CWE-352

9,359 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.


CVEs (9,359)

Columns: Vendors (count) | Products (count) | Updated | Published | CVSS (v4 / v3 / v2), followed by the CVE description.

Vendors: Yourls (1) | Products: Yourls (1) | Updated: Jun 17, 2026 | Published: Aug 26, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  yourls is vulnerable to Improper Restriction of Rendered UI Layers or Frames

Vendors: Popojicms (1) | Products: Popojicms (1) | Updated: Jun 17, 2026 | Published: Aug 25, 2021 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.3 MEDIUM
  Cross Site Request Forgery (CSRF) vulnerability exists in PopojiCMS 2.0.1 in po-admin/route.php?mod=user&act=multidelete.

Vendors: Dedecms (1) | Products: Dedecms (1) | Updated: Jun 17, 2026 | Published: Aug 24, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  The plus/search.php component in DedeCMS 5.7 SP2 allows remote attackers to execute arbitrary PHP code via the typename parameter because the contents of typename.inc are under an attacker's control.

Vendors: Joplinapp (1) | Products: Joplin (1) | Updated: Jun 17, 2026 | Published: Aug 24, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  The package joplin before 2.3.2 is vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms.

Vendors: Firefly Iii (1) | Products: Firefly Iii (1) | Updated: Jun 17, 2026 | Published: Aug 23, 2021 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.3 MEDIUM
  firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

Vendors: Firefly Iii (1) | Products: Firefly Iii (1) | Updated: Jun 17, 2026 | Published: Aug 23, 2021 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.3 MEDIUM
  firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

Vendors: Firefly Iii (1) | Products: Firefly Iii (1) | Updated: Jun 17, 2026 | Published: Aug 23, 2021 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.3 MEDIUM
  firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

Vendors: Contact Form 7 Captcha Project (1) | Products: Contact Form 7 Captcha (1) | Updated: Jun 17, 2026 | Published: Aug 23, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing an attacker to make a logged-in user with manage_options change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue.

Vendors: Roosty (1) | Products: Diary Availability Calendar (1) | Updated: Jun 17, 2026 | Published: Aug 23, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
  The daac_delete_booking_callback function, hooked to the daac_delete_booking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the AJAX action is lacking any CSRF and capability check, making it available to any authenticated user.

Vendors: Altus (1) | Products: Hadron Xtorm Hx3040 Firmware, Nexto Nx3003 Firmware, Nexto Nx3004 Firmware, +12 more (15) | Updated: Jun 17, 2026 | Published: Aug 23, 2021 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.3 MEDIUM
  Cross-Site Request Forgery (CSRF) exists on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices via any CGI endpoint. This affects Nexto NX3003 1.8.11.0, Nexto NX3004 1.8.11.0, Nexto NX3005 1.8.11.0, Nexto NX3010 1.8.3.0, Nexto NX3020 1.8.3.0, Nexto NX3030 1.8.3.0, Nexto NX5100 1.8.11.0, Nexto NX5101 1.8.11.0, Nexto NX5110 1.1.2.8, Nexto NX5210 1.1.2.8, Nexto Xpress XP300 1.8.11.0, Nexto Xpress XP315 1.8.11.0, Nexto Xpress XP325 1.8.11.0, Nexto Xpress XP340 1.8.11.0, and Hadron Xtorm HX3040 1.7.58.0.

Vendors: Ponzu Cms (1) | Products: Ponzu (1) | Updated: Jun 17, 2026 | Published: Aug 20, 2021 | CVSS: v4 N/A, v3 8.1 HIGH, v2 4.3 MEDIUM
  A cross site request forgery (CSRF) vulnerability in the configure.html component of Ponzu 0.11.0 allows attackers to change user and administrator credentials, and add or delete administrator accounts.

Vendors: Owasp (1) | Products: Csrfguard (1) | Updated: Jun 17, 2026 | Published: Aug 19, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  In OWASP CSRFGuard through 3.1.0, CSRF can occur because the CSRF cookie may be retrieved by using only a session token.

Vendors: Eyoucms (1) | Products: Eyoucms (1) | Updated: Jun 17, 2026 | Published: Aug 19, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  Cross Site Request Forgery (CSRF) vulnerability exists in EyouCMS 1.3.6 that can add an htm page to execute the js code via login.php?m=admin&c=Filemanager&a=newfile&lang=cn.

Vendors: Wpeasycart (1) | Products: Shopping Cart & Ecommerce Store (1) | Updated: Jun 17, 2026 | Published: Aug 19, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  The Shopping Cart & eCommerce Store WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_currency_settings function found in the ~/admin/inc/wp_easycart_admin_initial_setup.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 5.1.0.

Vendors: Eyoucms (1) | Products: Eyoucms (1) | Updated: Jun 17, 2026 | Published: Aug 18, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
  Cross Site Request Forgery (CSRF) vulnerability exists in Eyoucms 1.3.6 that can add an admin account via /login.php?m=admin&c=Admin&a=admin_add&lang=cn.

Vendors: Cybozu (1) | Products: Garoon (1) | Updated: Jun 17, 2026 | Published: Aug 18, 2021 | CVSS: v4 N/A, v3 8.0 HIGH, v2 6.0 MEDIUM
  Cross-site request forgery (CSRF) vulnerability in Message of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to hijack the authentication of administrators and perform an arbitrary operation via unspecified vectors.

Vendors: Seacms (1) | Products: Seacms (1) | Updated: Jun 17, 2026 | Published: Aug 17, 2021 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.3 MEDIUM
  Cross Site Request Forgery (CSRF) vulnerability exists in SeaCMS 10.7 in admin_manager.php, which could let a malicious user add an admin account.

Vendors: Ibm (1) | Products: Datapower Gateway (1) | Updated: Jun 17, 2026 | Published: Aug 17, 2021 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.3 MEDIUM
  IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.16 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 192737.

Vendors: Custom Login Redirect Project (1) | Products: Custom Login Redirect (1) | Updated: Jun 17, 2026 | Published: Aug 16, 2021 | CVSS: v4 N/A, v3 6.1 MEDIUM, v2 4.3 MEDIUM
  The Custom Login Redirect WordPress plugin through 1.0.0 does not have a CSRF check in place when saving its settings, and does not sanitise or escape user input before outputting it back in the page, leading to a Stored Cross-Site Scripting issue.

Vendors: Light Messages Project (1) | Products: Light Messages (1) | Updated: Jun 17, 2026 | Published: Aug 16, 2021 | CVSS: v4 N/A, v3 6.1 MEDIUM, v2 4.3 MEDIUM
  The Light Messages WordPress plugin through 1.0 is lacking a CSRF check when updating its settings, and is not sanitising its Message Content in them (even with unfiltered_html disallowed). As a result, an attacker could make a logged-in admin update the settings to arbitrary values, and set a Cross-Site Scripting payload in the Message Content. Depending on the options set, the XSS payload can be triggered either in the backend only (in the plugin's settings), or in both frontend and backend.