CWE-352

9,359 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.


CVEs (9,359)

Each entry lists the affected vendor and product, the record's updated and published dates, and its CVSS scores (v4, v3, v2), followed by the CVE description.

Vendor: Stylemixthemes | Product: Ulisting | Updated: Jun 17, 2026 | Published: Sep 27, 2021 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.3 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions <= 2.0.5) makes it possible for attackers to modify user roles.

Vendor: Stylemixthemes | Product: Ulisting | Updated: Jun 17, 2026 | Published: Sep 27, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in WordPress uListing plugin (versions <= 2.0.5), as it lacks CSRF checks on plugin administration pages.

Vendor: Stylemixthemes | Product: Ulisting | Updated: Jun 17, 2026 | Published: Sep 27, 2021 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.3 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions <= 2.0.5) makes it possible for attackers to update settings.

Vendor: Concretecms | Product: Concrete Cms | Updated: Jun 17, 2026 | Published: Sep 27, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
An issue was discovered in Concrete CMS through 8.5.5. The Calendar is vulnerable to CSRF. ccm_token is not verified on the ccm/calendar/dialogs/event/add/save endpoint.

Vendor: Firefly Iii | Product: Firefly Iii | Updated: Jun 17, 2026 | Published: Sep 27, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF).

Vendor: Openvpn Monitor Project | Product: Openvpn Monitor | Updated: Jun 17, 2026 | Published: Sep 27, 2021 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.3 MEDIUM
furlongm openvpn-monitor through 1.1.3 allows CSRF to disconnect an arbitrary client.

Vendor: Maccms | Product: Maccms | Updated: Jun 17, 2026 | Published: Sep 24, 2021 | CVSS: v4 N/A, v3 8.1 HIGH, v2 4.9 MEDIUM
A Cross-Site Request Forgery (CSRF) in Maccms v10 via admin.php/admin/admin/del/ids/<id>.html allows authenticated attackers to delete all users.

Vendor: Yzmcms | Product: Yzmcms | Updated: Jun 17, 2026 | Published: Sep 23, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
A cross-site request forgery (CSRF) in /controller/pay.class.php of YzmCMS v5.5 allows attackers to access sensitive components of the application.

Vendor: Ibm | Product: Jazz For Service Management | Updated: Jun 17, 2026 | Published: Sep 23, 2021 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.3 MEDIUM
IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 204341.

Vendor: Concretecms | Product: Concrete Cms | Updated: Jun 17, 2026 | Published: Sep 23, 2021 | CVSS: v4 N/A, v3 5.4 MEDIUM, v2 5.8 MEDIUM
A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to clone topics, which can lead to UI inconvenience and exhaustion of disk space. Credit for discovery: "Solar Security Research Team"

Vendor: Concretecms | Product: Concrete Cms | Updated: Jun 17, 2026 | Published: Sep 23, 2021 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.3 MEDIUM
Concrete CMS prior to 8.5.6 had a CSRF vulnerability allowing attachments to comments in the conversation section to be deleted. Credit for discovery: "Solar Security Research Team"

Vendor: Concretecms | Product: Concrete Cms | Updated: Jun 17, 2026 | Published: Sep 23, 2021 | CVSS: v4 N/A, v3 5.4 MEDIUM, v2 5.8 MEDIUM
A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to duplicate files, which can lead to UI inconvenience and exhaustion of disk space. Credit for discovery: "Solar Security CMS Research Team"

Vendor: Dadamailproject | Product: Dada Mail | Updated: Jun 17, 2026 | Published: Sep 20, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Dada Mail is a web-based e-mail list management system. In affected versions a bad actor could give someone a carefully crafted web page via email, SMS, etc., that, when visited, allows them control of the list control panel as if the bad actor was logged in themselves. This includes changing any mailing list password, as well as the Dada Mail Root Password, which could effectively shut out actual list owners of the mailing list and allow the bad actor complete and unfettered control of your mailing list. This vulnerability also affects profile logins. For this vulnerability to work, the target of the bad actor would need to be logged into the list control panel themselves. This CSRF vulnerability in Dada Mail affects all versions of Dada Mail v11.15.1 and below. Although we know of no known CSRF exploits that have happened in the wild, this vulnerability has been confirmed by our testing, and by a third party. Users are advised to update to version 11.16.0.

Vendor: Ffw | Product: Omgf | Updated: Jun 17, 2026 | Published: Sep 20, 2021 | CVSS: v4 N/A, v3 8.1 HIGH, v2 5.5 MEDIUM
The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server.

Vendor: Print My Blog Project | Product: Print My Blog | Updated: Jun 17, 2026 | Published: Sep 20, 2021 | CVSS: v4 N/A, v3 8.1 HIGH, v2 5.8 MEDIUM
The Print My Blog WordPress Plugin before 3.4.2 does not enforce nonce (CSRF) checks, which allows attackers to make logged-in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them into opening a malicious link.

Vendor: Wbolt | Product: Donate With Qrcode | Updated: Jun 17, 2026 | Published: Sep 20, 2021 | CVSS: v4 N/A, v3 5.4 MEDIUM, v2 3.5 LOW
The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which results in a Stored Cross-Site Scripting (XSS). Furthermore, the plugin also does not have any CSRF and capability checks in place when saving such setting, allowing any authenticated user (as low as subscriber), or an unauthenticated user via a CSRF vector, to update it and perform such an attack.

Vendor: Motopress | Product: Timetable And Event Schedule | Updated: Jun 17, 2026 | Published: Sep 20, 2021 | CVSS: v4 N/A, v3 5.4 MEDIUM, v2 3.5 LOW
The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update arbitrary timeslots from any events. Furthermore, no CSRF check is in place either, allowing such an attack to be performed via CSRF against a logged-in user with such capability. In versions before 2.3.19, the lack of sanitisation and escaping in some of the fields, like the description, could also lead to Stored XSS issues.

Vendor: Motopress | Product: Timetable And Event Schedule | Updated: Jun 17, 2026 | Published: Sep 20, 2021 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.3 MEDIUM
The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when deleting a timeslot, allowing any user with the edit_posts capability (contributor+) to delete arbitrary timeslots from any events. Furthermore, no CSRF check is in place either, allowing such an attack to be performed via CSRF against a logged-in user with such capability.

Vendor: Emlog | Product: Emlog | Updated: Jun 17, 2026 | Published: Sep 15, 2021 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.3 MEDIUM
emlog v6.0 contains a Cross-Site Request Forgery (CSRF) via /admin/link.php?action=addlink, which allows attackers to arbitrarily add articles.

Vendor: Prasathmani | Product: Tiny File Manager | Updated: Jun 17, 2026 | Published: Sep 15, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 9.3 HIGH
A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager in all versions up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker.