Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,359)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-21126 1Metinfo 1Metinfo Jun 17, 2026 Sep 15, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 MetInfo 7.0.0 contains a Cross-Site Request Forgery (CSRF) via admin/?n=admin&c=index&a=doSaveInfo.
CVE-2021-39209 1Glpi Project 1Glpi Jun 17, 2026 Sep 15, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, a user who is logged in to GLPI can bypass Cross-Site Request Forgery (CSRF) protection in many places. This could allow a malicious ac...Show more GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, a user who is logged in to GLPI can bypass Cross-Site Request Forgery (CSRF) protection in many places. This could allow a malicious actor to perform many actions on GLPI. This issue is fixed in version 9.5.6. There are no workarounds aside from upgrading.Show less
CVE-2020-19159 1Laiketui 1Laiketui Jun 17, 2026 Sep 15, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross Site Request Forgery (CSRF) in LaikeTui v3 allows remote attackers to execute arbitrary code via the component '/index.php?module=member&action=add'.
CVE-2021-23026 1F5 15Big Ip Access Policy Manager Big Ip Advanced Firewall ManagerBig Ip Advanced Web Application Firewall+12 more Jun 17, 2026 Sep 14, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x and all versions of BIG-IQ 8.x, 7.x, and 6.x are vulnerable to cross-site...Show more BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x and all versions of BIG-IQ 8.x, 7.x, and 6.x are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.Show less
CVE-2020-21081 1Maccms 1Maccms Jun 17, 2026 Sep 14, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site request forgery (CSRF) in Maccms 8.0 causes administrators to add and modify articles without their knowledge via clicking on a crafted URL.
CVE-2021-23050 1F5 3Big Ip Advanced Web Application Firewall Big Ip Application Security ManagerNginx App Protect Jun 17, 2026 Sep 14, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 On BIG-IP Advanced WAF and BIG-IP ASM version 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3 and NGINX App Protect on all versions before 3.5.0, when a cross-site request forgery (CSRF)-enabled policy is configured on a...Show more On BIG-IP Advanced WAF and BIG-IP ASM version 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3 and NGINX App Protect on all versions before 3.5.0, when a cross-site request forgery (CSRF)-enabled policy is configured on a virtual server, an undisclosed HTML response may cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.Show less
CVE-2021-37201 1Siemens 1Sinec Network Management System Jun 17, 2026 Sep 14, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP1). The web interface of affected devices is vulnerable to a Cross-Site Request Forgery (CSRF) attack. This could allow an attacker to manipulate th...Show more A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP1). The web interface of affected devices is vulnerable to a Cross-Site Request Forgery (CSRF) attack. This could allow an attacker to manipulate the SINEC NMS configuration by tricking an unsuspecting user with administrative privileges to click on a malicious link.Show less
CVE-2021-39124 1Atlassian 2Data Center Jira Jun 17, 2026 Sep 14, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF prote...Show more The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request.Show less
CVE-2020-20671 1Kitesky 1Kitecms Jun 17, 2026 Sep 13, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A cross-site request forgery (CSRF) in KiteCMS V1.1 allows attackers to arbitrarily add an administrator account.
CVE-2021-24725 1Quantumcloud 1Comment Link Remove And Other Comment Tools Jun 17, 2026 Sep 13, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 The Comment Link Remove and Other Comment Tools WordPress plugin before 2.1.6 does not have CSRF check in its 'Delete comments easily', which could allow attackers to make logged in admin delete arbitrary comments
CVE-2021-24620 1Simple E Commerce Shopping Cart Project 1Simple E Commerce Shopping Cart Jun 17, 2026 Sep 13, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The WordPress Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin through 2.2.5 does not check for the uploaded Downloadable Digital product file, allowing any file, such as PHP to be uploaded by a...Show more The WordPress Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin through 2.2.5 does not check for the uploaded Downloadable Digital product file, allowing any file, such as PHP to be uploaded by an administrator. Furthermore, as there is no CSRF in place, attackers could also make a logged admin upload a malicious PHP file, which would lead to RCEShow less
CVE-2021-24586 1Evona 1Per Page Add To Head Jun 17, 2026 Sep 13, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 The Per page add to head WordPress plugin before 1.4.4 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HT...Show more The Per page add to head WordPress plugin before 1.4.4 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the setting (feature mentioned by the plugin), this could lead to Stored XSS issue which will be triggered either in the backend, frontend or both depending on the payload used.Show less
CVE-2021-24491 1Fileviewer Project 1Fileviewer Jun 17, 2026 Sep 13, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The Fileviewer WordPress plugin through 2.2 does not have CSRF checks in place when performing actions such as upload and delete files. As a result, attackers could make a logged in administrator delete and upload arbitr...Show more The Fileviewer WordPress plugin through 2.2 does not have CSRF checks in place when performing actions such as upload and delete files. As a result, attackers could make a logged in administrator delete and upload arbitrary files via a CSRF attackShow less
CVE-2021-24490 1Email Artillery Project 1Email Artillery Jun 17, 2026 Sep 13, 2021 N/A· v4 6.8 MEDIUM· v3 6.0 MEDIUM· v2 The Email Artillery (MASS EMAIL) WordPress plugin through 4.1 does not properly check the uploaded files from the Import Emails feature, allowing arbitrary files to be uploaded. Furthermore, the plugin is also lacking an...Show more The Email Artillery (MASS EMAIL) WordPress plugin through 4.1 does not properly check the uploaded files from the Import Emails feature, allowing arbitrary files to be uploaded. Furthermore, the plugin is also lacking any CSRF check, allowing such issue to be exploited via a CSRF attack as well. However, due to the presence of a .htaccess, denying access to everything in the folder the file is uploaded to, the malicious uploaded file will only be accessible on Web Servers such as Nginx/IISShow less
CVE-2021-24431 1Language Bar Flags Project 1Language Bar Flags Jun 17, 2026 Sep 13, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 The Language Bar Flags WordPress plugin through 1.0.8 does not have any CSRF in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend. This could allow attackers...Show more The Language Bar Flags WordPress plugin through 1.0.8 does not have any CSRF in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend. This could allow attackers to make a logged in admin change the settings, and set Cross-Site Scripting payload in them, which will be executed in the frontend for all usersShow less
CVE-2020-19280 1Jeesns 1Jeesns Jun 17, 2026 Sep 9, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Jeesns 1.4.2 contains a cross-site request forgery (CSRF) which allows attackers to escalate privileges and perform sensitive program operations.
CVE-2020-19268 1Dswjcms Project 1Dswjcms Jun 17, 2026 Sep 9, 2021 N/A· v4 5.7 MEDIUM· v3 3.5 LOW· v2 A cross-site request forgery (CSRF) in index.php/Dswjcms/User/tfAdd of Dswjcms 1.6.4 allows authenticated attackers to arbitrarily add administrator users.
CVE-2020-19264 1Mipcms 1Mipcms Jun 17, 2026 Sep 9, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site request forgery (CSRF) in MipCMS v5.0.1 allows attackers to arbitrarily add users via index.php?s=/user/ApiAdminUser/itemAdd.
CVE-2020-19263 1Mipcms 1Mipcms Jun 17, 2026 Sep 9, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A cross-site request forgery (CSRF) in MipCMS v5.0.1 allows attackers to arbitrarily escalate user privileges to administrator via index.php?s=/user/ApiAdminUser/itemEdit.
CVE-2021-38721 1Thedaylightstudio 1Fuel Cms Jun 17, 2026 Sep 9, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 FUEL CMS 1.5.0 login.php contains a cross-site request forgery (CSRF) vulnerability

Previous 1...307308309...468 Next