Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,362)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-38086 1Getshortcodes 1Shortcodes Ultimate Jun 17, 2026 Oct 11, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Shortcodes Ultimate plugin <= 5.12.0 at WordPress leading to plugin preset settings change.
CVE-2021-36915 1Cozmoslabs 1Profile Builder Jun 17, 2026 Oct 11, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder plugin <= 3.6.0 at WordPress allows uploading the JSON file and updating the options. Requires Import and Export add-on.
CVE-2022-32175 1Adguard 1Adguardhome Jun 17, 2026 Oct 11, 2022 N/A· v4 5.4 MEDIUM· v3 N/A· v2 In AdGuardHome, versions v0.95 through v0.108.0-b.13 are vulnerable to Cross-Site Request Forgery (CSRF), in the custom filtering rules functionality. An attacker can persuade an authorized user to follow a malicious lin...Show more In AdGuardHome, versions v0.95 through v0.108.0-b.13 are vulnerable to Cross-Site Request Forgery (CSRF), in the custom filtering rules functionality. An attacker can persuade an authorized user to follow a malicious link, resulting in deleting/modifying the custom filtering rules.Show less
CVE-2022-40180 1Siemens 10Desigo Pxm30 1 Firmware Desigo Pxm30.e FirmwareDesigo Pxm40 1 Firmware+7 more Jun 17, 2026 Oct 11, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 A vulnerability has been identified in Desigo PXM30-1 (All versions < V02.20.126.11-41), Desigo PXM30.E (All versions < V02.20.126.11-41), Desigo PXM40-1 (All versions < V02.20.126.11-41), Desigo PXM40.E (All versions <...Show more A vulnerability has been identified in Desigo PXM30-1 (All versions < V02.20.126.11-41), Desigo PXM30.E (All versions < V02.20.126.11-41), Desigo PXM40-1 (All versions < V02.20.126.11-41), Desigo PXM40.E (All versions < V02.20.126.11-41), Desigo PXM50-1 (All versions < V02.20.126.11-41), Desigo PXM50.E (All versions < V02.20.126.11-41), PXG3.W100-1 (All versions < V02.20.126.11-37), PXG3.W100-2 (All versions < V02.20.126.11-41), PXG3.W200-1 (All versions < V02.20.126.11-37), PXG3.W200-2 (All versions < V02.20.126.11-41). A Cross-Site Request Forgery exists in the “Import Files“ functionality of the “Operation” web application due to the missing validation of anti-CSRF tokens or other origin checks. A remote unauthenticated attacker can upload and enable permanent arbitrary JavaScript code into the device just by convincing a victim to visit a specifically crafted webpage while logged-in to the device web application.Show less
CVE-2022-40179 1Siemens 10Desigo Pxm30 1 Firmware Desigo Pxm30.e FirmwareDesigo Pxm40 1 Firmware+7 more Jun 17, 2026 Oct 11, 2022 N/A· v4 8.1 HIGH· v3 N/A· v2 A vulnerability has been identified in Desigo PXM30-1 (All versions < V02.20.126.11-41), Desigo PXM30.E (All versions < V02.20.126.11-41), Desigo PXM40-1 (All versions < V02.20.126.11-41), Desigo PXM40.E (All versions <...Show more A vulnerability has been identified in Desigo PXM30-1 (All versions < V02.20.126.11-41), Desigo PXM30.E (All versions < V02.20.126.11-41), Desigo PXM40-1 (All versions < V02.20.126.11-41), Desigo PXM40.E (All versions < V02.20.126.11-41), Desigo PXM50-1 (All versions < V02.20.126.11-41), Desigo PXM50.E (All versions < V02.20.126.11-41), PXG3.W100-1 (All versions < V02.20.126.11-37), PXG3.W100-2 (All versions < V02.20.126.11-41), PXG3.W200-1 (All versions < V02.20.126.11-37), PXG3.W200-2 (All versions < V02.20.126.11-41). A Cross-Site Request Forgery exists in endpoints of the “Operation” web application that interpret and execute Axon language queries, due to the missing validation of anti-CSRF tokens or other origin checks. By convincing a victim to click on a malicious link or visit a specifically crafted webpage while logged-in to the device web application, a remote unauthenticated attacker can execute arbitrary Axon queries against the device.Show less
CVE-2022-3208 1Simplefilelist 1Simple File List Jun 17, 2026 Oct 10, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Simple File List WordPress plugin before 4.4.12 does not implement nonce checks, which could allow attackers to make a logged in admin create new page and change it's content via a CSRF attack.
CVE-2022-3154 3Integration For Billingo & Gravity Forms Project Integration For Szamlazz.hu & Gravity Forms ProjectWoo Billingo Plus Project 3Integration For Billingo & Gravity Forms Integration For Szamlazz.hu & Gravity FormsWoo Billingo Plus Jun 17, 2026 Oct 10, 2022 N/A· v4 7.1 HIGH· v3 N/A· v2 The Woo Billingo Plus WordPress plugin before 4.4.5.4, Integration for Billingo & Gravity Forms WordPress plugin before 1.0.4, Integration for Szamlazz.hu & Gravity Forms WordPress plugin before 1.2.7 are lacking CSRF ch...Show more The Woo Billingo Plus WordPress plugin before 4.4.5.4, Integration for Billingo & Gravity Forms WordPress plugin before 1.0.4, Integration for Szamlazz.hu & Gravity Forms WordPress plugin before 1.2.7 are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin's licenseShow less
CVE-2022-2350 1Brainvire 1Disable User Login Jun 17, 2026 Oct 10, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The Disable User Login WordPress plugin through 1.0.1 does not have authorisation and CSRF checks when updating its settings, allowing unauthenticated attackers to block (or unblock) users at will.
CVE-2022-22493 1Ibm 1Websphere Automation For Ibm Cloud Pak For Watson Aiops Jun 17, 2026 Oct 7, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 IBM WebSphere Automation for Cloud Pak for Watson AIOps 1.4.2 is vulnerable to cross-site request forgery, caused by improper cookie attribute setting. IBM X-Force ID: 226449.
CVE-2022-2986 1Moodle 1Moodle Jun 17, 2026 Oct 6, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.
CVE-2022-2783 1Octopus 1Octopus Server Jun 17, 2026 Oct 6, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token
CVE-2022-2839 1Zephyr One 1Zephyr Project Manager Jun 17, 2026 Oct 3, 2022 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furtherm...Show more The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins.Show less
CVE-2022-39268 1Orchest 1Orchest Jun 17, 2026 Sep 30, 2022 N/A· v4 8.1 HIGH· v3 N/A· v2 ### Impact In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent clien...Show more ### Impact In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account. ### Patch Upgrade to v2022.09.10 to patch this vulnerability. ### Workarounds Rebuild and redeploy the Orchest `auth-server` with this commit: https://github.com/orchest/orchest/commit/c2587a963cca742c4a2503bce4cfb4161bf64c2d ### References https://en.wikipedia.org/wiki/Cross-site_request_forgery https://cwe.mitre.org/data/definitions/352.html ### For more information If you have any questions or comments about this advisory: * Open an issue in https://github.com/orchest/orchest * Email us at rick@orchest.ioShow less
CVE-2021-36855 1Bookingultrapro 1Booking Ultra Pro Appointments Booking Calendar Jun 17, 2026 Sep 30, 2022 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in Booking Ultra Pro plugin <= 1.1.4 at WordPress.
CVE-2021-36854 1Bookingultrapro 1Booking Ultra Pro Appointments Booking Calendar Jun 17, 2026 Sep 30, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Booking Ultra Pro plugin <= 1.1.4 at WordPress.
CVE-2020-35675 1Bigprof 1Online Invoicing System Jun 17, 2026 Sep 29, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 BigProf Online Invoicing System before 3.0 offers a functionality that allows an administrator to move the records of members across groups. The applicable endpoint (admin/pageTransferOwnership.php) lacks CSRF protection...Show more BigProf Online Invoicing System before 3.0 offers a functionality that allows an administrator to move the records of members across groups. The applicable endpoint (admin/pageTransferOwnership.php) lacks CSRF protection, resulting in an attacker being able to escalate their privileges to Administrator and effectively taking over the application.Show less
CVE-2022-3057 2Fedoraproject Google 2Chrome Fedora Jun 17, 2026 Sep 26, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Inappropriate implementation in iframe Sandbox in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2022-3119 1Oauth Client Single Sign On Project 1Oauth Client Single Sign On Jun 17, 2026 Sep 26, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 The OAuth client Single Sign On WordPress plugin before 3.0.4 does not have authorisation and CSRF when updating its settings, which could allow unauthenticated attackers to update them and change the OAuth endpoints to...Show more The OAuth client Single Sign On WordPress plugin before 3.0.4 does not have authorisation and CSRF when updating its settings, which could allow unauthenticated attackers to update them and change the OAuth endpoints to ones they controls, allowing them to then be authenticated as admin if they know the correct email addressShow less
CVE-2022-3098 1Gunkastudios 1Login Block Ips Jun 17, 2026 Sep 26, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Login Block IPs WordPress plugin through 1.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2022-3025 1Bitcoin/altcoin Faucet Project 1Bitcoin/altcoin Faucet Jun 17, 2026 Sep 26, 2022 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Bitcoin / Altcoin Faucet WordPress plugin through 1.6.0 does not have any CSRF check when saving its settings, allowing attacker to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack o...Show more The Bitcoin / Altcoin Faucet WordPress plugin through 1.6.0 does not have any CSRF check when saving its settings, allowing attacker to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issuesShow less

Previous 1...272273274...469 Next