CWE-352: Cross-Site Request Forgery (CSRF)

9,359 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.


CVEs (9,359)

Each entry lists vendor(s) / product(s), published and updated dates, CVSS (v4 · v3 · v2) and the description.

Sqlite Web Project / Sqlite Web
Published: Sep 8, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 8.8 HIGH · v2: 6.8 MEDIUM
This affects all versions of package sqlite-web. The SQL dashboard area allows sensitive actions to be performed without validating that the request originated from the application. This could enable an attacker to trick a user into performing these actions unknowingly through a Cross Site Request Forgery (CSRF) attack.
Cliniccases / Cliniccases
Published: Sep 7, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 8.8 HIGH · v2: 6.8 MEDIUM
ClinicCases 7.3.3 is affected by Cross-Site Request Forgery (CSRF). A successful attack would consist of an authenticated user following a malicious link, resulting in arbitrary actions being carried out with the privilege level of the targeted user. This can be exploited to create a secondary administrator account for the attacker.
Better Errors Project / Better Errors
Published: Sep 7, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 8.8 HIGH · v2: 6.8 MEDIUM
better_errors is an open source replacement for the standard Rails error page with more information-rich error pages. It is also usable outside of Rails in any Rack app as Rack middleware. better_errors prior to 2.8.0 did not implement CSRF protection for its internal requests. It also did not enforce the correct "Content-Type" header for these requests, which allowed a cross-origin "simple request" to be made without CORS protection. These together left an application with better_errors enabled open to cross-origin attacks. As a developer tool, better_errors documentation strongly recommends addition only to the `development` bundle group, so this vulnerability should only affect development environments. Please ensure that your project limits better_errors to the `development` group (or the non-Rails equivalent). Starting with release 2.8.x, CSRF protection is enforced. It is recommended that you upgrade to the latest release, or minimally to "~> 2.8.3". There are no known workarounds to mitigate the risk of using older releases of better_errors.
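The better_errors entry above names the two checks its fix added, a CSRF token and an enforced Content-Type, and the CWE definition at the top of the page states the underlying requirement: the server must verify that a state-changing request was intentionally made by the user. Form-encoded, multipart and text/plain bodies are "simple requests" that a browser sends cross-origin with the victim's cookies and no CORS preflight, so accepting them for state changes is what makes a forged request reach the handler. The following is an added example, not code from better_errors or from any project listed on this page, written in plain Ruby in Rack middleware shape (no Rack gem required) to show how those two checks plus an Origin check fit together and which forged request each one stops; the class name CsrfGuard, the X-CSRF-Token header, the rack.session key and the sample requests are assumptions made for illustration.

```ruby
require 'securerandom'

# Added example, not better_errors' own code: a Rack-shaped CSRF guard for
# JSON endpoints. Class name, header name and session key are assumptions.
class CsrfGuard
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze
  # Body types a browser sends cross-origin with NO CORS preflight ("simple
  # requests"): a <form> on evil.example can post them with the victim's
  # cookies attached, so they must never be accepted for state changes.
  SIMPLE_CONTENT_TYPES = %w[application/x-www-form-urlencoded
                            multipart/form-data text/plain].freeze
  TOKEN_HEADER = 'HTTP_X_CSRF_TOKEN'.freeze # Rack's key for "X-CSRF-Token"

  def initialize(app, allowed_origin:)
    @app = app
    @allowed_origin = allowed_origin
  end

  # Rack entry point: 403 with the reason when any check fails.
  def call(env)
    reason = reject_reason(env)
    return [403, { 'content-type' => 'text/plain' }, ["forbidden: #{reason}"]] if reason
    @app.call(env)
  end

  # nil when the request may proceed, otherwise a short reason string.
  def reject_reason(env)
    return nil if SAFE_METHODS.include?(env['REQUEST_METHOD'])

    # 1. Origin: browsers attach it to cross-site POSTs and page script cannot
    #    forge it. A missing Origin (non-browser client) still needs the token.
    origin = env['HTTP_ORIGIN']
    return 'origin mismatch' if origin && origin != @allowed_origin

    # 2. Content-Type: only application/json is accepted. A form post or a
    #    text/plain fetch() is refused outright, and a cross-origin JSON
    #    request is preflighted, so without CORS headers it never arrives.
    ctype = env['CONTENT_TYPE'].to_s.split(';').first.to_s.strip.downcase
    return 'simple-request content type' if SIMPLE_CONTENT_TYPES.include?(ctype)
    return 'unexpected content type' unless ctype == 'application/json'

    # 3. Synchronizer token: per-session secret echoed in a custom header,
    #    which a cross-site page can neither read nor set.
    expected = env.dig('rack.session', 'csrf_token')
    supplied = env[TOKEN_HEADER]
    return 'missing token' if expected.nil? || supplied.nil?
    return 'bad token' unless CsrfGuard.secure_equal?(expected, supplied)

    nil
  end

  # Constant-time comparison; token length is fixed, so it is not a secret.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Issued once per session; store it server side and expose it to
  # same-origin page script (e.g. in a <meta> tag) for the header.
  def self.issue_token
    SecureRandom.hex(32)
  end
end

# Constructed sample requests (not captured traffic), one per check.
def csrf_guard_demo
  token = CsrfGuard.issue_token
  guard = CsrfGuard.new(->(_env) { [200, {}, ['ok']] },
                        allowed_origin: 'https://app.example')
  base = { 'REQUEST_METHOD' => 'POST', 'rack.session' => { 'csrf_token' => token } }
  json_same_origin = base.merge('HTTP_ORIGIN' => 'https://app.example',
                                'CONTENT_TYPE' => 'application/json')
  legitimate = json_same_origin.merge('HTTP_X_CSRF_TOKEN' => token)
  flipped = token[0..-2] + (token[-1] == 'a' ? 'b' : 'a') # same length, differs

  {
    forged_form: guard.reject_reason(base.merge('HTTP_ORIGIN' => 'https://evil.example',
                                                'CONTENT_TYPE' => 'application/x-www-form-urlencoded')),
    no_origin_form: guard.reject_reason(base.merge('CONTENT_TYPE' => 'multipart/form-data; boundary=x')),
    wrong_type: guard.reject_reason(base.merge('CONTENT_TYPE' => 'application/xml')),
    no_token: guard.reject_reason(json_same_origin),
    bad_token: guard.reject_reason(legitimate.merge('HTTP_X_CSRF_TOKEN' => flipped)),
    legitimate: guard.reject_reason(legitimate),
    safe_get: guard.reject_reason({ 'REQUEST_METHOD' => 'GET' }),
    legitimate_status: guard.call(legitimate)[0],
    forged_status: guard.call(base.merge('CONTENT_TYPE' => 'text/plain'))[0]
  }
end

puts csrf_guard_demo.inspect if $PROGRAM_NAME == __FILE__
```

The three checks are deliberately independent: the Origin check alone is defeated when the header is absent, the Content-Type check alone only moves the attack to a preflighted request that a permissive CORS policy might allow, and the token check alone can be undermined by a token leak; together they fail closed. The same guard also covers the CWE definition's requirement for the other entries on this page, since none of them needs anything beyond "was this state change intentionally requested by this user".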
Arubanetworks, Siemens / Arubaos, Scalance W1750d Firmware, Sd Wan
Published: Sep 7, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 8.1 HIGH · v2: 8.8 HIGH
A remote cross-site request forgery (CSRF) vulnerability was discovered in Aruba SD-WAN Software and Gateways; Aruba Operating System Software version(s): Prior to 8.6.0.4-2.2.0.4; Prior to 8.8.0.1, 8.7.1.2, 8.6.0.8, 8.5.0.12, 8.3.0.15. Aruba has released patches for Aruba SD-WAN Software and Gateways and ArubaOS that address this security vulnerability.

Arubanetworks, Siemens / Arubaos, Scalance W1750d Firmware
Published: Sep 7, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 6.5 MEDIUM · v2: 7.1 HIGH
A remote cross-site request forgery (CSRF) vulnerability was discovered in Aruba Operating System Software version(s): 6.x.x.x: all versions, 8.x.x.x: all versions prior to 8.8.0.0. Aruba has released patches for ArubaOS that address this security vulnerability.
Keyword Meta Project / Keyword Meta
Published: Sep 6, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 5.4 MEDIUM · v2: 3.5 LOW
The Keyword Meta WordPress plugin through 3.0 does not sanitise or escape its settings before outputting them back in the page after they are saved, allowing for Cross-Site Scripting issues. Furthermore, it also lacks any CSRF check, allowing an attacker to make a logged-in high-privilege user save arbitrary settings via a CSRF attack.
Wtcms Project / Wtcms
Published: Sep 1, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 6.5 MEDIUM · v2: 4.3 MEDIUM
WTCMS 1.0 contains a cross-site request forgery (CSRF) vulnerability in the index.php?g=admin&m=nav&a=add_post component that allows attackers to arbitrarily add articles in the administrator back end.

Jenkins / Azure Ad
Published: Aug 31, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 8.8 HIGH · v2: 6.8 MEDIUM
Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

Jenkins / Saml
Published: Aug 31, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 8.8 HIGH · v2: 6.8 MEDIUM
Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
Iwebshop / Iwebshop
Published: Aug 31, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 8.8 HIGH · v2: 6.8 MEDIUM
Cross-Site Request Forgery (CSRF) in iWebShop v5.3 allows remote attackers to execute arbitrary code via a malicious POST request to the component '/index.php?controller=system&action=admin_edit_act'.
Easycorp / Zentao
Published: Aug 31, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 4.3 MEDIUM · v2: 4.3 MEDIUM
A cross-site request forgery (CSRF) vulnerability in the Cron job tab in EasyCorp ZenTao 12.5.3 allows attackers to update the fields of a Cron job.

Pagerduty / Rundeck
Published: Aug 30, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 6.8 MEDIUM · v2: 6.0 MEDIUM
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, a user with `admin` access to the `system` resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code on all Rundeck editions. Patches are available in Rundeck versions 3.4.3 and 3.3.14.
Kylephillips / Nested Pages
Published: Aug 30, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 8.1 HIGH · v2: 4.3 MEDIUM
The Nested Pages WordPress plugin <= 3.1.15 was vulnerable to Cross-Site Request Forgery via the `npBulkActions` and `npBulkEdit` `admin_post` actions, which allowed attackers to trash or permanently purge arbitrary posts as well as changing their status, reassigning their ownership, and editing other metadata.
Deltaww / Diaenergie
Published: Aug 30, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 4.3 MEDIUM · v2: 4.3 MEDIUM
Delta Electronics DIAEnergie Version 1.7.5 and prior is vulnerable to cross-site request forgery, which may allow an attacker to cause a user to carry out an action unintentionally.

Indexhibit / Indexhibit
Published: Aug 30, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 5.7 MEDIUM · v2: 4.0 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Indexhibit 2.1.5 allows attackers to arbitrarily reset account passwords.

Indexhibit / Indexhibit
Published: Aug 30, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 6.5 MEDIUM · v2: 4.3 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Indexhibit 2.1.5 allows attackers to arbitrarily delete admin accounts.
Blue Admin Project / Blue Admin
Published: Aug 30, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 8.8 HIGH · v2: 6.8 MEDIUM
The Blue Admin WordPress plugin through 21.06.01 does not sanitise or escape its "Logo Title" setting before outputting it in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have a CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack.
Zohocorp / Manageengine Log360
Published: Aug 29, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 8.8 HIGH · v2: 6.8 MEDIUM
Zoho ManageEngine Log360 before Build 5224 allows a CSRF attack for disabling the logon security settings.

Zohocorp / Manageengine Cloud Security Plus
Published: Aug 29, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 8.8 HIGH · v2: 6.8 MEDIUM
Zoho ManageEngine Cloud Security Plus before Build 4117 allows a CSRF attack on the server proxy settings.

Zohocorp / Manageengine Log360
Published: Aug 29, 2021 · Updated: Jun 17, 2026 · CVSS v4: N/A · v3: 8.8 HIGH · v2: 6.8 MEDIUM
Zoho ManageEngine Log360 before Build 5219 allows a CSRF attack on proxy settings.