← Back
CWE-352

9,384 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

JSON object

Loading...

CVEs (9,384)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Icmsdev
1Icms
Jun 17, 2026
Sep 20, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross Site Request Forgery (CSRF) vulnerability in icmsdev iCMSv.7.0.16 allows a remote attacker to execute arbitrary code via the user.admincp.php, members.admincp.php, and group.admincp.php files.
1Jenkins
1Build Failure Analyzer
Jun 17, 2026
Sep 20, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to delete Failure Causes.
1Jenkins
1Build Failure Analyzer
Jun 17, 2026
Sep 20, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and pa...Show more
A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password.Show less
1Papercut
1Mobility Print Server
Jun 17, 2026
Sep 20, 2023
N/A· v4
6.5 MEDIUM· v3
N/A· v2
The `PaperCutNG Mobility Print` version 1.0.3512 application allows an unauthenticated attacker to perform a CSRF attack on an instance administrator to configure the clients host (in the "configure printer discovery"...Show more
The `PaperCutNG Mobility Print` version 1.0.3512 application allows an unauthenticated attacker to perform a CSRF attack on an instance administrator to configure the clients host (in the "configure printer discovery" section). This is possible because the application has no protections against CSRF attacks, like Anti-CSRF tokens, header origin validation, samesite cookies, etc. Show less
1Ormazabal
2Ekorccp Firmware
Ekorrci Firmware
Jun 17, 2026
Sep 19, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Lack of device control over web requests in ekorCCP and ekorRCI, allowing an attacker to create customised requests to execute malicious actions when a user is logged in, affecting availability, privacy and integrity.
1Socomec
1Modulys Gp Firmware
Jun 17, 2026
Sep 18, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Thanks to the weaknesses that the web application has at the user management level, an attacker could obtain the information from the headers that is necessary to create specially designed URLs and originate malic...Show more
Thanks to the weaknesses that the web application has at the user management level, an attacker could obtain the information from the headers that is necessary to create specially designed URLs and originate malicious actions when a legitimate user is logged into the web application. Show less
1Usememos
1Memos
Jun 17, 2026
Sep 18, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.15.1.
1Grocy Project
1Grocy
Jun 17, 2026
Sep 15, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Grocy <= 4.0.2 is vulnerable to Cross Site Request Forgery (CSRF).
1Redhat
1Quay
Jun 17, 2026
Sep 15, 2023
N/A· v4
6.5 MEDIUM· v3
N/A· v2
A flaw was found in Quay. Cross-site request forgery (CSRF) attacks force a user to perform unwanted actions in an application. During the pentest, it was detected that the config-editor page is vulnerable to CSRF. The c...Show more
A flaw was found in Quay. Cross-site request forgery (CSRF) attacks force a user to perform unwanted actions in an application. During the pentest, it was detected that the config-editor page is vulnerable to CSRF. The config-editor page is used to configure the Quay instance. By coercing the victim’s browser into sending an attacker-controlled request from another domain, it is possible to reconfigure the Quay instance (including adding users with admin privileges).Show less
1Moosocial
1Moosocial
Jun 17, 2026
Sep 14, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross Site Request Forgery vulnerability in mooSocial MooSocial Software v.Demo allows a remote attacker to execute arbitrary code via the Delete Account and Deactivate functions.
1Mitel
1Connect Mobility Router
Jun 17, 2026
Sep 14, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2304.102 could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient req...Show more
A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2304.102 could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient request validation. A successful exploit could allow an attacker to provide a modified URL, potentially enabling them to modify system configuration settings.Show less
1Mitel
1Mivoice Connect
Jun 17, 2026
Sep 14, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 SP3 (22.24.5800.0) could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient req...Show more
A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 SP3 (22.24.5800.0) could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient request validation. A successful exploit could allow an attacker to provide a modified URL, potentially enabling them to modify system configuration settings.Show less
1Idehweb
1Login With Phone Number
Jun 17, 2026
Sep 13, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
The Login with phone number plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.6. This is due to missing nonce validation on the 'lwp_update_password_action' function....Show more
The Login with phone number plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.6. This is due to missing nonce validation on the 'lwp_update_password_action' function. This makes it possible for unauthenticated attackers to change user password via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
1Contact Manager App Project
1Contact Manager App
Jun 17, 2026
Sep 10, 2023
N/A· v4
8.8 HIGH· v3
5.0 MEDIUM· v2
A vulnerability was found in SourceCodester Contact Manager App 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file update.php. The manipulation leads to cross-site req...Show more
A vulnerability was found in SourceCodester Contact Manager App 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file update.php. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-239354 is the identifier assigned to this vulnerability.Show less
1Contact Manager App Project
1Contact Manager App
Jun 17, 2026
Sep 10, 2023
N/A· v4
8.8 HIGH· v3
5.0 MEDIUM· v2
A vulnerability was found in SourceCodester Contact Manager App 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file add.php. The manipulation leads to cross-si...Show more
A vulnerability was found in SourceCodester Contact Manager App 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file add.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-239353 was assigned to this vulnerability.Show less
1Take Note App Project
1Take Note App
Jun 17, 2026
Sep 9, 2023
N/A· v4
8.8 HIGH· v3
5.0 MEDIUM· v2
A vulnerability has been found in SourceCodester Take-Note App 1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated...Show more
A vulnerability has been found in SourceCodester Take-Note App 1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-239350 is the identifier assigned to this vulnerability.Show less
1Idreamsoft
1Icms
Jun 17, 2026
Sep 8, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
icms 7.0.16 is vulnerable to Cross Site Request Forgery (CSRF).
1Jenkins
1Frugal Testing
Jun 17, 2026
Sep 6, 2023
N/A· v4
3.5 LOW· v3
N/A· v2
A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names fr...Show more
A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username.Show less
1Jenkins
1Aws Codecommit Trigger
Jun 17, 2026
Sep 6, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
A cross-site request forgery (CSRF) vulnerability in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers to clear the SQS queue.
1Jenkins
1Ivy
Jun 17, 2026
Sep 6, 2023
N/A· v4
6.5 MEDIUM· v3
N/A· v2
A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers to delete disabled modules.