Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,359)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-28280 1Php Fusion 1Phpfusion Jun 17, 2026 Apr 29, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 CSRF + Cross-site scripting (XSS) vulnerability in search.php in PHPFusion 9.03.110 allows remote attackers to inject arbitrary web script or HTML
CVE-2020-22000 1Homeautomation Project 1Homeautomation Jun 17, 2026 Apr 27, 2021 N/A· v4 8.0 HIGH· v3 8.5 HIGH· v2 HomeAutomation 3.3.2 suffers from an authenticated OS command execution vulnerability using custom command v0.1 plugin. This can be exploited with a CSRF vulnerability to execute arbitrary shell commands as the web user...Show more HomeAutomation 3.3.2 suffers from an authenticated OS command execution vulnerability using custom command v0.1 plugin. This can be exploited with a CSRF vulnerability to execute arbitrary shell commands as the web user via the 'set_command_on' and 'set_command_off' POST parameters in '/system/systemplugins/customcommand/customcommand.plugin.php' by using an unsanitized PHP exec() function.Show less
CVE-2020-21989 1Homeautomation Project 1Homeautomation Jun 17, 2026 Apr 27, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 HomeAutomation 3.3.2 is affected by Cross Site Request Forgery (CSRF). The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. Th...Show more HomeAutomation 3.3.2 is affected by Cross Site Request Forgery (CSRF). The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.Show less
CVE-2021-31762 1Webmin 1Webmin Jun 17, 2026 Apr 25, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to create a privileged user through Webmin's add users feature, and then get a reverse shell through Webmin's running process feature.
CVE-2021-31760 1Webmin 1Webmin Jun 17, 2026 Apr 25, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to achieve Remote Command Execution (RCE) through Webmin's running process feature.
CVE-2021-31584 1Sipwise 1Next Generation Communication Platform Jun 17, 2026 Apr 23, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Sipwise C5 NGCP www_csc version 3.6.4 up to and including platform NGCP CE mr3.8.13 allows call/click2dial CSRF attacks for actions with administrative privileges.
CVE-2021-21644 1Jenkins 1Config File Provider Jun 17, 2026 Apr 21, 2021 N/A· v4 5.4 MEDIUM· v3 5.8 MEDIUM· v2 A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier allows attackers to delete configuration files corresponding to an attacker-specified ID.
CVE-2021-27181 1Altn 1Mdaemon Jun 17, 2026 Apr 14, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in MDaemon before 20.0.4. Remote Administration allows an attacker to perform a fixation of the anti-CSRF token. In order to exploit this issue, the user has to click on a malicious URL provided b...Show more An issue was discovered in MDaemon before 20.0.4. Remote Administration allows an attacker to perform a fixation of the anti-CSRF token. In order to exploit this issue, the user has to click on a malicious URL provided by the attacker and successfully authenticate into the application. Having the value of the anti-CSRF token, the attacker may trick the user into visiting his malicious page and performing any request with the privileges of attacked user.Show less
CVE-2021-31152 1Multilaser 1Ac1200 Re018 Firmware Jun 17, 2026 Apr 14, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Multilaser Router AC1200 V02.03.01.45_pt contains a cross-site request forgery (CSRF) vulnerability. An attacker can enable remote access, change passwords, and perform other actions through misconfigured requests, entri...Show more Multilaser Router AC1200 V02.03.01.45_pt contains a cross-site request forgery (CSRF) vulnerability. An attacker can enable remote access, change passwords, and perform other actions through misconfigured requests, entries, and headers.Show less
CVE-2021-29436 1Anuko 1Time Tracker Jun 17, 2026 Apr 13, 2021 N/A· v4 8.1 HIGH· v3 5.8 MEDIUM· v2 Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In Time Tracker before version 1.19.27.5431 a Cross site request forgery (CSRF) vulnerability existed. The nature of CSRF is that...Show more Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In Time Tracker before version 1.19.27.5431 a Cross site request forgery (CSRF) vulnerability existed. The nature of CSRF is that a logged on user may be tricked by social engineering to click on an attacker-provided form that executes an unintended action such as changing user password. The vulnerability is fixed in Time Tracker version 1.19.27.5431. Upgrade is recommended. If upgrade is not practical, introduce ttMitigateCSRF() function in /WEB-INF/lib/common.php.lib using the latest available code and call it from ttAccessAllowed().Show less
CVE-2021-29435 1Trestle Auth Project 1Trestle Auth Jun 17, 2026 Apr 13, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 trestle-auth is an authentication plugin for the Trestle admin framework. A vulnerability in trestle-auth versions 0.4.0 and 0.4.1 allows an attacker to create a form that will bypass Rails' built-in CSRF protection when...Show more trestle-auth is an authentication plugin for the Trestle admin framework. A vulnerability in trestle-auth versions 0.4.0 and 0.4.1 allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially allows an attacker to alter protected data, including admin account credentials. The vulnerability has been fixed in trestle-auth 0.4.2 released to RubyGems.Show less
CVE-2021-21731 1Zte 1Zxcloud Irai Jun 17, 2026 Apr 13, 2021 N/A· v4 8.1 HIGH· v3 5.8 MEDIUM· v2 A CSRF vulnerability exists in the management page of a ZTE product.The vulnerability is caused because the management page does not fully verify whether the request comes from a trusted user. The attacker could submit a...Show more A CSRF vulnerability exists in the management page of a ZTE product.The vulnerability is caused because the management page does not fully verify whether the request comes from a trusted user. The attacker could submit a malicious request to the affected device to delete the data. This affects: ZXCLOUD iRAI All versions up to KVM-ProductV6.03.04Show less
CVE-2021-21729 1Zte 2Zxhn H108n Firmware Zxhn H168n Firmware Jun 17, 2026 Apr 13, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Some ZTE products have CSRF vulnerability. Because some pages lack CSRF random value verification, attackers could perform illegal authorization operations by constructing messages.This affects: ZXHN H168N V3.5.0_EG1T5_T...Show more Some ZTE products have CSRF vulnerability. Because some pages lack CSRF random value verification, attackers could perform illegal authorization operations by constructing messages.This affects: ZXHN H168N V3.5.0_EG1T5_TE, V2.5.5, ZXHN H108N V2.5.5_BTMT1Show less
CVE-2021-29054 1Papoo 1Papoo Jun 17, 2026 Apr 13, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Certain Papoo products are affected by: Cross Site Request Forgery (CSRF) in the admin interface. This affects Papoo CMS Light through 21.02 and Papoo CMS Pro through 6.0.1. The impact is: gain privileges (remote).
CVE-2021-24231 1Patreon 1Patreon Wordpress Jun 17, 2026 Apr 12, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged administrator disconnect the site from Patreon by visiting a s...Show more The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged administrator disconnect the site from Patreon by visiting a specially crafted link.Show less
CVE-2021-24230 1Patreon 1Patreon Wordpress Jun 17, 2026 Apr 12, 2021 N/A· v4 8.1 HIGH· v3 5.8 MEDIUM· v2 The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged in user overwrite or create arbitrary user metadata on the vic...Show more The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged in user overwrite or create arbitrary user metadata on the victim’s account once visited. If exploited, this bug can be used to overwrite the “wp_capabilities” meta, which contains the affected user account’s roles and privileges. Doing this would essentially lock them out of the site, blocking them from accessing paid content.Show less
CVE-2021-24218 1Facebook 1Facebook Jun 17, 2026 Apr 12, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings...Show more The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved.Show less
CVE-2021-25327 1Skyworthdigital 1Rn510 Firmware Jun 17, 2026 Apr 9, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Skyworth Digital Technology RN510 V.3.1.0.4 contains a cross-site request forgery (CSRF) vulnerability in /cgi-bin/net-routeadd.asp and /cgi-bin/sec-urlfilter.asp. Missing CSRF protection in devices can lead to XSRF, as...Show more Skyworth Digital Technology RN510 V.3.1.0.4 contains a cross-site request forgery (CSRF) vulnerability in /cgi-bin/net-routeadd.asp and /cgi-bin/sec-urlfilter.asp. Missing CSRF protection in devices can lead to XSRF, as the above pages are vulnerable to cross-site scripting (XSS).Show less
CVE-2021-25326 1Skyworthdigital 1Rn510 Firmware Jun 17, 2026 Apr 9, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Skyworth Digital Technology RN510 V.3.1.0.4 is affected by an incorrect access control vulnerability in/cgi-bin/test_version.asp. If Wi-Fi is connected but an unauthenticated user visits a URL, the SSID password and web...Show more Skyworth Digital Technology RN510 V.3.1.0.4 is affected by an incorrect access control vulnerability in/cgi-bin/test_version.asp. If Wi-Fi is connected but an unauthenticated user visits a URL, the SSID password and web UI password may be disclosed.Show less
CVE-2020-21884 1Indionetworks 5Unibox U1000 Firmware Unibox U2500 FirmwareUnibox U5000 Firmware+2 more Jun 17, 2026 Apr 9, 2021 N/A· v4 8.8 HIGH· v3 9.3 HIGH· v2 Unibox SMB 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain a cross-site request forgery (CSRF) vulnerability in /tools/network-trace, /list_users, /list_byod?usertype=raduser, /dhcp_leases, /go?...Show more Unibox SMB 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain a cross-site request forgery (CSRF) vulnerability in /tools/network-trace, /list_users, /list_byod?usertype=raduser, /dhcp_leases, /go?rid=202 in which a specially crafted HTTP request may reconfigure the device.Show less

Previous 1...316317318...468 Next