Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,314)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-51489 1Ampache 1Ampache Jun 17, 2026 Nov 11, 2024 5.3 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing does not adequately validate CSRF tokens when users send messages to one another. This vulnerability...Show more Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing does not adequately validate CSRF tokens when users send messages to one another. This vulnerability could be exploited to forge CSRF attacks, allowing an attacker to send messages to any user, including administrators, if they interact with a malicious request. This issue has been addressed in version 7.0.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2024-51488 1Ampache 1Ampache Jun 17, 2026 Nov 11, 2024 5.3 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing does not adequately validate CSRF tokens when users delete messages. This vulnerability could be expl...Show more Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing does not adequately validate CSRF tokens when users delete messages. This vulnerability could be exploited to forge CSRF attacks, allowing an attacker to delete messages to any user, including administrators, if they interact with a malicious request. This issue has been addressed in version 7.0.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2024-51487 1Ampache 1Ampache Jun 17, 2026 Nov 11, 2024 5.3 MEDIUM· v4 8.1 HIGH· v3 N/A· v2 Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing fails to properly validate CSRF tokens when activating or deactivating catalog. This vulnerability al...Show more Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing fails to properly validate CSRF tokens when activating or deactivating catalog. This vulnerability allows an attacker to exploit CSRF attacks, potentially enabling them to change website features that should only be managed by administrators through malicious requests. This issue has been addressed in version 7.0.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2024-51485 1Ampache 1Ampache Jun 17, 2026 Nov 11, 2024 5.3 MEDIUM· v4 8.1 HIGH· v3 N/A· v2 Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing fails to properly validate CSRF tokens when activating or deactivating plugins. This vulnerability al...Show more Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing fails to properly validate CSRF tokens when activating or deactivating plugins. This vulnerability allows an attacker to exploit CSRF attacks, potentially enabling them to change website features that should only be managed by administrators through malicious requests. This issue has been addressed in version 7.0.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2024-51484 1Ampache 1Ampache Jun 17, 2026 Nov 11, 2024 5.3 MEDIUM· v4 8.1 HIGH· v3 N/A· v2 Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing fails to properly validate CSRF tokens when activating or deactivating controllers. This vulnerabilit...Show more Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing fails to properly validate CSRF tokens when activating or deactivating controllers. This vulnerability allows an attacker to exploit CSRF attacks, potentially enabling them to change website features that should only be managed by administrators through malicious requests. This issue has been addressed in version 7.0.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2024-51647 - - Jun 17, 2026 Nov 9, 2024 N/A· v4 7.1 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Chaser324 Featured Posts Scroll allows Stored XSS.This issue affects Featured Posts Scroll: from n/a through 1.25.
CVE-2024-51630 - - Jun 17, 2026 Nov 9, 2024 N/A· v4 7.1 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Lars Schenk Responsive Flickr Gallery responsive-flickr-gallery allows Stored XSS.This issue affects Responsive Flickr Gallery: from n/a through <= 1.3.1.
CVE-2024-52002 1Combodo 1Itop Jun 17, 2026 Nov 8, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Combodo iTop is a simple, web based IT Service Management tool. Several url endpoints are subject to a Cross-Site Request Forgery (CSRF) vulnerability. Please refer to the linked GHSA for the complete list. This issue ha...Show more Combodo iTop is a simple, web based IT Service Management tool. Several url endpoints are subject to a Cross-Site Request Forgery (CSRF) vulnerability. Please refer to the linked GHSA for the complete list. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2024-51157 107fly 107flycms Jun 17, 2026 Nov 8, 2024 N/A· v4 4.7 MEDIUM· v3 N/A· v2 07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component http://erp.07fly.net:80/oa/OaSchedule/add.html.
CVE-2024-50966 1Timgreen 1Dingfanzu Cms Jun 17, 2026 Nov 8, 2024 N/A· v4 9.3 CRITICAL· v3 N/A· v2 dingfanzu CMS V1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/doAdminAction.php?act=addAdmin.
CVE-2019-20460 - - Jun 17, 2026 Nov 7, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. POST requests don't require (anti-)CSRF tokens or other mechanisms for validating that the request is from a legitimate source. In addition, CS...Show more An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. POST requests don't require (anti-)CSRF tokens or other mechanisms for validating that the request is from a legitimate source. In addition, CSRF attacks can be used to send text directly to the RAW printer interface. For example, an attack could deliver a worrisome printout to an end user.Show less
CVE-2020-11919 1Svakom 1Svakom Siime Eye Firmware Jun 17, 2026 Nov 7, 2024 N/A· v4 8.0 HIGH· v3 N/A· v2 An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. There is no CSRF protection.
CVE-2024-51382 1Jatos 1Jatos Jun 17, 2026 Nov 5, 2024 N/A· v4 8.4 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in JATOS v3.9.3 allows an attacker to reset the administrator's password. This critical security flaw can result in unauthorized access to the platform, enabling attackers...Show more Cross-Site Request Forgery (CSRF) vulnerability in JATOS v3.9.3 allows an attacker to reset the administrator's password. This critical security flaw can result in unauthorized access to the platform, enabling attackers to hijack admin accounts and compromise the integrity and security of the system.Show less
CVE-2024-51381 1Jatos 1Jatos Jun 17, 2026 Nov 5, 2024 N/A· v4 8.4 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in JATOS v3.9.3 that allows attackers to perform actions reserved for administrators, including creating admin accounts. This critical flaw can lead to unauthorized activit...Show more Cross-Site Request Forgery (CSRF) vulnerability in JATOS v3.9.3 that allows attackers to perform actions reserved for administrators, including creating admin accounts. This critical flaw can lead to unauthorized activities, compromising the security and integrity of the platform, especially if an attacker gains administrative control.Show less
CVE-2024-10711 1Ithemelandco 1Woocommerce Report Jun 17, 2026 Nov 5, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The WooCommerce Report plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.1. This is due to missing or incorrect nonce validation on the settings update functionali...Show more The WooCommerce Report plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.1. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update arbitrary options that can be leveraged for privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-9689 1Shaon 1Post From Frontend Jun 17, 2026 Nov 5, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Post From Frontend WordPress plugin through 1.0.0 does not have CSRF check when deleting posts, which could allow attackers to make logged in admin perform such action via a CSRF attack
CVE-2024-31998 1Combodo 1Itop Jun 17, 2026 Nov 5, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Combodo iTop is a simple, web based IT Service Management tool. A CSRF can be performed on CSV import simulation. This issue has been fixed in versions 3.1.2 and 3.2.0. All users are advised to upgrade. There are no know...Show more Combodo iTop is a simple, web based IT Service Management tool. A CSRF can be performed on CSV import simulation. This issue has been fixed in versions 3.1.2 and 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2024-48057 1Mudler 1Localai Jun 17, 2026 Nov 4, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user access...Show more localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage.Show less
CVE-2024-30617 1Chamilo 1Chamilo Lms Jun 17, 2026 Nov 4, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 A Cross-Site Request Forgery (CSRF) vulnerability in Chamilo LMS 1.11.26 "/main/social/home.php," allows attackers to initiate a request that posts a fake post onto the user's social wall without their consent or knowled...Show more A Cross-Site Request Forgery (CSRF) vulnerability in Chamilo LMS 1.11.26 "/main/social/home.php," allows attackers to initiate a request that posts a fake post onto the user's social wall without their consent or knowledge.Show less
CVE-2024-41744 1Ibm 1Cics Tx Jun 17, 2026 Nov 1, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 IBM CICS TX Standard 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

Previous 1...137138139...466 Next