CWE-352— Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.— MITRE CWE catalog
8,840 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-352page 59 of 177
- CVE-2021-29660HIGHCVSS 8.8EG 8.82021-04-02
A Cross-Site Request Forgery (CSRF) vulnerability in en/cfg_setpwd.html in Softing AG OPC Toolbox through 4.10.1.13035 allows attackers to reset the administrative password by inducing the Administrator user to browse a URL controlled by a…
- CVE-2021-29756HIGHCVSS 8.8EG 8.82021-12-03
IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site request forgery (CSRF) in the My Inbox page which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM…
- CVE-2021-29757HIGHCVSS 8.8EG 8.82021-08-02
IBM QRadar User Behavior Analytics 4.1.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 202168.
- CVE-2021-29816MEDIUMCVSS 6.5EG 6.52021-09-23
IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website tr…
- CVE-2021-29823MEDIUMCVSS 6.5EG 6.52022-09-01
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 204465.
- CVE-2021-29837HIGHCVSS 8.8EG 8.82021-10-06
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. I…
- CVE-2021-29888HIGHCVSS 8.8EG 8.82021-11-02
IBM InfoSphere Information Server 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 207123.
- CVE-2021-29995HIGHCVSS 8.8EG 8.82021-06-09
A Cross Site Request Forgery (CSRF) issue in Server Console in CloverDX through 5.9.0 allows remote attackers to execute any action as the logged-in user (including script execution). The issue is resolved in CloverDX 5.10, CloverDX 5.9.1,…
- CVE-2021-30112MEDIUMCVSS 6.5EG 6.52021-04-08
Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a student_leave_application request through module/core/studentleaveapplication/create. The application fails to valida…
- CVE-2021-30114MEDIUMCVSS 6.5EG 6.52021-04-08
Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a voucher payment request through module/accounting/voucher/create. The application fails to validate the CSRF token fo…
- CVE-2021-30147HIGHCVSS 8.8EG 8.82021-04-07
DMA Softlab Radius Manager 4.4.0 allows CSRF with impacts such as adding new manager accounts via admin.php.
- CVE-2021-30224HIGHCVSS 8.8EG 8.82021-04-29
Cross Site Request Forgery (CSRF) in Rukovoditel v2.8.3 allows attackers to create an admin user with an arbitrary credentials.
- CVE-2021-31152HIGHCVSS 8.8EG 8.82021-04-14
Multilaser Router AC1200 V02.03.01.45_pt contains a cross-site request forgery (CSRF) vulnerability. An attacker can enable remote access, change passwords, and perform other actions through misconfigured requests, entries, and headers.
- CVE-2021-3133MEDIUMCVSS 6.5EG 6.52021-01-12
The Elementor Contact Form DB plugin before 1.6 for WordPress allows CSRF via backend admin pages.
- CVE-2021-31584HIGHCVSS 8.8EG 8.82021-04-23
Sipwise C5 NGCP www_csc version 3.6.4 up to and including platform NGCP CE mr3.8.13 allows call/click2dial CSRF attacks for actions with administrative privileges.
- CVE-2021-31589MEDIUMCVSS 6.1EG 6.12022-01-05
A cross-site scripting (XSS) vulnerability has been reported and confirmed for BeyondTrust Secure Remote Access Base Software version 6.0.1 and older, which allows the injection of unauthenticated, specially-crafted web requests without pr…
- CVE-2021-31604MEDIUMCVSS 6.5EG 5.32021-09-27
furlongm openvpn-monitor through 1.1.3 allows CSRF to disconnect an arbitrary client.
- CVE-2021-31631HIGHCVSS 8.8EG 8.82021-12-06
b2evolution CMS v7.2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the User login page. This vulnerability allows attackers to escalate privileges.
- CVE-2021-31659HIGHCVSS 8.8EG 8.82021-06-10
TP-Link TL-SG2005, TL-SG2008, etc. 1.0.0 Build 20180529 Rel.40524 is vulnerable to Cross Site Request Forgery (CSRF). All configuration information is placed in the URL, without any additional token authentication information. A malicious …
- CVE-2021-31677MEDIUMCVSS 6.5EG 6.52022-07-06
An issue was discovered in PESCMS-V2.3.3. There is a CSRF vulnerability that can modify admin and other members' passwords.
- CVE-2021-31678MEDIUMCVSS 6.5EG 6.52022-07-06
An issue was discovered in PESCMS-V2.3.3. There is a CSRF vulnerability that can delete import information about a user's company.
- CVE-2021-31679MEDIUMCVSS 6.5EG 6.52022-07-06
An issue was discovered in PESCMS-V2.3.3. There is a CSRF vulnerability that allows attackers to delete admin and other members' account numbers.
- CVE-2021-31760HIGHCVSS 8.8EG 8.82021-04-25
Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to achieve Remote Command Execution (RCE) through Webmin's running process feature.
- CVE-2021-31762HIGHCVSS 8.8EG 8.82021-04-25
Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to create a privileged user through Webmin's add users feature, and then get a reverse shell through Webmin's running process feature.
- CVE-2021-32073HIGHCVSS 8.8EG 8.82021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
- CVE-2021-32096HIGHCVSS 8.8EG 8.82021-05-07
The ConsoleAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows a CSRF attack that results in injecting arbitrary Ruby code (for an eval call) via the CONSOLE_COMMAND_STRING parameter.
- CVE-2021-32122CRITICALCVSS 9.8EG 9.82021-08-11
Certain NETGEAR devices are affected by CSRF. This affects EX3700 before 1.0.0.90, EX3800 before 1.0.0.90, EX6120 before 1.0.0.64, and EX6130 before 1.0.0.44.
- CVE-2021-32156HIGHCVSS 8.8EG 8.82022-04-11
A cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Scheduled Cron Jobs feature.
- CVE-2021-32159HIGHCVSS 8.8EG 8.82022-04-11
A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Upload and Download feature.
- CVE-2021-32162HIGHCVSS 8.8EG 8.82022-04-11
A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 through the File Manager feature.
- CVE-2021-32402HIGHCVSS 8.8EG 8.82021-05-17
Intelbras Router RF 301K Firmware 1.1.2 is vulnerable to Cross Site Request Forgery (CSRF) due to lack of validation and insecure configurations in inputs and modules.
- CVE-2021-32403HIGHCVSS 8.8EG 8.82021-05-17
Intelbras Router RF 301K Firmware 1.1.2 is vulnerable to Cross Site Request Forgery (CSRF) due to lack of security mechanisms for token protection and unsafe inputs and modules.
- CVE-2021-32424HIGHCVSS 8.8EG 8.82021-06-17
In TrendNet TW100-S4W1CA 2.3.32, due to a lack of proper session controls, a threat actor could make unauthorized changes to an affected router via a specially crafted web page. If an authenticated user were to interact with a malicious we…
- CVE-2021-32632LOWCVSS 2.4EG 2.42021-05-20
Pajbot is a Twitch chat bot. Pajbot versions prior to 1.52 are vulnerable to cross-site request forgery (CSRF). Hosters of the bot should upgrade to `v1.52` or `stable` to install the patch or, as a workaround, can add one modern dependenc…
- CVE-2021-32677HIGHCVSS 8.2EG 8.22021-06-09
FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were…
- CVE-2021-32730MEDIUMCVSS 5.7EG 5.72021-07-01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A cross-site request forgery vulnerability exists in versions prior to 12.10.5, and in versions 13.0 through 13.1. It's possible for f…
- CVE-2021-32732HIGHCVSS 7.5EG 7.52022-02-04
### Impact It's possible to know if a user has or not an account in a wiki related to an email address, and which username(s) is actually tied to that email by forging a request to the Forgot username page. Note that since this page does n…
- CVE-2021-32774MEDIUMCVSS 6.1EG 6.12021-07-20
DataDump is a MediaWiki extension that provides dumps of wikis. Prior to commit 67a82b76e186925330b89ace9c5fd893a300830b, DataDump had no protection against CSRF attacks so requests to generate or delete dumps could be forged. The vulnerab…
- CVE-2021-32776MEDIUMCVSS 6.8EG 6.82021-07-21
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, CSRF tokens can be reused by a malicious user, as on Windows servers no cleanup is done on CSRF tokens. This issue is fixed in versions 2.7.4 and 3.0.0.
- CVE-2021-32929MEDIUMCVSS 4.3EG 8.82022-04-22
All versions of Uffizio GPS Tracker may allow an attacker to perform unintended actions on behalf of a user.
- CVE-2021-32991MEDIUMCVSS 4.3EG 4.32021-08-30
Delta Electronics DIAEnergie Version 1.7.5 and prior is vulnerable to cross-site request forgery, which may allow an attacker to cause a user to carry out an action unintentionally.
- CVE-2021-33338HIGHCVSS 7.5EG 7.52021-08-04
The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site…
- CVE-2021-33396MEDIUMCVSS 6.5EG 6.52023-02-15
Cross Site Request Forgery (CSRF) vulnerability in baijiacms 4.1.4, allows attackers to change the password or other information of an arbitrary account via index.php.
- CVE-2021-34086HIGHCVSS 8.8EG 8.82022-01-10
In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D printer S-line through 6.3 and Ultimaker 3 through 5.2.16, the local webserver hosts APIs vulnerable to CSRF. They do not verify incoming requests.
- CVE-2021-34167HIGHCVSS 8.8EG 8.82023-02-24
Cross Site Request Forgery (CSRF) vulnerability in taoCMS 3.0.2 allows remote attackers to gain escalated privileges via taocms/admin/admin.php.
- CVE-2021-34244HIGHCVSS 8.8EG 8.82021-06-22
A cross site request forgery (CSRF) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to create new admin accounts or change users' passwords.
- CVE-2021-34358MEDIUMCVSS 6.8EG 8.82021-11-20
We have already fixed this vulnerability in the following versions of QmailAgent: QmailAgent 3.0.2 ( 2021/08/25 ) and later
- CVE-2021-34360MEDIUMCVSS 5.3EG 8.82022-05-26
A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP device running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in …
- CVE-2021-34547MEDIUMCVSS 4.3EG 4.32021-06-10
PRTG Network Monitor 20.1.55.1775 allows /editsettings CSRF for user account creation.
- CVE-2021-34619HIGHCVSS 8.8EG 8.82021-07-21
The WooCommerce Stock Manager WordPress plugin is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Upload in versions up to, and including, 2.5.7 due to missing nonce and file validation in the /woocommerce-stock-manager/…
Map vulnerabilities like CWE-352 to your infrastructure
EchelonGraph correlates every CVE — across CWE-352 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →