Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,359)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-20612 2Jenkins Oracle 2Communications Cloud Native Core Automated Test Suite Jenkins Jun 17, 2026 Jan 12, 2022 N/A· v4 4.3 MEDIUM· v3 2.6 LOW· v2 A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set.
CVE-2021-41597 1Salesagility 1Suitecrm Jun 17, 2026 Jan 12, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive.
CVE-2021-37198 1Siemens 1Comos Jun 17, 2026 Jan 11, 2022 N/A· v4 8.8 HIGH· v3 5.1 MEDIUM· v2 A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web c...Show more A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web components are used). The COMOS Web component of COMOS uses a flawed implementation of CSRF prevention. An attacker could exploit this vulnerability to perform cross-site request forgery attacks.Show less
CVE-2021-25053 1Wow Company 1Wp Coder Jun 17, 2026 Jan 10, 2022 N/A· v4 8.8 HIGH· v3 5.1 MEDIUM· v2 The WP Coder WordPress plugin before 2.5.2 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.
CVE-2021-25052 1Wow Company 1Button Generator Jun 17, 2026 Jan 10, 2022 N/A· v4 8.8 HIGH· v3 5.1 MEDIUM· v2 The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.
CVE-2021-25051 1Wow Company 1Modal Window Jun 17, 2026 Jan 10, 2022 N/A· v4 8.8 HIGH· v3 5.1 MEDIUM· v2 The Modal Window WordPress plugin before 5.2.2 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.
CVE-2021-25032 1Publishpress 1Capabilities Jun 17, 2026 Jan 10, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook,...Show more The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role and make any new registered user with an administrator role.Show less
CVE-2021-46147 1Mediawiki 1Mediawiki Jun 17, 2026 Jan 10, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. MassEditRegex allows CSRF.
CVE-2021-34086 1Ultimaker 3Ultimaker 3 Firmware Ultimaker S3 FirmwareUltimaker S5 Firmware Jun 17, 2026 Jan 10, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D printer S-line through 6.3 and Ultimaker 3 through 5.2.16, the local webserver hosts APIs vulnerable to CSRF. They do not verify incoming requests.
CVE-2021-46080 1Vehicle Service Management System Project 1Vehicle Service Management System Jun 17, 2026 Jan 6, 2022 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 A Cross Site Request Forgery (CSRF) vulnerability exists in Vehicle Service Management System 1.0. An successful CSRF attacks leads to Stored Cross Site Scripting Vulnerability.
CVE-2021-20165 1Trendnet 1Tew 827dru Firmware Jun 17, 2026 Dec 30, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Trendnet AC2600 TEW-827DRU version 2.08B01 does not properly implement csrf protections. Most pages lack proper usage of CSRF protections or mitigations. Additionally, pages that do make use of CSRF tokens are trivially...Show more Trendnet AC2600 TEW-827DRU version 2.08B01 does not properly implement csrf protections. Most pages lack proper usage of CSRF protections or mitigations. Additionally, pages that do make use of CSRF tokens are trivially bypassable as the server does not appear to validate them properly (i.e. re-using an old token or finding the token thru some other method is possible).Show less
CVE-2020-29292 1Iball 1Wrd12en Firmware Jun 17, 2026 Dec 30, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 iBall WRD12EN 1.0.0 devices allow cross-site request forgery (CSRF) attacks as demonstrated by enabling DNS settings or modifying the range for IP addresses.
CVE-2020-21236 1Damicms 1Damicms Jun 17, 2026 Dec 27, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A vulnerability in /damicms-master/admin.php?s=/Article/doedit of DamiCMS v6.0 allows attackers to compromise and impersonate user accounts via obtaining a user's session cookie.
CVE-2020-20945 1Qibosoft 1Qibosoft Jun 17, 2026 Dec 27, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A Cross-Site Request Forgery (CSRF) in /admin/index.php?lfj=member&action=editmember of Qibosoft v7 allows attackers to arbitrarily add administrator accounts.
CVE-2020-20943 1Qibosoft 1Qibosoft Jun 17, 2026 Dec 27, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 A Cross-Site Request Forgery (CSRF) in /member/post.php?job=postnew&step=post of Qibosoft v7 allows attackers to force victim users into arbitrarily publishing new articles via a crafted URL.
CVE-2021-24988 1Wprssaggregator 1Wp Rss Aggregator Jun 17, 2026 Dec 27, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue due to the wprss_dismiss_addon_notice...Show more The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue due to the wprss_dismiss_addon_notice AJAX action missing authorisation and CSRF checks, allowing any authenticated users, such as subscriber to call it and set a malicious payload in the addon parameter.Show less
CVE-2021-4168 1Showdoc 1Showdoc Jun 17, 2026 Dec 26, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
CVE-2021-4162 1Archivy Project 1Archivy Jun 17, 2026 Dec 25, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 archivy is vulnerable to Cross-Site Request Forgery (CSRF)
CVE-2020-20595 1Opms Project 1Opms Jun 17, 2026 Dec 22, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site request forgery (CSRF) in OPMS v1.3 and below allows attackers to arbitrarily add a user account via /user/add.
CVE-2020-20593 1Rockoa 1Rockoa Jun 17, 2026 Dec 22, 2021 N/A· v4 8.0 HIGH· v3 6.0 MEDIUM· v2 A cross-site request forgery (CSRF) in Rockoa v1.9.8 allows an authenticated attacker to arbitrarily add an administrator account.

Previous 1...298299300...468 Next