CWE-352— Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.— MITRE CWE catalog
8,840 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-352page 46 of 177
- CVE-2020-15600MEDIUMCVSS 6.5EG 6.52020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
- CVE-2020-15660HIGHCVSS 8.8EG 8.82021-07-20
Missing checks on Content-Type headers in geckodriver before 0.27.0 could lead to a CSRF vulnerability, that might, when paired with a specifically prepared request, lead to remote code execution.
- CVE-2020-15695MEDIUMCVSS 6.3EG 6.32020-07-15
An issue was discovered in Joomla! through 3.9.19. A missing token check in the remove request section of com_privacy causes a CSRF vulnerability.
- CVE-2020-15700MEDIUMCVSS 6.3EG 6.32020-07-15
An issue was discovered in Joomla! through 3.9.19. A missing token check in the ajax_install endpoint of com_installer causes a CSRF vulnerability.
- CVE-2020-15711HIGHCVSS 8.8EG 8.82020-07-14
In MISP before 2.4.129, setting a favourite homepage was not CSRF protected.
- CVE-2020-15776HIGHCVSS 8.8EG 8.82020-09-18
An issue was discovered in Gradle Enterprise 2018.2 - 2020.2.4. The CSRF prevention token is stored in a request cookie that is not annotated as HttpOnly. An attacker with the ability to execute arbitrary code in a user's browser could imp…
- CVE-2020-15789HIGHCVSS 8.1EG 8.12020-09-09
A vulnerability has been identified in Polarion Subversion Webclient (All versions). The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful ex…
- CVE-2020-15882HIGHCVSS 8.1EG 8.12020-07-23
A CSRF issue in manager/delete_machine/{id} in MunkiReport before 5.6.3 allows attackers to delete arbitrary machines from the MunkiReport database.
- CVE-2020-16208HIGHCVSS 8.8EG 8.82020-09-01
The affected product is vulnerable to cross-site request forgery, which may allow an attacker to modify different configurations of a device by luring an authenticated user to click on a crafted link on the N-Tron 702-W / 702M12-W (all ver…
- CVE-2020-16252MEDIUMCVSS 4.3EG 4.32020-08-05
The Field Test gem 0.2.0 through 0.3.2 for Ruby allows CSRF.
- CVE-2020-16253HIGHCVSS 8.1EG 8.12020-08-05
The PgHero gem through 2.6.0 for Ruby allows CSRF.
- CVE-2020-16256HIGHCVSS 8.8EG 8.82020-10-28
The API on Winston 1.5.4 devices is vulnerable to CSRF.
- CVE-2020-16610MEDIUMCVSS 4.3EG 4.32020-08-28
Hoosk Codeigniter CMS before 1.7.2 is affected by a Cross Site Request Forgery (CSRF). When an attacker induces authenticated admin user to a malicious web page, any accounts can be deleted without admin user's intention.
- CVE-2020-1692HIGHCVSS 8.1EG 8.12020-02-17
Moodle before version 3.7.2 is vulnerable to information exposure of service tokens for users enrolled in the same course.
- CVE-2020-17901MEDIUMCVSS 6.5EG 6.52020-11-30
Cross-site request forgery (CSRF) in PbootCMS 1.3.2 allows attackers to change the password of a user.
- CVE-2020-18123MEDIUMCVSS 6.5EG 6.52021-08-30
A cross-site request forgery (CSRF) vulnerability in Indexhibit 2.1.5 allows attackers to arbitrarily delete admin accounts.
- CVE-2020-18124MEDIUMCVSS 5.7EG 5.72021-08-30
A cross-site request forgery (CSRF) vulnerability in Indexhibit 2.1.5 allows attackers to arbitrarily reset account passwords.
- CVE-2020-18129HIGHCVSS 8.8EG 8.82020-10-22
A CSRF vulnerability in Eyoucms v1.2.7 allows an attacker to add an admin account via login.php.
- CVE-2020-18131HIGHCVSS 8.8EG 8.82023-05-08
Cross Site Request Forgery (CSRF) vulnerability in Bluethrust Clan Scripts v4 allows attackers to escilate privledges to an arbitrary account via a crafted request to /members/console.php?cID=5.
- CVE-2020-18151MEDIUMCVSS 6.5EG 6.52021-07-14
Cross Site Request Forgery (CSRF) vulnerability in ThinkCMF v5.1.0, which can add an admin account.
- CVE-2020-18157HIGHCVSS 8.8EG 8.82021-07-30
Cross Site Request Forgery (CSRF) vulnerability in MetInfo 6.1.3 via a doaddsave action in admin/index.php.
- CVE-2020-18195HIGHCVSS 8.8EG 8.82021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admin.php?action=page."
- CVE-2020-18198HIGHCVSS 8.8EG 8.82021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images."
- CVE-2020-18264HIGHCVSS 8.8EG 8.82021-06-07
Cross Site Request Forgery (CSRF) in Simple-Log v1.6 allows remote attackers to gain privilege and execute arbitrary code via the component "Simple-Log/admin/admin.php?act=act_edit_member".
- CVE-2020-18265HIGHCVSS 8.8EG 8.82021-06-07
Cross Site Request Forgery (CSRF) in Simple-Log v1.6 allows remote attackers to gain privilege and execute arbitrary code via the component "Simple-Log/admin/admin.php?act=act_add_member".
- CVE-2020-18326HIGHCVSS 8.8EG 8.82022-03-04
Cross Site Request Forgery (CSRF) vulnerability exists in Intelliants Subrion CMS v4.2.1 via the Members administrator function, which could let a remote unauthenticated malicious user send an authorised request to victim and successfully …
- CVE-2020-18409MEDIUMCVSS 6.8EG 6.82023-06-27
Cross Site Request Forgery (CSRF) vulnerability was discovered in CatfishCMS 4.8.63 that would allow attackers to obtain administrator permissions via /index.php/admin/index/modifymanage.html.
- CVE-2020-18416MEDIUMCVSS 6.8EG 6.82023-06-27
An cross site request forgery (CSRF) vulnerability discovered in Jymusic v2.0.0.,that allows attackers to execute arbitrary code via /admin.php?s=/addons/config.html&id=6 to modify payment information.
- CVE-2020-18418HIGHCVSS 8.8EG 8.82023-06-27
A Cross site request forgery (CSRF) vulnerability was discovered in FeiFeiCMS v4.1.190209, which allows attackers to create administrator accounts via /index.php?s=Admin-Admin-Insert.
- CVE-2020-18454MEDIUMCVSS 6.8EG 6.82021-08-12
Cross Site Request Forgery (CSRF) vulnerability in bycms v1.3 via admin.php/systems/index/module_id/70/group_id/1.html.
- CVE-2020-18457MEDIUMCVSS 6.8EG 6.82021-08-12
Cross Site Request Forgery (CSRF) vulnerability exists in bycms v1.3.0 that can add an admin account via admin.php/ucenter/add.html.
- CVE-2020-18458HIGHCVSS 8.0EG 8.02021-08-12
Cross Site Request Forgery (CSRF) vulnerability exists in DamiCMS v6.0.6 that can add an admin account via admin.php?s=/Admin/doadd.
- CVE-2020-18460HIGHCVSS 8.8EG 8.82021-08-12
Cross Site Request Forgery (CSRF) vulnerability exists in 711cms v1.0.7 that can add an admin account via admin.php?c=Admin&m=content.
- CVE-2020-18463LOWCVSS 2.4EG 2.42021-08-12
Cross Site Request Forgery (CSRF) vulnerability exists in v2.0.0 in video_list.php, which can let a malicious user delete a video message.
- CVE-2020-18464LOWCVSS 3.5EG 3.52021-08-12
Cross Site Request Forgery (CSRF) vulnerability in AikCms 2.0.0 in video_list.php, which can let a malicious user delete movie information.
- CVE-2020-18648HIGHCVSS 8.8EG 8.82021-06-22
Cross Site Request Forgery (CSRF) in JuQingCMS v1.0 allows remote attackers to gain local privileges via the component "JuQingCMS_v1.0/admin/index.php?c=administrator&a=add".
- CVE-2020-18694HIGHCVSS 8.8EG 8.82021-08-06
Cross Site Request Forgery (CSRF) in IgnitedCMS v1.0 allows remote attackers to obtain sensitive information and gain privilege via the component "/admin/profile/save_profile".
- CVE-2020-18889MEDIUMCVSS 6.5EG 6.52021-05-06
Cross Site Request Forgery (CSRF) vulnerability in puppyCMS v5.1 that can change the admin's password via /admin/settings.php.
- CVE-2020-18917HIGHCVSS 8.8EG 8.82021-08-24
The plus/search.php component in DedeCMS 5.7 SP2 allows remote attackers to execute arbitrary PHP code via the typename parameter because the contents of typename.inc are under an attacker's control.
- CVE-2020-18964HIGHCVSS 8.8EG 8.82021-05-11
Cross Site Request Forgery (CSRF) Vulnerability in ForestBlog latest version via the website Management background, which could let a remote malicious gain privileges.
- CVE-2020-19047HIGHCVSS 8.8EG 8.82021-08-31
Cross Site Request Forgey (CSRF) in iWebShop v5.3 allows remote atatckers to execute arbitrary code via malicious POST request to the component '/index.php?controller=system&action=admin_edit_act'.
- CVE-2020-19159HIGHCVSS 8.8EG 8.82021-09-15
Cross Site Request Forgery (CSRF) in LaikeTui v3 allows remote attackers to execute arbitrary code via the component '/index.php?module=member&action=add'.
- CVE-2020-19199HIGHCVSS 8.8EG 8.82021-05-10
A Cross Site Request Forgery (CSRF) vulnerability exists in PHPOK 5.2.060 via admin.php?c=admin&f=save, which could let a remote malicious user execute arbitrary code.
- CVE-2020-19263HIGHCVSS 8.8EG 8.82021-09-09
A cross-site request forgery (CSRF) in MipCMS v5.0.1 allows attackers to arbitrarily escalate user privileges to administrator via index.php?s=/user/ApiAdminUser/itemEdit.
- CVE-2020-19264MEDIUMCVSS 6.5EG 6.52021-09-09
A cross-site request forgery (CSRF) in MipCMS v5.0.1 allows attackers to arbitrarily add users via index.php?s=/user/ApiAdminUser/itemAdd.
- CVE-2020-19268MEDIUMCVSS 5.7EG 5.72021-09-09
A cross-site request forgery (CSRF) in index.php/Dswjcms/User/tfAdd of Dswjcms 1.6.4 allows authenticated attackers to arbitrarily add administrator users.
- CVE-2020-19278HIGHCVSS 8.8EG 8.82023-04-04
Cross Site Request Forgery vulnerability found in Phachon mm-wiki v.0.1.2 allows a remote attacker to execute arbitrary code via the system/user/save parameter.
- CVE-2020-19280HIGHCVSS 8.8EG 8.82021-09-09
Jeesns 1.4.2 contains a cross-site request forgery (CSRF) which allows attackers to escalate privileges and perform sensitive program operations.
- CVE-2020-19639HIGHCVSS 8.8EG 8.82021-03-30
Cross Site Request Forgery (CSRF) vulnerability in INSMA Wifi Mini Spy 1080P HD Security IP Camera 1.9.7 B, via all fields to WebUI.
- CVE-2020-19669HIGHCVSS 8.8EG 8.82021-08-18
Cross Site Request Forgery (CSRF) vulnerability exists in Eyoucms 1.3.6 that can add an admin account via /login.php?m=admin&c=Admin&a=admin_add&lang=cn.
Map vulnerabilities like CWE-352 to your infrastructure
EchelonGraph correlates every CVE — across CWE-352 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →