CWE-352— Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.— MITRE CWE catalog
8,840 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-352page 49 of 177
- CVE-2020-24982MEDIUMCVSS 4.3EG 4.32021-03-15
An issue was discovered in Quadbase ExpressDashboard (EDAB) 7 Update 9. It allows CSRF. An attacker may be able to trick an authenticated user into changing the email address associated with their account.
- CVE-2020-24983HIGHCVSS 8.8EG 8.82021-03-11
An issue was discovered in Quadbase EspressReports ES 7 Update 9. An unauthenticated attacker can create a malicious HTML file that houses a POST request made to the DashboardBuilder within the target web application. This request will uti…
- CVE-2020-24984HIGHCVSS 8.8EG 8.82021-03-11
An issue was discovered in Quadbase EspressReports ES 7 Update 9. It allows CSRF, whereby an attacker may be able to trick an authenticated admin level user into uploading malicious files to the web server.
- CVE-2020-25015MEDIUMCVSS 6.5EG 6.52020-09-16
A specific router allows changing the Wi-Fi password remotely. Genexis Platinum 4410 V2-1.28, a compact router generally used at homes and offices was found to be vulnerable to Broken Access Control and CSRF which could be combined to remo…
- CVE-2020-25070HIGHCVSS 8.8EG 8.82020-09-01
USVN (aka User-friendly SVN) before 1.0.10 allows CSRF, related to the lack of the SameSite Strict feature.
- CVE-2020-25095HIGHCVSS 8.8EG 8.82020-12-17
LogRhythm Platform Manager (PM) 7.4.9 allows CSRF. The Web interface is vulnerable to Cross-site WebSocket Hijacking (CSWH). If a logged-in PM user visits a malicious site in the same browser session, that site can perform a CSRF attack to…
- CVE-2020-25142MEDIUMCVSS 6.5EG 6.52020-09-25
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable if any links and forms lack an unpredictable CSRF token. Without such a token, attackers can forge malicious requests, such as for addin…
- CVE-2020-25252HIGHCVSS 8.8EG 8.82020-09-11
An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. CSRF can be used to log in a user, and then perform actions, because there …
- CVE-2020-25262MEDIUMCVSS 4.3EG 4.32020-10-08
PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/pages/delete/ URI: pages will be deleted.
- CVE-2020-25263HIGHCVSS 7.1EG 7.12020-10-08
PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/addons/uninstall/anomaly.module.blocks URI: an arbitrary plugin will be deleted.
- CVE-2020-25408MEDIUMCVSS 6.5EG 6.52021-05-24
A Cross-Site Request Forgery (CSRF) vulnerability exists in ProjectWorlds College Management System Php 1.0 that allows a remote attacker to modify, delete, or make a new entry of the student, faculty, teacher, subject, scores, location, a…
- CVE-2020-25411MEDIUMCVSS 6.5EG 6.52021-05-24
Projectworlds Online Examination System 1.0 is vulnerable to CSRF, which allows a remote attacker to delete the existing user.
- CVE-2020-25453HIGHCVSS 8.8EG 8.82020-09-15
An issue was discovered in BlackCat CMS before 1.4. There is a CSRF vulnerability (bypass csrf_token) that allows remote arbitrary code execution.
- CVE-2020-25472MEDIUMCVSS 6.5EG 6.52020-11-24
SimplePHPscripts News Script PHP Pro 2.3 is affected by a Cross Site Request Forgery (CSRF) vulnerability, which allows attackers to add new users.
- CVE-2020-25562MEDIUMCVSS 6.5EG 6.52021-08-11
In SapphireIMS 5.0, there is no CSRF token present in the entire application. This can lead to CSRF vulnerabilities in critical application forms like account resent.
- CVE-2020-25622HIGHCVSS 8.8EG 8.82020-12-16
An issue was discovered in SolarWinds N-Central 12.3.0.670. The AdvancedScripts HTTP endpoint allows CSRF.
- CVE-2020-25950MEDIUMCVSS 4.3EG 4.32021-01-08
Advanced Webhost Billing System 3.7.0 is affected by Cross Site Request Forgery (CSRF) attacks that can delete a contact from the My Additional Contact page.
- CVE-2020-25986MEDIUMCVSS 6.5EG 6.52020-10-06
A Cross Site Request Forgery (CSRF) vulnerability in MonoCMS Blog 1.0 allows attackers to change the password of a user.
- CVE-2020-26033MEDIUMCVSS 5.4EG 5.42020-12-28
An issue was discovered in Zammad before 3.4.1. The Tag and Link REST API endpoints (for add and delete) lack a CSRF token check.
- CVE-2020-26516HIGHCVSS 8.8EG 8.82021-06-08
A CSRF issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. Requests sent to the server that trigger actions do not contain a CSRF token and can therefore be entirely predicted allowing attackers to cause the victim's brow…
- CVE-2020-26522HIGHCVSS 8.8EG 8.82020-10-09
A cross-site request forgery (CSRF) vulnerability in mod/user/act_user.php in Garfield Petshop through 2020-10-01 allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts.
- CVE-2020-26641HIGHCVSS 8.8EG 8.82021-05-28
A Cross Site Request Forgery (CSRF) vulnerability was discovered in iCMS 7.0.16 which can allow an attacker to execute arbitrary web scripts.
- CVE-2020-26766HIGHCVSS 8.8EG 8.82020-12-26
A Cross Site Request Forgery (CSRF) vulnerability exists in the loginsystem page in PHPGurukul User Registration & Login and User Management System With Admin Panel 2.1.
- CVE-2020-26802HIGHCVSS 8.8EG 8.82020-10-08
forma.lms 2.3.0.2 is affected by Cross Site Request Forgery (CSRF) in formalms/appCore/index.php?r=lms/profile/show&ap=saveinfo via a GET request to change the admin email address in order to accomplish an account takeover.
- CVE-2020-26912HIGHCVSS 7.5EG 7.52020-10-09
Certain NETGEAR devices are affected by CSRF. This affects D6200 before 1.1.00.38, D7000 before 1.0.1.78, JR6150 before 1.0.1.24, R6020 before 1.0.0.42, R6050 before 1.0.1.24, R6080 before 1.0.0.42, R6120 before 1.0.0.66, R6220 before 1.1.…
- CVE-2020-26936HIGHCVSS 8.8EG 8.82020-11-26
Cloudera Data Engineering (CDE) before 1.1 was vulnerable to a CSRF attack.
- CVE-2020-27016HIGHCVSS 8.8EG 8.82020-11-09
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to a cross-site request forgery (CSRF) vulnerability which could allow an attacker to modify policy rules by tricking an authenticated administrator into …
- CVE-2020-27146MEDIUMCVSS 5.0EG 5.02020-11-10
The Core component of TIBCO Software Inc.'s TIBCO iProcess Workspace (Browser) contains a vulnerability that theoretically allows an unauthenticated attacker with network access to execute a Cross Site Request Forgery (CSRF) attack on the …
- CVE-2020-27379MEDIUMCVSS 6.5EG 6.52021-07-14
Cross Site Request Forgery (CSRF) vulnerability in Booking Core - Ultimate Booking System Booking Core 1.7.0 . The CSRF token is not being validated when the request is sent as a GET method. This results in an unauthorized change in the us…
- CVE-2020-27574HIGHCVSS 8.8EG 8.82021-03-08
Maxum Rumpus 8.2.13 and 8.2.14 is affected by cross-site request forgery (CSRF). If an authenticated user visits a malicious page, unintended actions could be performed in the web application as the authenticated user.
- CVE-2020-27692HIGHCVSS 8.8EG 8.82020-11-04
The Relish (Verve Connect) VH510 device with firmware before 1.0.1.6L0516 contains multiple CSRF vulnerabilities within its web management portal. Attackers can, for example, use this to update the TR-069 configuration server settings (res…
- CVE-2020-27975HIGHCVSS 8.8EG 8.82020-10-28
osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF.
- CVE-2020-27997HIGHCVSS 8.8EG 8.82021-02-19
An issue was discovered in SmartStoreNET before 4.1.0. Lack of Cross Site Request Forgery (CSRF) protection may lead to elevation of privileges (e.g., /admin/customer/create to create an admin account).
- CVE-2020-28040MEDIUMCVSS 4.3EG 4.32020-11-02
WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.
- CVE-2020-28137MEDIUMCVSS 6.5EG 6.52021-11-10
Cross site request forgery (CSRF) in Genexis Platinum 4410 V2-1.28, allows attackers to cause a denial of service by continuously restarting the router.
- CVE-2020-28191HIGHCVSS 8.8EG 8.82022-12-26
The console in Togglz before 2.9.4 allows CSRF.
- CVE-2020-28398HIGHCVSS 8.8EG 8.82024-12-10
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1500 (All versions < V2.16.0), RUGGEDCOM …
- CVE-2020-28403HIGHCVSS 8.0EG 8.82021-01-29
A Cross-Site Request Forgery (CSRF) vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an attacker to change the privileges of any user of the application. This can be used to grant himself administrative rol…
- CVE-2020-28452MEDIUMCVSS 6.3EG 6.32021-01-20
This affects the package com.softwaremill.akka-http-session:core_2.12 from 0 and before 0.6.1; all versions of package com.softwaremill.akka-http-session:core_2.11; the package com.softwaremill.akka-http-session:core_2.13 from 0 and before…
- CVE-2020-28644MEDIUMCVSS 4.3EG 4.32021-02-09
The CSRF (Cross Site Request Forgery) token check was improperly implemented on cookie authenticated requests against some ocs API endpoints. This affects ownCloud/core version < 10.6.
- CVE-2020-28649HIGHCVSS 8.8EG 8.82020-11-16
The orbisius-child-theme-creator plugin before 1.5.2 for WordPress allows CSRF via orbisius_ctc_theme_editor_manage_file.
- CVE-2020-28705MEDIUMCVSS 4.3EG 4.32021-03-10
FUEL CMS 1.4.13 contains a cross-site request forgery (CSRF) vulnerability that can delete a page via a post ID to /pages/delete/3.
- CVE-2020-28838LOWCVSS 3.5EG 3.52020-12-11
Cross Site Request Forgery (CSRF) in CART option in OpenCart Ltd. Opencart CMS 3.0.3.6 allows attacker to add cart items via Add to cart.
- CVE-2020-28846MEDIUMCVSS 6.5EG 6.52021-08-17
Cross Site Request Forgery (CSRF) vulnerability exists in SeaCMS 10.7 in admin_manager.php, which could let a malicious user add an admin account.
- CVE-2020-28858HIGHCVSS 8.8EG 8.82020-12-14
OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly verify whether a request made to the application was intentionally made by the user, allowing for cross-site request forgery attacks on all user functions.
- CVE-2020-28931HIGHCVSS 8.8EG 8.82020-12-16
Lack of an anti-CSRF token in the entire administrative interface in EPSON EPS TSE Server 8 (21.0.11) allows an unauthenticated attacker to force an administrator to execute external POST requests by visiting a malicious website.
- CVE-2020-29004HIGHCVSS 8.8EG 8.82021-01-29
The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack.
- CVE-2020-29030HIGHCVSS 8.1EG 8.12021-03-05
Cross-Site Request Forgery (CSRF) vulnerability in web GUI of Secomea GateManager allows an attacker to execute malicious code. This issue affects: Secomea GateManager All versions prior to 9.4.
- CVE-2020-29254HIGHCVSS 8.8EG 8.82020-12-11
TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulner…
- CVE-2020-29292MEDIUMCVSS 6.5EG 6.52021-12-30
iBall WRD12EN 1.0.0 devices allow cross-site request forgery (CSRF) attacks as demonstrated by enabling DNS settings or modifying the range for IP addresses.
Map vulnerabilities like CWE-352 to your infrastructure
EchelonGraph correlates every CVE — across CWE-352 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →