Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,359)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-35972 1Yzmcms 1Yzmcms Jun 17, 2026 Jun 3, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in YzmCMS V5.8. There is a CSRF vulnerability that can add member user accounts via member/member/add.html.
CVE-2020-10771 3Infinispan NetappRedhat 3Data Grid Infinispan Server RestOncommand Insight Jun 17, 2026 Jun 2, 2021 N/A· v4 7.1 HIGH· v3 5.8 MEDIUM· v2 A flaw was found in Infinispan version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a cross-site request forgery (CSRF) atta...Show more A flaw was found in Infinispan version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a cross-site request forgery (CSRF) attack.Show less
CVE-2021-24333 1Content Copy Protection & Prevent Image Save Project 1Content Copy Protection & Prevent Image Save Jun 17, 2026 Jun 1, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 The Content Copy Protection & Prevent Image Save WordPress plugin through 1.3 does not check for CSRF when saving its settings, not perform any validation and sanitisation on them, allowing attackers to make a logged in...Show more The Content Copy Protection & Prevent Image Save WordPress plugin through 1.3 does not check for CSRF when saving its settings, not perform any validation and sanitisation on them, allowing attackers to make a logged in administrator set arbitrary XSS payloads in them.Show less
CVE-2021-24328 1Clogica 1Wp Login Security And History Jun 17, 2026 Jun 1, 2021 N/A· v4 6.2 MEDIUM· v3 3.5 LOW· v2 The WP Login Security and History WordPress plugin through 1.0 did not have CSRF check when saving its settings, not any sanitisation or validation on them. This could allow attackers to make logged in administrators cha...Show more The WP Login Security and History WordPress plugin through 1.0 did not have CSRF check when saving its settings, not any sanitisation or validation on them. This could allow attackers to make logged in administrators change the plugin's settings to arbitrary values, and set XSS payloads on them as wellShow less
CVE-2020-26641 1Idreamsoft 1Icms Jun 17, 2026 May 28, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A Cross Site Request Forgery (CSRF) vulnerability was discovered in iCMS 7.0.16 which can allow an attacker to execute arbitrary web scripts.
CVE-2019-14836 1Redhat 13scale Jun 17, 2026 May 26, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A vulnerability was found that the 3scale dev portal does not employ mechanisms for protection against login CSRF. An attacker could use this flaw to access unauthorized information or conduct further attacks.
CVE-2021-26034 1Joomla 1Joomla Jun 17, 2026 May 26, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in data download endpoints in com_banners and com_sysinfo.
CVE-2021-26033 1Joomla 1Joomla Jun 17, 2026 May 26, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint.
CVE-2021-20096 1Lucyparsonslabs 1Openoversight Jun 17, 2026 May 25, 2021 N/A· v4 8.1 HIGH· v3 5.8 MEDIUM· v2 Cross-site request forgery in OpenOversight 0.6.4 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
CVE-2020-25411 1Online Examination System Project 1Online Examination System Jun 17, 2026 May 24, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Projectworlds Online Examination System 1.0 is vulnerable to CSRF, which allows a remote attacker to delete the existing user.
CVE-2020-25408 1College Management System Project 1College Management System Jun 17, 2026 May 24, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A Cross-Site Request Forgery (CSRF) vulnerability exists in ProjectWorlds College Management System Php 1.0 that allows a remote attacker to modify, delete, or make a new entry of the student, faculty, teacher, subject,...Show more A Cross-Site Request Forgery (CSRF) vulnerability exists in ProjectWorlds College Management System Php 1.0 that allows a remote attacker to modify, delete, or make a new entry of the student, faculty, teacher, subject, scores, location, and article data.Show less
CVE-2021-21549 1Dell 1Xtremio Management Server Jun 17, 2026 May 21, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Dell EMC XtremIO Versions prior to 6.3.3-8, contain a Cross-Site Request Forgery Vulnerability in XMS. A non-privileged attacker could potentially exploit this vulnerability, leading to a privileged victim application us...Show more Dell EMC XtremIO Versions prior to 6.3.3-8, contain a Cross-Site Request Forgery Vulnerability in XMS. A non-privileged attacker could potentially exploit this vulnerability, leading to a privileged victim application user being tricked into sending state-changing requests to the vulnerable application, causing unintended server operations.Show less
CVE-2021-32632 1Pajbot 1Pajbot Jun 17, 2026 May 20, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Pajbot is a Twitch chat bot. Pajbot versions prior to 1.52 are vulnerable to cross-site request forgery (CSRF). Hosters of the bot should upgrade to `v1.52` or `stable` to install the patch or, as a workaround, can add o...Show more Pajbot is a Twitch chat bot. Pajbot versions prior to 1.52 are vulnerable to cross-site request forgery (CSRF). Hosters of the bot should upgrade to `v1.52` or `stable` to install the patch or, as a workaround, can add one modern dependency.Show less
CVE-2021-25931 1Opennms 2Horizon Meridian Jun 17, 2026 May 20, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian...Show more In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection at `/opennms/admin/userGroupView/users/updateUser`. This flaw allows assigning `ROLE_ADMIN` security role to a normal user. Using this flaw, an attacker can trick the admin user to assign administrator privileges to a normal user by enticing him to click upon an attacker-controlled website.Show less
CVE-2021-25930 1Opennms 2Horizon Meridian Jun 17, 2026 May 20, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian...Show more In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection, and since there is no validation of an existing user name while renaming a user. As a result, privileges of the renamed user are being overwritten by the old user and the old user is being deleted from the user list.Show less
CVE-2021-29624 1Fastify 1Fastify Csrf Jun 17, 2026 May 19, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deploye...Show more fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Version 3.1.0 of the fastify-csrf fixes it. the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.Show less
CVE-2020-24740 1Pluck Cms 1Pluck Jun 17, 2026 May 18, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage
CVE-2020-18198 1Pluck Cms 1Pluck Jun 17, 2026 May 17, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images."
CVE-2020-18195 1Pluck Cms 1Pluck Jun 17, 2026 May 17, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admin.php?action=page."
CVE-2021-24324 1Clogica 1All 404 Redirect To Homepage Jun 17, 2026 May 17, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 The 404 SEO Redirection WordPress plugin through 1.3 is lacking CSRF checks in all its settings, allowing attackers to make a logged in user change the plugin's settings. Due to the lack of sanitisation and escaping in s...Show more The 404 SEO Redirection WordPress plugin through 1.3 is lacking CSRF checks in all its settings, allowing attackers to make a logged in user change the plugin's settings. Due to the lack of sanitisation and escaping in some fields, it could also lead to Stored Cross-Site Scripting issuesShow less

Previous 1...314315316...468 Next