CWE-352

9,359 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.


CVEs (9,359)

Columns for each entry: Vendors, Products, Updated, Published, CVSS (v4 / v3 / v2), Description.

Vendors: Ibm | Products: Planning Analytics | Updated: Jun 17, 2026 | Published: Jun 29, 2021 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.3 MEDIUM
IBM Planning Analytics 2.0 could be vulnerable to cross-site request forgery (CSRF) which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 198241.

Vendors: Machform | Products: Machform | Updated: Jun 17, 2026 | Published: Jun 29, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Machform prior to version 16 is vulnerable to cross-site request forgery due to a lack of CSRF tokens in place.

Vendors: Juqingcms | Products: Juqingcms | Updated: Jun 17, 2026 | Published: Jun 22, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Cross Site Request Forgery (CSRF) in JuQingCMS v1.0 allows remote attackers to gain local privileges via the component "JuQingCMS_v1.0/admin/index.php?c=administrator&a=add".

Vendors: Icehrm | Products: Icehrm | Updated: Jun 17, 2026 | Published: Jun 22, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
A cross site request forgery (CSRF) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to create new admin accounts or change users' passwords.

Vendors: White Shark Systems Project | Products: White Shark Systems | Updated: Jun 17, 2026 | Published: Jun 21, 2021 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.3 MEDIUM
White Shark System (WSS) 1.3.2 is vulnerable to CSRF. Attackers can use the user_edit_password.php file to modify the user password.

Vendors: Trendnet | Products: Tw100 S4w1ca Firmware | Updated: Jun 17, 2026 | Published: Jun 17, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
In TrendNet TW100-S4W1CA 2.3.32, due to a lack of proper session controls, a threat actor could make unauthorized changes to an affected router via a specially crafted web page. If an authenticated user were to interact with a malicious web page it could allow for a complete takeover of the router.

Vendors: Civicrm | Products: Civicrm | Updated: Jun 17, 2026 | Published: Jun 17, 2021 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.3 MEDIUM
In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.

Vendors: Bloofox | Products: Bloofoxcms | Updated: Jun 17, 2026 | Published: Jun 16, 2021 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.3 MEDIUM
bloofoxCMS 0.5.2.1 is infected with a CSRF Attack that leads to an attacker editing any file content (Locally/Remotely).

Vendors: Gallery From Files Project | Products: Gallery From Files | Updated: Jun 17, 2026 | Published: Jun 14, 2021 | CVSS: v4 N/A, v3 6.1 MEDIUM, v2 4.3 MEDIUM
This Gallery from files WordPress plugin through 1.6.0 gives the functionality of uploading images to the server. But filenames are not properly sanitized before being output in an error message when they have an invalid extension, leading to a reflected Cross-Site Scripting issue. Due to the lack of CSRF check, the attack could also be performed via such vector.

Vendors: Drupal | Products: Drupal | Updated: Jun 17, 2026 | Published: Jun 11, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

Vendors: Paessler | Products: Prtg Network Monitor | Updated: Jun 17, 2026 | Published: Jun 10, 2021 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.3 MEDIUM
PRTG Network Monitor 20.1.55.1775 allows /editsettings CSRF for user account creation.

Vendors: Tp Link | Products: Tl Sg2005 Firmware, Tl Sg2008 Firmware | Updated: Jun 17, 2026 | Published: Jun 10, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
TP-Link TL-SG2005, TL-SG2008, etc. 1.0.0 Build 20180529 Rel.40524 is vulnerable to Cross Site Request Forgery (CSRF). All configuration information is placed in the URL, without any additional token authentication information. A malicious link opened by the switch administrator may cause the password of the switch to be modified and the configuration file to be tampered with.

Vendors: Jenkins | Products: Xebialabs Xl Deploy | Updated: Jun 17, 2026 | Published: Jun 10, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.0 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password credentials stored in Jenkins.

Vendors: Fedoraproject, Tiangolo | Products: Fastapi, Fedora | Updated: Jun 17, 2026 | Published: Jun 9, 2021 | CVSS: v4 N/A, v3 8.1 HIGH, v2 5.8 MEDIUM
FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack. In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json). A request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted. Requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. The browser will execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application. This is fixed in FastAPI 0.65.2. The request data is now parsed as JSON only if the content-type header is application/json or another JSON compatible media type like application/geo+json. It's best to upgrade to the latest FastAPI, but if updating is not possible then a middleware or a dependency that checks the content-type header and aborts the request if it is not application/json or another JSON compatible content type can act as a mitigating workaround.

Vendors: Cloverdx | Products: Cloverdx | Updated: Jun 17, 2026 | Published: Jun 9, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
A Cross Site Request Forgery (CSRF) issue in Server Console in CloverDX through 5.9.0 allows remote attackers to execute any action as the logged-in user (including script execution). The issue is resolved in CloverDX 5.10, CloverDX 5.9.1, CloverDX 5.8.2, and CloverDX 5.7.1.

Vendors: Vembu | Products: Bdr Suite, Offsite Dr | Updated: Jun 17, 2026 | Published: Jun 8, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Various Vembu products allow an attacker to execute a (non-blind) http-only Cross Site Request Forgery (Other products or versions of products in this family may be affected too.)

Vendors: Intland | Products: Codebeamer | Updated: Jun 17, 2026 | Published: Jun 8, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
A CSRF issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. Requests sent to the server that trigger actions do not contain a CSRF token and can therefore be entirely predicted allowing attackers to cause the victim's browser to execute undesired actions in the web application through crafted requests.

Vendors: Simple Log Project | Products: Simple Log | Updated: Jun 17, 2026 | Published: Jun 7, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Cross Site Request Forgery (CSRF) in Simple-Log v1.6 allows remote attackers to gain privilege and execute arbitrary code via the component "Simple-Log/admin/admin.php?act=act_add_member".

Vendors: Simple Log Project | Products: Simple Log | Updated: Jun 17, 2026 | Published: Jun 7, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Cross Site Request Forgery (CSRF) in Simple-Log v1.6 allows remote attackers to gain privilege and execute arbitrary code via the component "Simple-Log/admin/admin.php?act=act_edit_member".

Vendors: Bloofox | Products: Bloofoxcms | Updated: Jun 17, 2026 | Published: Jun 4, 2021 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.3 MEDIUM
BloofoxCMS 0.5.2.1 allows Cross-Site Request Forgery (CSRF) via 'mode=settings&page=editor', as demonstrated by use of 'mode=settings&page=editor' to change any file content (Locally/Remotely).