CWE-352— Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.— MITRE CWE catalog
8,840 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-352page 47 of 177
- CVE-2020-19682HIGHCVSS 8.8EG 8.82021-12-09
A Cross Site Request Forgery (CSRF) vulnerability exits in ZZZCMS V1.7.1 via the save_user funciton in save.php.
- CVE-2020-1977HIGHCVSS 7.5EG 7.52020-02-12
Insufficient Cross-Site Request Forgery (XSRF) protection on Expedition Migration Tool allows remote unauthenticated attackers to hijack the authentication of administrators and to perform actions on the Expedition Migration Tool. This iss…
- CVE-2020-19803HIGHCVSS 8.8EG 8.82023-04-11
Cross Site Request Forgery vulnerability found in Milken DoyoCMS v.2.3 allows a remote attacker to execute arbitrary code via the background system settings.
- CVE-2020-19886HIGHCVSS 8.1EG 8.12020-08-24
DBHcms v1.2.0 has no CSRF protection mechanism,as demonstrated by CSRF for an /index.php?dbhcms_pid=-80&deletemenu=9 can delete any menu.
- CVE-2020-19889HIGHCVSS 8.8EG 8.82020-08-24
DBHcms v1.2.0 has no CSRF protection mechanism,as demonstrated by CSRF for index.php?dbhcms_pid=-70 can add a user.
- CVE-2020-19951HIGHCVSS 8.8EG 8.82021-09-23
A cross-site request forgery (CSRF) in /controller/pay.class.php of YzmCMS v5.5 allows attackers to access sensitive components of the application.
- CVE-2020-19964MEDIUMCVSS 6.5EG 6.52021-10-14
A Cross Site Request Forgery (CSRF) vulnerability was discovered in PHPMyWind 5.6 which allows attackers to create a new administrator account without authentication.
- CVE-2020-20343MEDIUMCVSS 6.5EG 6.52021-09-01
WTCMS 1.0 contains a cross-site request forgery (CSRF) vulnerability in the index.php?g=admin&m=nav&a=add_post component that allows attackers to arbitrarily add articles in the administrator background.
- CVE-2020-20468MEDIUMCVSS 6.5EG 6.52021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to CSRF. Attackers can use the user_edit_password.php file to modify the user password.
- CVE-2020-20502MEDIUMCVSS 6.5EG 6.52023-06-20
Cross Site Request Forgery found in yzCMS v.2.0 allows a remote attacker to execute arbitrary code via the token check function.
- CVE-2020-20514HIGHCVSS 8.1EG 8.12021-09-24
A Cross-Site Request Forgery (CSRF) in Maccms v10 via admin.php/admin/admin/del/ids/<id>.html allows authenticated attackers to delete all users.
- CVE-2020-20586MEDIUMCVSS 4.5EG 4.52021-07-08
A cross site request forgery (CSRF) vulnerability in the /xyhai.php?s=/Auth/editUser URI of XYHCMS V3.6 allows attackers to edit any information of the administrator such as the name, e-mail, and password.
- CVE-2020-20593HIGHCVSS 8.0EG 8.02021-12-22
A cross-site request forgery (CSRF) in Rockoa v1.9.8 allows an authenticated attacker to arbitrarily add an administrator account.
- CVE-2020-20595MEDIUMCVSS 6.5EG 6.52021-12-22
A cross-site request forgery (CSRF) in OPMS v1.3 and below allows attackers to arbitrarily add a user account via /user/add.
- CVE-2020-20642HIGHCVSS 8.8EG 8.82021-08-19
Cross Site Request Forgery (CSRF) vulnerability exists in EyouCMS 1.3.6 that can add an htm page to execute the js code via login.php?m=admin&c=Filemanager&a=newfile&lang=cn.
- CVE-2020-20671HIGHCVSS 8.8EG 8.82021-09-13
A cross-site request forgery (CSRF) in KiteCMS V1.1 allows attackers to arbitrarily add an administrator account.
- CVE-2020-20693HIGHCVSS 8.8EG 8.82021-09-27
A Cross-Site Request Forgery (CSRF) in GilaCMS v1.11.4 allows authenticated attackers to arbitrarily add administrator accounts.
- CVE-2020-20726HIGHCVSS 8.8EG 8.82023-06-20
Cross Site Request Forgery vulnerability in Gila GilaCMS v.1.11.4 allows a remote attacker to execute arbitrary code via the cm/update_rows/user parameter.
- CVE-2020-2090HIGHCVSS 8.8EG 8.82020-01-15
A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another metho…
- CVE-2020-2093HIGHCVSS 8.8EG 8.82020-01-15
A cross-site request forgery vulnerability in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers to send an email with fixed content to an attacker-specified recipient.
- CVE-2020-20943MEDIUMCVSS 4.3EG 4.32021-12-27
A Cross-Site Request Forgery (CSRF) in /member/post.php?job=postnew&step=post of Qibosoft v7 allows attackers to force victim users into arbitrarily publishing new articles via a crafted URL.
- CVE-2020-20945HIGHCVSS 8.8EG 8.82021-12-27
A Cross-Site Request Forgery (CSRF) in /admin/index.php?lfj=member&action=editmember of Qibosoft v7 allows attackers to arbitrarily add administrator accounts.
- CVE-2020-20971HIGHCVSS 8.8EG 8.82022-06-02
Cross Site Request Forgery (CSRF) vulnerability in PbootCMS v2.0.3 via /admin.php?p=/User/index.
- CVE-2020-2098HIGHCVSS 8.8EG 8.82020-01-15
A cross-site request forgery vulnerability in Jenkins Sounds Plugin 0.5 and earlier allows attacker to execute arbitrary OS commands as the OS user account running Jenkins.
- CVE-2020-20989MEDIUMCVSS 4.3EG 4.32021-08-12
A cross-site request forgery (CSRF) in /admin/maintenance/ of Domainmod 4.13 allows attackers to arbitrarily delete logs.
- CVE-2020-21081MEDIUMCVSS 6.5EG 6.52021-09-14
A cross-site request forgery (CSRF) in Maccms 8.0 causes administrators to add and modify articles without their knowledge via clicking on a crafted URL.
- CVE-2020-21126HIGHCVSS 8.8EG 8.82021-09-15
MetInfo 7.0.0 contains a Cross-Site Request Forgery (CSRF) via admin/?n=admin&c=index&a=doSaveInfo.
- CVE-2020-21139MEDIUMCVSS 6.5EG 6.52021-11-04
EC Cloud E-Commerce System v1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add admin accounts via /admin.html?do=user&act=add.
- CVE-2020-21141HIGHCVSS 8.8EG 8.82021-11-12
iCMS v7.0.15 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admincp.php?app=members&do=add.
- CVE-2020-2116HIGHCVSS 8.8EG 8.82020-02-12
A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, c…
- CVE-2020-21236HIGHCVSS 8.8EG 8.82021-12-27
A vulnerability in /damicms-master/admin.php?s=/Article/doedit of DamiCMS v6.0 allows attackers to compromise and impersonate user accounts via obtaining a user's session cookie.
- CVE-2020-21252HIGHCVSS 8.8EG 8.82023-06-20
Cross Site Request Forgery vulnerability in Neeke HongCMS 3.0.0 allows a remote attacker to execute arbitrary code and escalate privileges via the updateusers parameter.
- CVE-2020-21321MEDIUMCVSS 4.3EG 4.32021-09-15
emlog v6.0 contains a Cross-Site Request Forgery (CSRF) via /admin/link.php?action=addlink, which allows attackers to arbitrarily add articles.
- CVE-2020-21358MEDIUMCVSS 6.5EG 6.52021-08-06
A cross site request forgery (CSRF) in Wage-CMS 1.5.x-dev allows attackers to arbitrarily add users.
- CVE-2020-21366HIGHCVSS 8.0EG 8.02023-06-20
Cross Site Request Forgery vulnerability in GreenCMS v.2.3 allows an attacker to gain privileges via the adduser function of index.php.
- CVE-2020-21386HIGHCVSS 8.8EG 8.82021-10-04
A Cross-Site Request Forgery (CSRF) in the component admin.php/admin/type/info.html of Maccms 10 allows attackers to gain administrator privileges.
- CVE-2020-2141MEDIUMCVSS 4.3EG 4.32020-03-09
A cross-site request forgery vulnerability in Jenkins P4 Plugin 1.10.10 and earlier allows attackers to trigger builds or add a labels in Perforce.
- CVE-2020-2147MEDIUMCVSS 4.3EG 4.32020-03-09
A cross-site request forgery vulnerability in Jenkins Mac Plugin 1.1.0 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
- CVE-2020-2160HIGHCVSS 8.8EG 8.82020-03-25
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.
- CVE-2020-21658MEDIUMCVSS 6.5EG 6.52021-10-06
A Cross-Site Request Forgery (CSRF) in WDJA CMS v1.5.2 allows attackers to arbitrarily add administrator accounts via a crafted URL.
- CVE-2020-2184MEDIUMCVSS 4.3EG 4.32020-05-06
A cross-site request forgery vulnerability in Jenkins CVS Plugin 2.15 and earlier allows attackers to create and manipulate tags, and to connect to an attacker-specified URL.
- CVE-2020-2186MEDIUMCVSS 4.3EG 4.32020-05-06
A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.50.1 and earlier allows attackers to provision instances.
- CVE-2020-21881MEDIUMCVSS 6.5EG 6.52023-07-31
Cross Site Request Forgery (CSRF) vulnerability in admin.php in DuxCMS 2.1 allows remote attackers to modtify application data via article/admin/content/add.
- CVE-2020-21884HIGHCVSS 8.8EG 8.82021-04-09
Unibox SMB 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain a cross-site request forgery (CSRF) vulnerability in /tools/network-trace, /list_users, /list_byod?usertype=raduser, /dhcp_leases, /go?rid=202 in which a …
- CVE-2020-2192MEDIUMCVSS 6.5EG 6.52020-06-03
A cross-site request forgery vulnerability in Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier allows attackers to add or remove agent labels.
- CVE-2020-2196HIGHCVSS 8.0EG 7.12020-06-03
Jenkins Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP endpoints, allowing attackers to perform all administrative actions provided by the plugin.
- CVE-2020-21989HIGHCVSS 8.8EG 8.82021-04-27
HomeAutomation 3.3.2 is affected by Cross Site Request Forgery (CSRF). The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited…
- CVE-2020-22000HIGHCVSS 8.0EG 8.02021-04-27
HomeAutomation 3.3.2 suffers from an authenticated OS command execution vulnerability using custom command v0.1 plugin. This can be exploited with a CSRF vulnerability to execute arbitrary shell commands as the web user via the 'set_comman…
- CVE-2020-2203MEDIUMCVSS 4.3EG 4.32020-07-02
A cross-site request forgery vulnerability in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs.
- CVE-2020-2215MEDIUMCVSS 4.3EG 4.32020-07-02
A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified username and password.
Map vulnerabilities like CWE-352 to your infrastructure
EchelonGraph correlates every CVE — across CWE-352 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →