CWE-352— Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.— MITRE CWE catalog
8,838 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-352page 43 of 177
- CVE-2019-7953MEDIUMCVSS 6.5EG 6.52019-07-18
Adobe Experience Manager version 6.4 and ealier have a Cross-Site Request Forgery vulnerability. Successful exploitation could lead to Sensitive Information disclosure in the context of the current user.
- CVE-2019-8109HIGHCVSS 8.0EG 8.02019-11-05
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft a malicious CSRF payload that can result in arbitrary command execution.
- CVE-2019-8155HIGHCVSS 7.5EG 7.52019-11-06
Magento prior to 1.9.4.3 and prior to 1.14.4.3 included a user's CSRF token in the URL of a GET request. This could be exploited by an attacker with access to network traffic to perform unauthorized actions.
- CVE-2019-8234MEDIUMCVSS 6.5EG 6.52019-10-25
Adobe Experience Manager versions 6.4, 6.3 and 6.2 have a cross-site request forgery vulnerability. Successful exploitation could lead to sensitive information disclosure.
- CVE-2019-8347HIGHCVSS 8.8EG 8.82019-02-15
BEESCMS 4.0 has a CSRF vulnerability to add arbitrary VIP accounts via the admin/admin_member.php?action=add&nav=add_web_user&admin_p_nav=user URI.
- CVE-2019-8437HIGHCVSS 8.8EG 8.82019-03-07
njiandan-cms through 2013-05-23 has index.php/admin/user_new CSRF to add an administrator.
- CVE-2019-8447MEDIUMCVSS 4.3EG 4.32019-08-23
The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery (CSRF) vulnerability.
- CVE-2019-8902MEDIUMCVSS 5.7EG 5.72019-02-18
An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vulnerability can delete users' articles via the public/api.php?app=user URI.
- CVE-2019-8910HIGHCVSS 8.8EG 8.82019-02-18
An issue was discovered in WTCMS 1.0. It allows index.php?g=admin&m=setting&a=site_post CSRF.
- CVE-2019-8991HIGHCVSS 8.8EG 8.82019-04-24
The administrator web interface of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Gr…
- CVE-2019-9040HIGHCVSS 8.8EG 8.82019-02-23
S-CMS PHP v3.0 has a CSRF vulnerability to add a new admin user via the admin/ajax.php?type=admin&action=add URI, a related issue to CVE-2018-19332.
- CVE-2019-9048MEDIUMCVSS 6.5EG 6.52019-02-23
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete a theme (aka topic) via a /admin.php?action=theme_delete&var1= URI.
- CVE-2019-9049MEDIUMCVSS 6.5EG 6.52019-02-23
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete modules via a /admin.php?action=module_delete&var1= URI.
- CVE-2019-9051MEDIUMCVSS 6.5EG 6.52019-02-23
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete articles via a /admin.php?action=deletepage&var1= URI.
- CVE-2019-9052MEDIUMCVSS 6.5EG 6.52019-02-23
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete pictures via a /admin.php?action=deleteimage&var1= URI.
- CVE-2019-9062HIGHCVSS 8.0EG 8.02019-02-23
PHP Scripts Mall Online Food Ordering Script 1.0 has Cross-Site Request Forgery (CSRF) in my-account.php.
- CVE-2019-9102HIGHCVSS 8.8EG 8.82020-03-11
An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. A predictable mechanism of generating tokens allows remote attacker…
- CVE-2019-9176MEDIUMCVSS 6.5EG 6.52019-04-17
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows CSRF.
- CVE-2019-9182HIGHCVSS 8.8EG 8.82019-02-26
There is a CSRF in ZZZCMS zzzphp V1.6.1 via a /admin015/save.php?act=editfile request. It allows PHP code injection by providing a filename in the file parameter, and providing file content in the filetext parameter.
- CVE-2019-9231HIGHCVSS 8.8EG 8.82019-07-18
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions before 7.20A.202.307. A Cross-Site Request Forgery (CSRF) vulnerability in the management web interface allows remot…
- CVE-2019-9549HIGHCVSS 8.8EG 8.82019-03-03
An issue was discovered in PopojiCMS v2.0.1. It has CSRF via the po-admin/route.php?mod=user&act=addnew URI, as demonstrated by adding a level=1 account, a similar issue to CVE-2018-18935.
- CVE-2019-9596MEDIUMCVSS 6.5EG 6.52019-10-23
Darktrace Enterprise Immune System before 3.1 allows CSRF via the /whitelisteddomains endpoint.
- CVE-2019-9597MEDIUMCVSS 6.5EG 6.52019-10-23
Darktrace Enterprise Immune System before 3.1 allows CSRF via the /config endpoint.
- CVE-2019-9598MEDIUMCVSS 6.5EG 6.52019-03-07
An issue was discovered in Cscms 4.1.0. There is an admin.php/pay CSRF vulnerability that can change the payment account to redirect funds.
- CVE-2019-9603MEDIUMCVSS 6.5EG 6.52019-03-06
MiniCMS 1.10 allows mc-admin/post.php?state=publish&delete= CSRF to delete articles, a different vulnerability than CVE-2018-18891.
- CVE-2019-9604HIGHCVSS 8.8EG 8.82019-03-29
PHP Scripts Mall Online Lottery PHP Readymade Script 1.7.0 has Cross-Site Request Forgery (CSRF) for Edit Profile actions.
- CVE-2019-9625HIGHCVSS 8.8EG 8.82019-03-07
JBMC DirectAdmin 1.55 allows CSRF via the /CMD_ACCOUNT_ADMIN URI to create a new admin account.
- CVE-2019-9652HIGHCVSS 8.8EG 8.82019-03-11
There is a CSRF in SDCMS V1.7 via an m=admin&c=theme&a=edit request. It allows PHP code injection by providing a filename in the file parameter, and providing file content in the t2 parameter.
- CVE-2019-9688HIGHCVSS 8.8EG 8.82019-03-11
sftnow through 2018-12-29 allows index.php?g=Admin&m=User&a=add_post CSRF to add an admin account.
- CVE-2019-9769HIGHCVSS 8.8EG 8.82019-03-14
PilusCart 1.4.1 is vulnerable to index.php?module=users&action=newUser CSRF, leading to the addition of a new user as administrator.
- CVE-2019-9787HIGHCVSS 8.8EG 8.82019-03-14
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimizatio…
- CVE-2019-9882HIGHCVSS 8.8EG 8.82019-06-03
Multi modules of MailSherlock MSR35 and MSR45 lead to a CSRF vulnerability. It allows attacker to add malicious email sources into whitelist via user/save_list.php?ACSION=&type=email&category=white&locate=big5&cmd=add&new=hacker@socialengi…
- CVE-2019-9883HIGHCVSS 8.8EG 8.82019-06-03
Multi modules of MailSherlock MSR35 and MSR45 lead to a CSRF vulnerability. It allows attacker to elevate privilege of specific account via useradmin/cf_new.cgi?chief=&wk_group=full&cf_name=test&cf_account=test&cf_email=&cf_acl=Management&…
- CVE-2019-9926HIGHCVSS 8.8EG 8.82019-10-29
An issue was discovered in LabKey Server 19.1.0. It is possible to force a logged-in administrator to execute code through a /reports-viewScriptReport.view CSRF vulnerability.
- CVE-2019-9958HIGHCVSS 8.8EG 8.82019-06-24
CSRF within the admin panel in Quadbase EspressReport ES (ERES) v7.0 update 7 allows remote attackers to escalate privileges, or create new admin accounts by crafting a malicious web page that issues specific requests, using a target admin…
- CVE-2020-10057HIGHCVSS 8.8EG 8.82020-03-04
GeniXCMS 1.1.7 is vulnerable to user privilege escalation due to broken access control. This issue exists because of an incomplete fix for CVE-2015-2680, in which "token" is used as a CSRF protection mechanism, but without validation that …
- CVE-2020-10095HIGHCVSS 8.1EG 8.12025-02-19
Various Lexmark devices have CSRF that allows an attacker to modify the configuration of the device.
- CVE-2020-10181CRITICALCVSS 9.8EG 9.8⚠ KEV2020-03-11
goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3.0.4.27 allows creation of arbitrary users with elevated privileges (administrator) on a device, as demonstrated by a setString=new_user<*1*>administrator<*1*>123456 request.
- CVE-2020-10229HIGHCVSS 8.8EG 8.82020-09-14
A CSRF issue in vtecrm vtenext 19 CE allows attackers to carry out unwanted actions on an administrator's behalf, such as uploading files, adding users, and deleting accounts.
- CVE-2020-10241HIGHCVSS 8.8EG 8.82020-03-16
An issue was discovered in Joomla! before 3.9.16. Missing token checks in the image actions of com_templates lead to CSRF.
- CVE-2020-10478HIGHCVSS 8.8EG 8.82020-03-12
CSRF in admin/manage-settings.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to change the global settings, potentially gaining code execution or causing a denial of service, via a crafted request.
- CVE-2020-10479MEDIUMCVSS 4.3EG 4.32020-03-12
CSRF in admin/add-news.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to add a new news article via a crafted request.
- CVE-2020-10480MEDIUMCVSS 4.3EG 4.32020-03-12
CSRF in admin/add-category.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to add a new category via a crafted request.
- CVE-2020-10481MEDIUMCVSS 4.3EG 4.32020-03-12
CSRF in admin/add-glossary.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to add a new glossary term via a crafted request.
- CVE-2020-10482MEDIUMCVSS 4.3EG 4.32020-03-12
CSRF in admin/add-template.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to add a new article template via a crafted request.
- CVE-2020-10483MEDIUMCVSS 4.3EG 4.32020-03-12
CSRF in admin/ajax-hub.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to post a comment on any article via a crafted request.
- CVE-2020-10484MEDIUMCVSS 4.3EG 4.32020-03-12
CSRF in admin/add-field.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to create a custom field via a crafted request.
- CVE-2020-10485MEDIUMCVSS 4.3EG 4.32020-03-12
CSRF in admin/manage-articles.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to delete an article via a crafted request.
- CVE-2020-10486MEDIUMCVSS 4.3EG 4.32020-03-12
CSRF in admin/manage-comments.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to delete a comment via a crafted request.
- CVE-2020-10487MEDIUMCVSS 4.3EG 4.32020-03-12
CSRF in admin/manage-glossary.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to delete a glossary term via a crafted request.
Map vulnerabilities like CWE-352 to your infrastructure
EchelonGraph correlates every CVE — across CWE-352 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →