Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,359)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-3901 1Firefly Iii 1Firefly Iii Jun 17, 2026 Oct 27, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
CVE-2021-3900 1Firefly Iii 1Firefly Iii Jun 17, 2026 Oct 27, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
CVE-2021-41176 1Pterodactyl 1Panel Jun 17, 2026 Oct 25, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl a malicious user can trigger a user logout if a signed in user visits a malicious website th...Show more Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl a malicious user can trigger a user logout if a signed in user visits a malicious website that makes a request to the Panel's sign-out endpoint. This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. No user details are leaked, nor is any user data affected, this is simply an annoyance at worst. This is fixed in version 1.6.3.Show less
CVE-2021-24884 1Strategy11 1Formidable Form Builder Jun 17, 2026 Oct 25, 2021 N/A· v4 9.6 CRITICAL· v3 6.8 MEDIUM· v2 The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like <audio>,<video>,<img>,<a> and<button>.This could allow an unauthenticated, remote attacker to exploit a HTML-injection b...Show more The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like <audio>,<video>,<img>,<a> and<button>.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the "data-frmverify" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited.Show less
CVE-2021-24779 1Wp Debugging Project 1Wp Debugging Jun 17, 2026 Oct 25, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 The WP Debugging WordPress plugin before 2.11.0 has its update_settings() function hooked to admin_init and is missing any authorisation and CSRF checks, as a result, the settings can be updated by unauthenticated users.
CVE-2021-24543 1Jquery Reply To Comment Project 1Jquery Reply To Comment Jun 17, 2026 Oct 25, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The jQuery Reply to Comment WordPress plugin through 1.31 does not have any CSRF check when saving its settings, nor sanitise or escape its 'Quote String' and 'Reply String' settings before outputting them in Comments, l...Show more The jQuery Reply to Comment WordPress plugin through 1.31 does not have any CSRF check when saving its settings, nor sanitise or escape its 'Quote String' and 'Reply String' settings before outputting them in Comments, leading to a Stored Cross-Site Scripting issue.Show less
CVE-2021-24487 1Sanskruti 1St Daily Tip Jun 17, 2026 Oct 25, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The St-Daily-Tip WordPress plugin through 4.7 does not have any CSRF check in place when saving its 'Default Text to Display if no tips' setting, and was also lacking sanitisation as well as escaping before outputting it...Show more The St-Daily-Tip WordPress plugin through 4.7 does not have any CSRF check in place when saving its 'Default Text to Display if no tips' setting, and was also lacking sanitisation as well as escaping before outputting it the page. This could allow attacker to make logged in administrators set a malicious payload in it, leading to a Stored Cross-Site Scripting issueShow less
CVE-2021-20120 1Commscope 1Arris Surfboard Sb8200 Firmware Jun 17, 2026 Oct 21, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The administration web interface for the Arris Surfboard SB8200 lacks any protections against cross-site request forgery attacks. This means that an attacker could make configuration changes (such as changing the adminis...Show more The administration web interface for the Arris Surfboard SB8200 lacks any protections against cross-site request forgery attacks. This means that an attacker could make configuration changes (such as changing the administrative password) without the consent of the user.Show less
CVE-2021-39126 1Atlassian 2Jira Data Center Jira Server Jun 17, 2026 Oct 21, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify various resources via a Cross-Site Request Forgery (CSRF) vulnerability, following an Information Disclosure vulnerability in th...Show more Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify various resources via a Cross-Site Request Forgery (CSRF) vulnerability, following an Information Disclosure vulnerability in the referrer headers which discloses a user's CSRF token. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.Show less
CVE-2021-34743 1Cisco 1Webex Meetings Jun 17, 2026 Oct 21, 2021 N/A· v4 7.1 HIGH· v3 5.8 MEDIUM· v2 A vulnerability in the application integration feature of Cisco Webex Software could allow an unauthenticated, remote attacker to authorize an external application to integrate with and access a user's account without th...Show more A vulnerability in the application integration feature of Cisco Webex Software could allow an unauthenticated, remote attacker to authorize an external application to integrate with and access a user's account without that user's express consent. This vulnerability is due to improper validation of cross-site request forgery (CSRF) tokens. An attacker could exploit this vulnerability by convincing a targeted user who is currently authenticated to Cisco Webex Software to follow a link designed to pass malicious input to the Cisco Webex Software application authorization interface. A successful exploit could allow the attacker to cause Cisco Webex Software to authorize an application on the user's behalf without the express consent of the user, possibly allowing external applications to read data from that user's profile.Show less
CVE-2021-42097 2Debian Gnu 2Debian Linux Mailman Jun 17, 2026 Oct 21, 2021 N/A· v4 8.0 HIGH· v3 8.5 HIGH· v2 GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then us...Show more GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).Show less
CVE-2021-21745 1Zte 1Mf971r Firmware Jun 17, 2026 Oct 20, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use this vulnerability to perform illegal authorization operations by sending a request to the user to cli...Show more ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use this vulnerability to perform illegal authorization operations by sending a request to the user to click.Show less
CVE-2021-3858 1Snipeitapp 1Snipe It Jun 17, 2026 Oct 19, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)
CVE-2021-38480 1Inhandnetworks 1Ir615 Firmware Jun 17, 2026 Oct 19, 2021 N/A· v4 8.8 HIGH· v3 9.3 HIGH· v2 InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to cross-site request forgery when unauthorized commands are submitted from a user the web application trusts. This may allow an attacker...Show more InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to cross-site request forgery when unauthorized commands are submitted from a user the web application trusts. This may allow an attacker to remotely perform actions on the router’s management portal, such as making configuration changes, changing administrator credentials, and running system commands on the router.Show less
CVE-2021-24752 1Catchplugins 10Catch Scroll Progress Bar Catch Sticky MenuCatch Themes Demo Import+7 more Jun 17, 2026 Oct 18, 2021 N/A· v4 5.7 MEDIUM· v3 3.5 LOW· v2 Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the Essential Widgets WordPres...Show more Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the Essential Widgets WordPress plugin before 1.9, To Top WordPress plugin before 2.3, Header Enhancement WordPress plugin before 1.5, Generate Child Theme WordPress plugin before 1.6, Essential Content Types WordPress plugin before 1.9, Catch Web Tools WordPress plugin before 2.7, Catch Under Construction WordPress plugin before 1.4, Catch Themes Demo Import WordPress plugin before 1.6, Catch Sticky Menu WordPress plugin before 1.7, Catch Scroll Progress Bar WordPress plugin before 1.6, Social Gallery and Widget WordPress plugin before 2.3, Catch Infinite Scroll WordPress plugin before 1.9, Catch Import Export WordPress plugin before 1.9, Catch Gallery WordPress plugin before 1.7, Catch Duplicate Switcher WordPress plugin before 1.6, Catch Breadcrumb WordPress plugin before 1.7, Catch IDs WordPress plugin before 2.4's configurations.Show less
CVE-2021-24735 1Tipsandtricks Hq 1Compact Wp Audio Player Jun 17, 2026 Oct 18, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 The Compact WP Audio Player WordPress plugin before 1.9.7 does not implement nonce checks, which could allow attackers to make a logged in admin change the "Disable Simultaneous Play" setting via a CSRF attack.
CVE-2021-24675 1Onedesigns 1One User Avatar Jun 17, 2026 Oct 18, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 The One User Avatar WordPress plugin before 2.3.7 does not check for CSRF when updating the Avatar in page where the [avatar_upload] shortcode is embed. As a result, attackers could make logged in user change their avata...Show more The One User Avatar WordPress plugin before 2.3.7 does not check for CSRF when updating the Avatar in page where the [avatar_upload] shortcode is embed. As a result, attackers could make logged in user change their avatar via a CSRF attackShow less
CVE-2021-24642 1Scroll Banner Project 1Scroll Banner Jun 17, 2026 Oct 18, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 The Scroll Baner WordPress plugin through 1.0 does not have CSRF check in place when saving its settings, nor perform any sanitisation, escaping or validation on them. This could allow attackers to make logged in admin c...Show more The Scroll Baner WordPress plugin through 1.0 does not have CSRF check in place when saving its settings, nor perform any sanitisation, escaping or validation on them. This could allow attackers to make logged in admin change them and could lead to RCE (via a file upload) as well as XSSShow less
CVE-2021-24615 1Wechat Reward Project 1Wechat Reward Jun 17, 2026 Oct 18, 2021 N/A· v4 5.4 MEDIUM· v3 4.3 MEDIUM· v2 The Wechat Reward WordPress plugin through 1.7 does not sanitise or escape its QR settings, nor has any CSRF check in place, allowing attackers to make a logged in admin change the settings and perform Cross-Site Scripti...Show more The Wechat Reward WordPress plugin through 1.7 does not sanitise or escape its QR settings, nor has any CSRF check in place, allowing attackers to make a logged in admin change the settings and perform Cross-Site Scripting attacks.Show less
CVE-2021-24595 1Wp Cookie Choice Project 1Wp Cookie Choice Jun 17, 2026 Oct 18, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 The Wp Cookie Choice WordPress plugin through 1.1.0 is lacking any CSRF check when saving its options, and do not escape them when outputting them in attributes. As a result, an attacker could make a logged in admin chan...Show more The Wp Cookie Choice WordPress plugin through 1.1.0 is lacking any CSRF check when saving its options, and do not escape them when outputting them in attributes. As a result, an attacker could make a logged in admin change them to arbitrary values including XSS payloads via a CSRF attack.Show less

Previous 1...304305306...468 Next