CWE-352

9,359 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
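The definition above, and the session-bound token mechanism that the Symfony entry further down the list describes, as an added example that is not part of this CWE page and not any framework's real code: a state-changing handler written twice, once relying on the session cookie alone (the CSRF-vulnerable form) and once requiring a per-session random token echoed back in the request body, with the authorisation check kept as a separate layer, since several of the WordPress entries below lack both. `Session`, `Request`, `render_form` and the handler names are illustrative assumptions.

```python
"""Added example, not from the CWE page: a minimal CSRF-protected handler.

Illustrates the pattern the Symfony entry describes (random token injected
into the form, stored and checked against the session) and why an
authorisation check is a separate layer from the CSRF check.  Session,
Request and the handler names are assumptions, not any framework's API.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    roles: frozenset
    # One random token per session; the attacker's origin cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    session: Session   # resolved from the cookie the browser attaches automatically
    form: dict         # body parameters; in a CSRF attack the attacker chooses these


def render_form(session: Session, item_id: int) -> str:
    """Server embeds the hidden token in the form it serves to this user."""
    return (f'<form method="POST" action="/items/{item_id}/delete">'
            f'<input type="hidden" name="_csrf" value="{session.csrf_token}">'
            f'<button>Delete</button></form>')


def delete_item_vulnerable(req: Request, items: dict) -> str:
    """'Before' handler: trusts the cookie alone.  A cross-origin form POST
    carries the victim's cookie, so a forged request succeeds."""
    if req.method != "POST":
        return "405"
    items.pop(int(req.form["id"]), None)
    return "200"


def delete_item_protected(req: Request, items: dict) -> str:
    if req.method != "POST":
        return "405"
    # 1. CSRF check: submitted token must match the session-bound token.
    #    compare_digest keeps the comparison constant-time.
    submitted = req.form.get("_csrf", "")
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return "403 csrf"
    # 2. Authorisation check, independent of CSRF: a subscriber who holds a
    #    valid token for their own session still must not delete items.
    if "admin" not in req.session.roles:
        return "403 forbidden"
    item_id = int(req.form["id"])
    if item_id not in items:
        return "404"
    del items[item_id]
    return "200"


def demo() -> dict:
    """Constructed scenario: one admin session, one subscriber session."""
    admin = Session(user="admin", roles=frozenset({"admin"}))
    subscriber = Session(user="sub", roles=frozenset({"subscriber"}))
    # Forged request: an attacker page auto-submits a form to the victim's
    # site; the browser attaches the admin cookie, but no token is known.
    forged = Request("POST", admin, {"id": "7"})
    legit = Request("POST", admin, {"id": "7", "_csrf": admin.csrf_token})
    low_priv = Request("POST", subscriber,
                       {"id": "7", "_csrf": subscriber.csrf_token})
    items = {7: "post"}
    return {
        "vulnerable_forged": delete_item_vulnerable(forged, dict(items)),
        "protected_forged": delete_item_protected(forged, dict(items)),
        "protected_legit": delete_item_protected(legit, dict(items)),
        "protected_subscriber": delete_item_protected(low_priv, dict(items)),
        "form_carries_token": admin.csrf_token in render_form(admin, 7),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The forged request fails the token check before the handler looks at roles; the subscriber's request passes the token check (it is a genuine request from their own session) and is then rejected by the capability check, which is exactly the second, separate failure the "no authorisation and no CSRF check" entries describe.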


CVEs (9,359)

Each entry below gives the vendor and product, the updated and published dates, the CVSS scores (v4 · v3 · v2) and the CVE description.

Vendor: Ibm · Product: Financial Transaction Manager
Updated: Jun 17, 2026 · Published: Feb 2, 2022
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.8 MEDIUM
IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 214210.

Vendor: Sensiolabs · Product: Symfony
Updated: Jun 17, 2026 · Published: Feb 1, 2022
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.8 MEDIUM
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior was dropped and, as a result, the CSRF protection is not enabled in forms unless explicitly enabled, which makes the application susceptible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue.

Vendor: Creativityjuice · Product: Labtools
Updated: Jun 17, 2026 · Published: Feb 1, 2022
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 4.0 MEDIUM
The LabTools WordPress plugin through 1.0 does not have proper authorisation and CSRF checks in place when deleting publications, allowing any authenticated user, such as a subscriber, to delete arbitrary publications.

Vendor: Ylefebvre · Product: Link Library
Updated: Jun 17, 2026 · Published: Feb 1, 2022
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 4.3 MEDIUM
The Link Library WordPress plugin before 7.2.8 does not have a CSRF check when resetting library settings, allowing attackers to make a logged-in admin reset arbitrary settings via a CSRF attack.

Vendor: Nextscripts · Product: Social Networks Auto Poster
Updated: Jun 17, 2026 · Published: Feb 1, 2022
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 4.3 MEDIUM
The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.25 does not have a CSRF check in place when deleting items, allowing attackers to make a logged-in admin delete arbitrary posts via a CSRF attack.

Vendor: Getperfectsurvey · Product: Perfect Survey
Updated: Jun 17, 2026 · Published: Feb 1, 2022
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.8 MEDIUM
The Perfect Survey WordPress plugin before 1.5.2 does not have proper authorisation nor CSRF checks in the save_global_setting AJAX action, allowing unauthenticated users to edit surveys and modify settings. Given the lack of sanitisation and escaping in the settings, this could also lead to a Stored Cross-Site Scripting issue, which would be executed in the context of a user viewing any survey.

Vendor: Bestwebsoft · Product: Error Log Viewer
Updated: Jun 17, 2026 · Published: Feb 1, 2022
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 4.3 MEDIUM
The Error Log Viewer WordPress plugin before 1.1.2 does not perform a nonce check when deleting a log file and does not have path traversal prevention, which could allow attackers to make a logged-in admin delete arbitrary text files on the web server.

Vendor: Yzmcms · Product: Yzmcms
Updated: Jun 17, 2026 · Published: Jan 28, 2022
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.8 MEDIUM
YzmCMS v6.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /yzmcms/comment/index/init.html.

Vendor: Yzmcms · Product: Yzmcms
Updated: Jun 17, 2026 · Published: Jan 28, 2022
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 4.3 MEDIUM
YzmCMS v6.3 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily delete user accounts via /admin/admin_manage/delete.

Vendor: Schneider Electric · Products (6): Evb1a Firmware, Evc1s22p4 Firmware, Evc1s7p4 Firmware, +3 more
Updated: Jun 17, 2026 · Published: Jan 28, 2022
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.8 MEDIUM
A CWE-352 Cross-Site Request Forgery (CSRF) vulnerability exists that could allow an attacker to impersonate the user or carry out actions on their behalf when crafted malicious parameters are submitted in POST requests sent to the charging station web server. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2).

Vendor: Schneider Electric · Products (6): Evb1a Firmware, Evc1s22p4 Firmware, Evc1s7p4 Firmware, +3 more
Updated: Jun 17, 2026 · Published: Jan 28, 2022
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.8 MEDIUM
A CWE-352 Cross-Site Request Forgery (CSRF) vulnerability exists that could allow an attacker to impersonate the user or carry out actions on their behalf when crafted malicious parameters are submitted in POST requests sent to the charging station web server. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2).

Vendor: Spip · Product: Spip
Updated: Jun 17, 2026 · Published: Jan 26, 2022
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.8 MEDIUM
SPIP 4.0.0 is affected by a Cross-Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php, ecrire/public/balises.php and ecrire/balise/formulaire_.php. To exploit the vulnerability, a visitor must visit a malicious website which redirects to the SPIP website. It is also possible to combine XSS vulnerabilities in SPIP 4.0.0 to exploit it. The vulnerability allows an authenticated attacker to execute malicious code without the knowledge of the user on the website (CSRF).

Vendor: Moodle · Product: Moodle
Updated: Jun 17, 2026 · Published: Jan 25, 2022
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.8 MEDIUM
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.

Vendor: Yetiforce · Product: Yetiforce Customer Relationship Management
Updated: Jun 17, 2026 · Published: Jan 24, 2022
CVSS: v4 N/A · v3 8.0 HIGH · v2 6.0 MEDIUM
Cross-Site Request Forgery (CSRF) in Packagist yetiforce/yetiforce-crm prior to 6.3.0.

Vendor: Webmaster Source · Product: Wp125
Updated: Jun 17, 2026 · Published: Jan 24, 2022
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.8 MEDIUM
The WP125 WordPress plugin before 1.5.5 does not have CSRF checks in various actions, for example when deleting an ad, allowing attackers to make a logged-in admin delete them via a CSRF attack.

Vendor: Themeum · Product: Qubely
Updated: Jun 17, 2026 · Published: Jan 24, 2022
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 4.0 MEDIUM
The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF checks on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belongs to the plugin; as a result, any authenticated user, such as a subscriber, can delete arbitrary posts.

Vendor: Wpplugin · Product: Accept Donations With Paypal
Updated: Jun 17, 2026 · Published: Jan 24, 2022
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 4.3 MEDIUM
The Accept Donations with PayPal WordPress plugin before 1.3.4 does not have a CSRF check in place and does not ensure that the post to be deleted belongs to the plugin, allowing attackers to make a logged-in admin delete arbitrary posts from the blog.

Vendor: Etoilewebdesign · Product: Ultimate Faq
Updated: Jun 17, 2026 · Published: Jan 24, 2022
CVSS: v4 N/A · v3 5.7 MEDIUM · v2 3.5 LOW
The Ultimate FAQ WordPress plugin before 2.1.2 does not have capability and CSRF checks in the ewd_ufaq_welcome_add_faq and ewd_ufaq_welcome_add_faq_page AJAX actions, available to any authenticated user. As a result, any user with a role as low as Subscriber could create FAQs and FAQ questions.

Vendor: Wp Extra File Types Project · Product: Wp Extra File Types
Updated: Jun 17, 2026 · Published: Jan 24, 2022
CVSS: v4 N/A · v3 8.0 HIGH · v2 6.0 MEDIUM
The WP Extra File Types WordPress plugin before 0.5.1 does not have a CSRF check when saving its settings, nor does it sanitise and escape some of them, which could allow attackers to make a logged-in admin change them and perform Cross-Site Scripting attacks.

Vendor: Tipsandtricks Hq · Product: Simple Download Monitor
Updated: Jun 17, 2026 · Published: Jan 24, 2022
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.8 MEDIUM
The Simple Download Monitor WordPress plugin before 3.9.9 does not enforce nonce checks, which could allow attackers to perform CSRF attacks to 1) make admins export logs to exploit a separate log disclosure vulnerability (fixed in 3.9.6), 2) delete logs (fixed in 3.9.9), 3) remove the thumbnail image from downloads.