVE-2019-13199MEDIUMCVSS 6.5EG 6.52020-03-13
Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) did not implement any mechanism to avoid CSRF. Successful exploitation of this vulnerability can lead to the takeover of a local account on the device.
- CVE-2019-13363CRITICALCVSS 9.6EG 9.62019-09-13
admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent	…
- CVE-2019-13364CRITICALCVSS 9.6EG 9.62019-09-13
admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF.
- CVE-2019-13370HIGHCVSS 8.8EG 8.82019-07-06
index.php/admin/permissions in Ignited CMS through 2017-02-19 allows CSRF to add an administrator.
- CVE-2019-13376MEDIUMCVSS 6.5EG 6.52019-09-27
phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS
- CVE-2019-13395HIGHCVSS 8.8EG 8.82020-03-13
The Voo branded NETGEAR CG3700b custom firmware V2.02.03 allows CSRF against all /goform/ URIs. An attacker can modify all settings including WEP/WPA/WPA2 keys, restore the router to factory settings, or even upload an entire malicious con…
- CVE-2019-13401HIGHCVSS 8.8EG 8.82019-07-08
Dynacolor FCM-MB40 v1.2.0.0 devices have CSRF in all scripts under cgi-bin/.
- CVE-2019-13477HIGHCVSS 8.8EG 8.82019-08-21
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account.
- CVE-2019-13497MEDIUMCVSS 6.5EG 6.52019-11-04
One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows CSRF for logout requests.
- CVE-2019-13516HIGHCVSS 8.8EG 8.82019-08-15
In OSIsoft PI Web API and prior, the affected product is vulnerable to a direct attack due to a cross-site request forgery protection setting that has not taken effect.
- CVE-2019-13529HIGHCVSS 8.8EG 8.82019-10-09
An attacker could send a malicious link to an authenticated operator, which may allow remote attackers to perform actions with the permissions of the user on the Sunny WebBox Firmware Version 1.6 and prior. This device uses IP addresses to…
- CVE-2019-13563HIGHCVSS 8.8EG 8.82019-07-11
D-Link DIR-655 C devices before 3.02B05 BETA03 allow CSRF for the entire management console.
- CVE-2019-13594HIGHCVSS 8.8EG 8.82019-07-14
In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server.
- CVE-2019-13611HIGHCVSS 8.8EG 8.82019-07-16
An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin h…
- CVE-2019-13920MEDIUMCVSS 4.3EG 4.32019-09-13
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). Some parts of the web application are not protected against Cross Site Request Forgery (CSRF) attacks. The security vulnerability could be explo…
- CVE-2019-13930HIGHCVSS 8.1EG 8.12019-12-12
A vulnerability has been identified in XHQ (All versions < V6.0.0.2). The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requ…
- CVE-2019-13949HIGHCVSS 8.8EG 8.82019-07-18
SyGuestBook A5 Version 1.2 has no CSRF protection mechanism, as demonstrated by CSRF for an index.php?c=Administrator&a=update admin password change.
- CVE-2019-13961HIGHCVSS 8.8EG 8.82019-07-18
A CSRF vulnerability was found in flatCore before 1.5, leading to the upload of arbitrary .php files via acp/core/files.upload-script.php.
- CVE-2019-13974HIGHCVSS 8.8EG 8.82019-07-19
LayerBB 1.1.3 allows conversations.php/cmd/new CSRF.
- CVE-2019-14216HIGHCVSS 8.8EG 8.82019-08-14
An issue was discovered in the svg-vector-icon-plugin (aka WP SVG Icons) plugin through 3.2.1 for WordPress. wp-admin/admin.php?page=wp-svg-icons-custom-set mishandles Custom Icon uploads. CSRF leads to upload of a ZIP archive containing a…
- CVE-2019-14228MEDIUMCVSS 6.1EG 6.12019-07-26
Xavier PHP Management Panel 3.0 is vulnerable to Reflected POST-based XSS via the username parameter when registering a new user at admin/includes/adminprocess.php. If there is an error when registering the user, the unsanitized username w…
- CVE-2019-14240HIGHCVSS 8.1EG 8.12019-07-23
WCMS v0.3.2 has a CSRF vulnerability, with resultant directory traversal, to modify index.html via the /wex/html.php?finish=../index.html URI.
- CVE-2019-14304HIGHCVSS 8.8EG 8.82020-01-10
Ricoh SP C250DN 1.06 devices allow CSRF.
- CVE-2019-14327MEDIUMCVSS 6.5EG 6.52019-07-30
A CSRF vulnerability in Settings form in the Custom Simple Rss plugin 2.0.6 for WordPress allows attackers to change the plugin settings.
- CVE-2019-14328HIGHCVSS 8.8EG 8.82019-07-28
The Simple Membership plugin before 3.8.5 for WordPress has CSRF affecting the Bulk Operation section.
- CVE-2019-14346HIGHCVSS 8.8EG 8.82019-08-06
Internal/Views/config.php in Schben Adive 2.0.7 allows admin/config CSRF to change a user password.
- CVE-2019-14481MEDIUMCVSS 5.4EG 5.42020-12-16
AdRem NetCrunch 10.6.0.4587 has a Cross-Site Request Forgery (CSRF) vulnerability in the NetCrunch web client. Successful exploitation requires a logged-in user to open a malicious page and leads to account takeover.
- CVE-2019-14526HIGHCVSS 8.1EG 8.12019-08-14
An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03. The web-interface Cross-Site Request Forgery token is stored in a dynamically generated JavaScript file, and therefore can be embedded in third party pages, …
- CVE-2019-14551CRITICALCVSS 9.8EG 9.82019-08-03
Das Q before 2019-08-02 allows web sites to execute arbitrary code on client machines, as demonstrated by a cross-origin /install request with an attacker-controlled releaseUrl, which triggers download and execution of code within a ZIP ar…
- CVE-2019-14679MEDIUMCVSS 6.5EG 6.52019-08-08
core/views/arprice_import_export.php in the ARPrice Lite plugin 2.2 for WordPress allows wp-admin/admin.php?page=arplite_import_export CSRF.
- CVE-2019-14680MEDIUMCVSS 5.7EG 5.72019-08-08
The admin-renamer-extended (aka Admin renamer extended) plugin 3.2.1 for WordPress allows wp-admin/plugins.php?page=admin-renamer-extended/admin.php CSRF.
- CVE-2019-14681HIGHCVSS 8.8EG 8.82019-08-08
The Deny All Firewall plugin before 1.1.7 for WordPress allows wp-admin/options-general.php?page=daf_settings&daf_remove=true CSRF.
- CVE-2019-14682MEDIUMCVSS 4.3EG 4.32019-08-08
The acf-better-search (aka ACF: Better Search) plugin before 3.3.1 for WordPress allows wp-admin/options-general.php?page=acfbs_admin_page CSRF.
- CVE-2019-14683MEDIUMCVSS 5.7EG 5.72019-08-08
The codection "Import users from CSV with meta" plugin before 1.14.2.2 for WordPress allows wp-admin/admin-ajax.php?action=acui_delete_attachment CSRF.
- CVE-2019-14703HIGHCVSS 8.8EG 8.82019-08-06
A CSRF issue was discovered in webparam?user&action=set¶m=add in HTTPD on MicroDigital N-series cameras with firmware through 6400.0.8.5 to create an admin account.
- CVE-2019-14836HIGHCVSS 8.8EG 8.82021-05-26
A vulnerability was found that the 3scale dev portal does not employ mechanisms for protection against login CSRF. An attacker could use this flaw to access unauthorized information or conduct further attacks.
- CVE-2019-14933HIGHCVSS 8.8EG 8.82019-08-11
Bagisto 0.1.5 allows CSRF under /admin URIs.
- CVE-2019-14998MEDIUMCVSS 6.5EG 6.52019-09-11
The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via "cookie tossing" a CSRF cookie from a subdomain of a Jira instance.
- CVE-2019-14999MEDIUMCVSS 4.3EG 4.32019-08-23
The Uninstall REST endpoint in Atlassian Universal Plugin Manager before version 2.22.19, from version 3.0.0 before version 3.0.3 and from version 4.0.0 before version 4.0.3 allows remote attackers to uninstall plugins using a Cross-Site R…
- CVE-2019-15002MEDIUMCVSS 4.3EG 4.32025-02-11
An exploitable CSRF vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. The login form doesn’t require a CSRF token. As a result, an attacker can log a user into the system under an unexpected account.
Map vulnerabilities like CWE-352 to your infrastructure
EchelonGraph correlates every CVE — across CWE-352 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →