← Back
CWE-352

9,334 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

JSON object

Loading...

CVEs (9,334)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2024-40332
1Idccms
1Idccms
Jun 17, 2026
Jul 10, 2024
N/A· v4
8.8 HIGH· v3
N/A· v2
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/moneyRecord_deal.php?mudi=delRecord
CVE-2024-40331
1Idccms
1Idccms
Jun 17, 2026
Jul 10, 2024
N/A· v4
8.8 HIGH· v3
N/A· v2
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/dbBakMySQL_deal.php?mudi=backup
CVE-2024-40334
1Idccms
1Idccms
Jun 17, 2026
Jul 10, 2024
N/A· v4
8.8 HIGH· v3
N/A· v2
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/serverFile_deal.php?mudi=upFileDel&dataID=3
CVE-2024-40329
1Idccms
1Idccms
Jun 17, 2026
Jul 10, 2024
N/A· v4
8.8 HIGH· v3
N/A· v2
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/softBak_deal.php?mudi=backup
CVE-2024-40328
1Idccms
1Idccms
Jun 17, 2026
Jul 10, 2024
N/A· v4
6.3 MEDIUM· v3
N/A· v2
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/memberOnline_deal.php?mudi=del&dataType=&dataID=6
CVE-2024-28828
1Checkmk
1Checkmk
Jun 17, 2026
Jul 10, 2024
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross-Site request forgery in Checkmk < 2.3.0p8, < 2.2.0p29, < 2.1.0p45, and <= 2.0.0p39 (EOL) could lead to 1-click compromize of the site.
CVE-2024-3798
-
-
Jun 17, 2026
Jul 10, 2024
8.7 HIGH· v4
N/A· v3
N/A· v2
Insecure handling of GET header parameter file included in requests being sent to an instance of the open-source project Phoniebox allows an attacker to create a website, which – when visited by a user – will send malici...Show more
Insecure handling of GET header parameter file included in requests being sent to an instance of the open-source project Phoniebox allows an attacker to create a website, which – when visited by a user – will send malicious requests to multiple hosts on the local network. If such a request reaches the server, it will cause one of the following (depending on the chosen payload): shell command execution, reflected XSS or cross-site request forgery. This issue affects Phoniebox in all releases through 2.7. Newer 2.x releases were not tested, but they might also be vulnerable.  Phoniebox in version 3.0 and higher are not affected.Show less
CVE-2024-36452
1Webmin
1Webmin
Jun 17, 2026
Jul 10, 2024
N/A· v4
3.1 LOW· v3
N/A· v2
Cross-site request forgery vulnerability exists in ajaxterm module of Webmin versions prior to 2.003. If this vulnerability is exploited, unintended operations may be performed when a user views a malicious page while lo...Show more
Cross-site request forgery vulnerability exists in ajaxterm module of Webmin versions prior to 2.003. If this vulnerability is exploited, unintended operations may be performed when a user views a malicious page while logged in. As a result, data within a system may be referred, a webpage may be altered, or a server may be permanently halted.Show less
CVE-2024-39063
1Limesurvey
1Limesurvey
Jun 17, 2026
Jul 9, 2024
N/A· v4
8.8 HIGH· v3
N/A· v2
Lime Survey <= 6.5.12 is vulnerable to Cross Site Request Forgery (CSRF). The YII_CSRF_TOKEN is only checked when passed in the body of POST requests, but the same check isn't performed in the equivalent GET requests.
CVE-2024-40039
1Idccms Project
1Idccms
Jun 17, 2026
Jul 9, 2024
N/A· v4
8.8 HIGH· v3
N/A· v2
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/userGroup_deal.php?mudi=del
CVE-2024-40038
1Idccms
1Idccms
Jun 17, 2026
Jul 9, 2024
N/A· v4
5.3 MEDIUM· v3
N/A· v2
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/userScore_deal.php?mudi=rev
CVE-2024-40037
1Idccms Project
1Idccms
Jun 17, 2026
Jul 9, 2024
N/A· v4
8.8 HIGH· v3
N/A· v2
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/userScore_deal.php?mudi=del
CVE-2024-40035
1Idccms
1Idccms
Jun 17, 2026
Jul 9, 2024
N/A· v4
5.9 MEDIUM· v3
N/A· v2
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/userLevel_deal.php?mudi=add.
CVE-2024-40034
1Idccms Project
1Idccms
Jun 17, 2026
Jul 9, 2024
N/A· v4
8.8 HIGH· v3
N/A· v2
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/userLevel_deal.php?mudi=del
CVE-2024-27783
1Fortinet
1Fortiaiops
Jun 17, 2026
Jul 9, 2024
N/A· v4
8.8 HIGH· v3
N/A· v2
Multiple cross-site request forgery (CSRF) weaknesses [CWE-352] vulnerability in Fortinet FortiAIOps 2.0.0 may allow an unauthenticated remote attacker to perform arbitrary actions on behalf of an authenticated user via...Show more
Multiple cross-site request forgery (CSRF) weaknesses [CWE-352] vulnerability in Fortinet FortiAIOps 2.0.0 may allow an unauthenticated remote attacker to perform arbitrary actions on behalf of an authenticated user via tricking the victim to execute malicious GET requests.Show less
CVE-2024-6168
-
-
Jun 17, 2026
Jul 9, 2024
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The Just Custom Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.2. This is due to missing or incorrect nonce validation on several AJAX function. This mak...Show more
The Just Custom Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.2. This is due to missing or incorrect nonce validation on several AJAX function. This makes it possible for unauthenticated attackers to invoke this functionality intended for admin users via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This enables subscribers to manage field groups, change visibility of items among other things.Show less
CVE-2024-4100
-
-
Jun 17, 2026
Jul 9, 2024
N/A· v4
5.3 MEDIUM· v3
N/A· v2
The Pricing Table plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the ajax() function. This makes it p...Show more
The Pricing Table plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the ajax() function. This makes it possible for unauthenticated attackers to perform a variety of actions related to managing pricing tables via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-6321
-
-
Jun 17, 2026
Jul 9, 2024
N/A· v4
8.8 HIGH· v3
N/A· v2
The ScrollTo Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 1.1.1. This is due to missing nonce validation and missing file type validat...Show more
The ScrollTo Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 1.1.1. This is due to missing nonce validation and missing file type validation in the 'options_page' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-6320
-
-
Jun 17, 2026
Jul 9, 2024
N/A· v4
8.8 HIGH· v3
N/A· v2
The ScrollTo Top plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 1.2.2. This is due to missing nonce validation and missing file type validation...Show more
The ScrollTo Top plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 1.2.2. This is due to missing nonce validation and missing file type validation in the 'options_page' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-6317
1Zealousweb
1Generate Pdf Using Contact Form 7
Jun 17, 2026
Jul 9, 2024
N/A· v4
8.8 HIGH· v3
N/A· v2
The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 4.1.2. This is due to missing nonce validation and the plu...Show more
The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 4.1.2. This is due to missing nonce validation and the plugin not properly validating a file or its path prior to deleting it in the 'wp_cf7_pdf_dashboard_html_page' function. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less