CWE-352— Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.— MITRE CWE catalog
8,838 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-352page 40 of 177
- CVE-2019-18884HIGHCVSS 8.8EG 8.82019-11-13
index.php/team_members/add_team_member in RISE Ultimate Project Manager 2.3 has CSRF for adding authorized users.
- CVE-2019-19013HIGHCVSS 8.8EG 8.82019-11-22
A CSRF vulnerability in Pagekit 1.0.17 allows an attacker to upload an arbitrary file by removing the CSRF token from a request.
- CVE-2019-19025HIGHCVSS 8.8EG 8.82020-03-20
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform.
- CVE-2019-1904HIGHCVSS 8.8EG 8.82019-06-21
A vulnerability in the web-based UI (web UI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSR…
- CVE-2019-19109HIGHCVSS 8.8EG 8.82020-06-15
The wpForo plugin 1.6.5 for WordPress allows wp-admin/admin.php?page=wpforo-usergroups CSRF.
- CVE-2019-1915MEDIUMCVSS 6.5EG 6.52019-10-02
A vulnerability in the web-based interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition (SME), Cisco Unified Communications Manager IM and Presence (Unified CM IM&P) Service, …
- CVE-2019-19289HIGHCVSS 8.8EG 8.82020-12-14
A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link.
- CVE-2019-19375MEDIUMCVSS 5.3EG 5.32019-11-28
In Octopus Deploy before 2019.10.7, in a configuration where SSL offloading is enabled, the CSRF cookie was sometimes sent without the secure attribute. (The fix for this was backported to LTS versions 2019.6.14 and 2019.9.8.)
- CVE-2019-19469HIGHCVSS 8.8EG 8.82019-12-01
In Zmanda Management Console 3.3.9, ZMC_Admin_Advanced?form=adminTasks&action=Apply&command= allows CSRF, as demonstrated by command injection with shell metacharacters. This may depend on weak default credentials.
- CVE-2019-19516MEDIUMCVSS 6.5EG 6.52019-12-02
Intelbras WRN 150 1.0.18 devices allow CSRF via GO=system_password.asp to the goform/SysToolChangePwd URI to change a password.
- CVE-2019-19517HIGHCVSS 8.8EG 8.82020-05-05
Intelbras RF1200 1.1.3 devices allow CSRF to bypass the login.html form, as demonstrated by launching a scrapy process.
- CVE-2019-1958HIGHCVSS 8.8EG 8.82019-08-08
A vulnerability in the web-based management interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insu…
- CVE-2019-19659HIGHCVSS 8.8EG 8.82020-02-10
A CSRF vulnerability exists in the Web File Manager's Edit Accounts functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can take over a user account by changing the password, update users' details, and escalate privil…
- CVE-2019-19660MEDIUMCVSS 6.5EG 6.52020-02-10
A CSRF vulnerability exists in the Web File Manager's Network Setting functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can manipulate the SMTP setting and other network settings via RAPR/NetworkSettingsSet.html.
- CVE-2019-19662MEDIUMCVSS 6.5EG 6.52020-02-10
A CSRF vulnerability exists in the Web File Manager's Create/Delete Accounts functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can Create and Delete accounts via RAPR/TriggerServerFunction.html.
- CVE-2019-19663MEDIUMCVSS 6.5EG 6.52020-02-10
A CSRF vulnerability exists in the Folder Sets Settings of Web File Manager in Rumpus FTP 8.2.9.1. This allows an attacker to Create/Delete Folders after exploiting it at RAPR/FolderSetsSet.html.
- CVE-2019-19664HIGHCVSS 7.1EG 7.12020-02-10
A CSRF vulnerability exists in the Web Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server Web settings at RAPR/WebSettingsGeneralSet.html.
- CVE-2019-19665MEDIUMCVSS 6.5EG 6.52020-02-10
A CSRF vulnerability exists in the FTP Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server FTP settings at RAPR/FTPSettingsSet.html.
- CVE-2019-19666MEDIUMCVSS 4.3EG 4.32020-02-10
A CSRF vulnerability exists in the Event Notices Settings of Web File Manager in Rumpus FTP 8.2.9.1. An attacker can create/update event notices via RAPR/EventNoticesSet.html.
- CVE-2019-19667MEDIUMCVSS 5.4EG 5.42020-02-10
A CSRF vulnerability exists in the Block Clients component of Web File Manager in Rumpus FTP 8.2.9.1 that could allow an attacker to whitelist or block any IP address via RAPR/BlockedClients.html.
- CVE-2019-19668MEDIUMCVSS 4.3EG 4.32020-02-10
A CSRF vulnerability exists in the File Types component of Web File Manager in Rumpus FTP 8.2.9.1 that allows an attacker to add or delete the file types that are used on the server via RAPR/TriggerServerFunction.html.
- CVE-2019-19669MEDIUMCVSS 6.5EG 6.52020-02-10
A CSRF vulnerability exists in the Upload Center Forms Component of Web File Manager in Rumpus FTP 8.2.9.1. This could allow an attacker to delete, create, and update the upload forms via RAPR/TriggerServerFunction.html.
- CVE-2019-19685HIGHCVSS 8.8EG 8.82019-12-09
RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF because GET requests can be used for renames and deletions.
- CVE-2019-19737HIGHCVSS 8.8EG 8.82019-12-30
MFScripts YetiShare 3.5.2 through 4.5.3 does not set the SameSite flag on session cookies, allowing the cookie to be sent in cross-site requests and potentially be used in cross-site request forgery attacks.
- CVE-2019-19832HIGHCVSS 8.8EG 8.82019-12-18
Xerox AltaLink C8035 printers allow CSRF. A request to add users is made in the Device User Database form field to the xerox.set URI. (The frmUserName value must have a unique name.)
- CVE-2019-19833MEDIUMCVSS 6.5EG 6.52019-12-18
In Tautulli 2.1.9, CSRF in the /shutdown URI allows an attacker to shut down the remote media server. (Also, anonymous access can be achieved in applications that do not have a user login area).
- CVE-2019-19854HIGHCVSS 8.8EG 8.82020-01-15
An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. It does not use CSRF Tokens to mitigate against CSRF; it uses the Origin header (which must match the request origin). This is problematic in conj…
- CVE-2019-19915CRITICALCVSS 9.0EG 9.02019-12-19
The "301 Redirects - Easy Redirect Manager" plugin before 2.45 for WordPress allows users (with subscriber or greater access) to modify, delete, or inject redirect rules, and exploit XSS, with the /admin-ajax.php?action=eps_redirect_save a…
- CVE-2019-19979HIGHCVSS 8.8EG 8.82019-12-26
A flaw in the WordPress plugin, WP Maintenance before 5.0.6, allowed attackers to enable a vulnerable site's maintenance mode and inject malicious code affecting site visitors. There was CSRF with resultant XSS.
- CVE-2019-19981MEDIUMCVSS 5.4EG 5.42019-12-26
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed for CSRF to be exploited on all plugin settings.
- CVE-2019-19987MEDIUMCVSS 6.5EG 6.52020-02-26
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. It allows Cross-Site Request Forgery (CSRF) on any HTML form. An attacker can exploit the vulnerability to abuse functionalities such as change password, a…
- CVE-2019-19995HIGHCVSS 8.8EG 8.82019-12-26
A CSRF issue was discovered on Intelbras IWR 3000N 1.8.7 devices, leading to complete control of the router, as demonstrated by v1/system/user.
- CVE-2019-20059HIGHCVSS 8.8EG 8.82020-02-10
payment_manage.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.4 directly insert values from the sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the que…
- CVE-2019-20071MEDIUMCVSS 6.5EG 6.52019-12-30
On Netis DL4323 devices, CSRF exists via form2logaction.cgi to delete all logs.
- CVE-2019-20077MEDIUMCVSS 4.3EG 4.32020-01-05
The Typesetter CMS 5.1 logout functionality is affected by a CSRF vulnerability. The logout function of the admin panel is not protected by any CSRF tokens. An attacker can logout the user using this vulnerability.
- CVE-2019-20098MEDIUMCVSS 4.3EG 4.32020-02-12
The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into maki…
- CVE-2019-20099MEDIUMCVSS 4.3EG 4.32020-02-12
The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into makin…
- CVE-2019-20100MEDIUMCVSS 4.7EG 4.72020-02-12
The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2…
- CVE-2019-20178MEDIUMCVSS 6.5EG 6.52020-01-09
Advisto PEEL Shopping 9.2.1 has CSRF via administrer/utilisateurs.php to delete a user.
- CVE-2019-20390HIGHCVSS 8.1EG 8.12020-05-15
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion CMS 4.2.1 that allows a remote attacker to remove files on the server without a victim's knowledge, by enticing an authenticated user to visit an attacker's web pa…
- CVE-2019-20401MEDIUMCVSS 6.5EG 6.52020-02-06
Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery (CSRF) vulnerabilities.
- CVE-2019-20405MEDIUMCVSS 4.3EG 4.32020-02-06
The JMX monitoring flag in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to turn the JMX monitoring flag off or on via a Cross-site request forgery (CSRF) vulnerability.
- CVE-2019-20411MEDIUMCVSS 4.3EG 4.32020-06-29
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 b…
- CVE-2019-20415MEDIUMCVSS 4.3EG 4.32020-06-30
Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from ve…
- CVE-2019-20460HIGHCVSS 8.8EG 8.82024-11-07
An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. POST requests don't require (anti-)CSRF tokens or other mechanisms for validating that the request is from a legitimate source. In addition, CSRF attacks can be u…
- CVE-2019-20480HIGHCVSS 8.8EG 8.82020-02-24
In MIELE XGW 3000 ZigBee Gateway before 2.4.0, a malicious website visited by an authenticated admin user or a malicious mail is allowed to make arbitrary changes in the "admin panel" because there is no CSRF protection.
- CVE-2019-20487HIGHCVSS 8.8EG 8.82020-03-02
An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multiple actions within the WNR1000V4 web management console are vulnerable to an unauthenticated GET request (exploitable directly or through CSRF), as demonstrated by the set…
- CVE-2019-20691HIGHCVSS 8.8EG 8.82020-04-16
Certain NETGEAR devices are affected by CSRF. This affects D3600 before 1.0.0.72, D6000 before 1.0.0.72, EX3700 before 1.0.0.70, EX3800 before 1.0.0.70, EX6000 before 1.0.0.30, EX6100 before 1.0.2.24, EX6120 before 1.0.0.40, EX6130 before …
- CVE-2019-20804HIGHCVSS 8.8EG 8.82020-05-21
Gila CMS before 1.11.6 allows CSRF with resultant XSS via the admin/themes URI, leading to compromise of the admin account.
- CVE-2019-20841HIGHCVSS 8.8EG 8.82020-06-19
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. CSRF can sometimes occur via a crafted web site for account takeover attacks.
Map vulnerabilities like CWE-352 to your infrastructure
EchelonGraph correlates every CVE — across CWE-352 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →