Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,360)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-0088 1Yourls 1Yourls Jun 17, 2026 Apr 3, 2022 N/A· v4 7.4 HIGH· v3 4.3 MEDIUM· v2 Cross-Site Request Forgery (CSRF) in GitHub repository yourls/yourls prior to 1.8.3.
CVE-2021-44312 1Firmware Analysis And Comparison Tool Project 1Firmware Analysis And Comparison Tool Jun 17, 2026 Mar 30, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in Firmware Analysis and Comparison Tool v3.2. Logged in administrators could be targeted by a CSRF attack through visiting a crafted web page.
CVE-2022-27432 1Pluck Cms 1Pluck Jun 17, 2026 Mar 30, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to change the password of any given user by exploiting this feature leading to account takeover.
CVE-2022-28152 1Jenkins 1Job And Node Ownership Jun 17, 2026 Mar 29, 2022 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to restore the default ownership of a job.
CVE-2022-28150 1Jenkins 1Job And Node Ownership Jun 17, 2026 Mar 29, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to change the owners and item-specific permissions of a job.
CVE-2022-28143 1Jenkins 1Proxmox Jun 17, 2026 Mar 29, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 A cross-site request forgery (CSRF) vulnerability in Jenkins Proxmox Plugin 0.7.0 and earlier allows attackers to connect to an attacker-specified host using attacker-specified username and password (perform a connection...Show more A cross-site request forgery (CSRF) vulnerability in Jenkins Proxmox Plugin 0.7.0 and earlier allows attackers to connect to an attacker-specified host using attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters.Show less
CVE-2022-28138 1Jenkins 1Rocketchat Notifier Jun 17, 2026 Mar 29, 2022 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site request forgery (CSRF) vulnerability in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credential.
CVE-2022-28136 1Jenkins 1Jiratestresultreporter Jun 17, 2026 Mar 29, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A cross-site request forgery (CSRF) vulnerability in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
CVE-2022-0427 1Gitlab 1Gitlab Jun 17, 2026 Mar 28, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Missing sanitization of HTML attributes in Jupyter notebooks in all versions of GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP POST requests on a user's behalf leading to potential account t...Show more Missing sanitization of HTML attributes in Jupyter notebooks in all versions of GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP POST requests on a user's behalf leading to potential account takeoverShow less
CVE-2022-0833 1Church Admin Project 1Church Admin Jun 17, 2026 Mar 28, 2022 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action...Show more The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action, and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to disclose the final backup filename, which can then be fetched by the attacker to download the backup of the plugin's DB dataShow less
CVE-2022-0770 1Gtranslate 1Translate Wordpress With Gtranslate Jun 17, 2026 Mar 28, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The Translate WordPress with GTranslate WordPress plugin before 2.9.9 does not have CSRF check in some files, and write debug data such as user's cookies in a publicly accessible file if a specific parameter is used when...Show more The Translate WordPress with GTranslate WordPress plugin before 2.9.9 does not have CSRF check in some files, and write debug data such as user's cookies in a publicly accessible file if a specific parameter is used when requesting them. Combining those two issues, an attacker could gain access to a logged in admin cookies by making them open a malicious link or pageShow less
CVE-2022-0499 1Sermon Browser Project 1Sermon Browser Jun 17, 2026 Mar 28, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The Sermon Browser WordPress plugin through 0.45.22 does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin upload arbitrary fil...Show more The Sermon Browser WordPress plugin through 0.45.22 does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin upload arbitrary files such as PHP ones.Show less
CVE-2021-24978 1B4after 1Osmapper Jun 17, 2026 Mar 28, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 The OSMapper WordPress plugin through 2.1.5 contains an AJAX action to delete a plugin related post type named 'map' and is registered with the wp_ajax_nopriv prefix, making it available to unauthenticated users. There i...Show more The OSMapper WordPress plugin through 2.1.5 contains an AJAX action to delete a plugin related post type named 'map' and is registered with the wp_ajax_nopriv prefix, making it available to unauthenticated users. There is no authorisation, CSRF and checks in place to ensure that the post to delete is a map one. As a result, unauthenticated user can delete arbitrary posts from the blogShow less
CVE-2022-25523 1Typesettercms 1Typesetter Jun 17, 2026 Mar 25, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 TypesetterCMS v5.1 was discovered to contain a Cross-Site Request Forgery (CSRF) which is exploited via a crafted POST request.
CVE-2021-46426 1Phpipam 1Phpipam Jun 17, 2026 Mar 25, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 phpIPAM 1.4.4 allows Reflected XSS and CSRF via app/admin/subnets/find_free_section_subnets.php of the subnets functionality.
CVE-2022-25576 1Anchorcms 1Anchor Cms Jun 17, 2026 Mar 24, 2022 N/A· v4 4.5 MEDIUM· v3 3.5 LOW· v2 Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component anchor/routes/posts.php. This vulnerability allows attackers to arbitrarily delete posts.
CVE-2022-25268 1Passwork 1Passwork Jun 17, 2026 Mar 23, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Passwork On-Premise Edition before 4.6.13 allows CSRF via the groups, password, and history subsystems.
CVE-2022-25608 1Yooslider 1Yoo Slider Jun 17, 2026 Mar 23, 2022 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross-Site Request Forgery (CSRF) in Yoo Slider – Image Slider & Video Slider (WordPress plugin) allows attackers to trick authenticated users into unwanted slider duplicate or delete action.
CVE-2021-43737 1Xiaohuanxiong Project 1Xiaohuanxiong Cms Jun 17, 2026 Mar 23, 2022 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 An issus was discovered in xiaohuanxiong CMS 5.0.17. There is a CSRF vulnerability that can modify administrator account's password.
CVE-2021-43738 1Xiaohuanxiong Cms Project 1Xiaohuanxiong Cms Jun 17, 2026 Mar 23, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in xiaohuanxiong CMS 5.0.17. There is a CSRF vulnerability that can that can add the administrator account.

Previous 1...291292293...468 Next