CWE-352

9,359 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.


CVEs (9,359)

Each entry below lists the vendor(s) and product(s), the date the entry was last updated and the date it was published, the CVSS v4, v3 and v2 scores, and the CVE description.
Vendor: Jenkins | Product: Owasp Dependency Track | Updated: Jun 17, 2026 | Published: Mar 30, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

Vendor: Jenkins | Product: Build With Parameters | Updated: Jun 17, 2026 | Published: Mar 30, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Build With Parameters Plugin 1.5 and earlier allows attackers to build a project with attacker-specified parameters.

Vendor: Insma | Product: Wifi Mini Spy 1080p Hd Security Ip Camera Firmware | Updated: Jun 17, 2026 | Published: Mar 30, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Cross Site Request Forgery (CSRF) vulnerability in INSMA Wifi Mini Spy 1080P HD Security IP Camera 1.9.7 B, via all fields to WebUI.

Vendor: Hidglobal | Products: Omnikey 5127 Firmware, Omnikey 5427 Firmware | Updated: Jun 17, 2026 | Published: Mar 24, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
HID OMNIKEY 5427 and OMNIKEY 5127 readers are vulnerable to CSRF when using the EEM driver (Ethernet Emulation Mode). By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to upload a configuration file to the device. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

Vendor: Seeddms | Product: Seeddms | Updated: Jun 17, 2026 | Published: Mar 18, 2021 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.3 MEDIUM
SeedDMS 5.1.x is affected by cross-site request forgery (CSRF) in out.EditFolder.php.

Vendor: Seeddms | Product: Seeddms | Updated: Jun 17, 2026 | Published: Mar 18, 2021 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.3 MEDIUM
SeedDMS 5.1.x is affected by cross-site request forgery (CSRF) in out.EditDocument.php.

Vendor: Activecampaign | Product: Activecampaign | Updated: Jun 17, 2026 | Published: Mar 18, 2021 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.3 MEDIUM
Lack of CSRF checks in the ActiveCampaign WordPress plugin, versions before 8.0.2, on its Settings form, which could allow an attacker to make a logged-in administrator change API Credentials to the attacker's account.

Vendor: Jenkins | Product: Libvirt Agents | Updated: Jun 17, 2026 | Published: Mar 18, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
A cross-site request forgery (CSRF) vulnerability in Jenkins Libvirt Agents Plugin 1.9.0 and earlier allows attackers to stop hypervisor domains.

Vendor: Getgrav | Product: Grav Cms | Updated: Jun 17, 2026 | Published: Mar 15, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 5.1 MEDIUM
The Scheduler in Grav CMS through 1.7.0-rc.17 allows an attacker to execute a system command by tricking an admin into visiting a malicious website (CSRF).

Vendor: Quadbase | Product: Espressdashboard | Updated: Jun 17, 2026 | Published: Mar 15, 2021 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.3 MEDIUM
An issue was discovered in Quadbase ExpressDashboard (EDAB) 7 Update 9. It allows CSRF. An attacker may be able to trick an authenticated user into changing the email address associated with their account.

Vendor: Quadbase | Product: Espressreports Es | Updated: Jun 17, 2026 | Published: Mar 11, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
An issue was discovered in Quadbase EspressReports ES 7 Update 9. It allows CSRF, whereby an attacker may be able to trick an authenticated admin level user into uploading malicious files to the web server.

Vendor: Quadbase | Product: Espressreports Es | Updated: Jun 17, 2026 | Published: Mar 11, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
An issue was discovered in Quadbase EspressReports ES 7 Update 9. An unauthenticated attacker can create a malicious HTML file that houses a POST request made to the DashboardBuilder within the target web application. This request will utilise the target admin session and perform the authenticated request (to change the Dashboard name) as if the victim had done so themselves, aka CSRF.

Vendor: Bloomreach | Product: Experience Manager | Updated: Jun 17, 2026 | Published: Mar 11, 2021 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.3 MEDIUM
An issue was discovered in Bloomreach Experience Manager (brXM) 4.1.0 through 14.2.2. It allows CSRF if the attacker uses GET where POST was intended.

Vendor: Netgear | Products: Gs116e Firmware, Jgs516pe Firmware | Updated: Jun 17, 2026 | Published: Mar 10, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
The CSRF protection mechanism implemented in the web administration panel on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices could be bypassed by omitting the CSRF token parameter in HTTP requests.

Vendor: Thedaylightstudio | Product: Fuel Cms | Updated: Jun 17, 2026 | Published: Mar 10, 2021 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.3 MEDIUM
FUEL CMS 1.4.13 contains a cross-site request forgery (CSRF) vulnerability that can delete a page via a post ID to /pages/delete/3.

Vendor: Maxum | Product: Rumpus | Updated: Jun 17, 2026 | Published: Mar 8, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Maxum Rumpus 8.2.13 and 8.2.14 is affected by cross-site request forgery (CSRF). If an authenticated user visits a malicious page, unintended actions could be performed in the web application as the authenticated user.

Vendor: Secomea | Product: Gatemanager Firmware | Updated: Jun 17, 2026 | Published: Mar 5, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in web GUI of Secomea GateManager allows an attacker to execute malicious code. This issue affects: Secomea GateManager All versions prior to 9.4.

Vendor: Arubanetworks | Product: Airwave | Updated: Jun 17, 2026 | Published: Mar 5, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
A remote unauthenticated cross-site request forgery (csrf) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. A vulnerability in the AirWave web-based management interface could allow an unauthenticated remote attacker to conduct a CSRF attack against a vulnerable system. A successful exploit would consist of an attacker persuading an authorized user to follow a malicious link, resulting in arbitrary actions being carried out with the privilege level of the targeted user.

Vendor: Arubanetworks | Product: Airwave | Updated: Jun 17, 2026 | Published: Mar 5, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
A remote unauthenticated cross-site request forgery (csrf) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. A vulnerability in the AirWave web-based management interface could allow an unauthenticated remote attacker to conduct a CSRF attack against a vulnerable system. A successful exploit would consist of an attacker persuading an authorized user to follow a malicious link, resulting in arbitrary actions being carried out with the privilege level of the targeted user.

Vendor: Zabbix | Product: Zabbix | Updated: Jun 17, 2026 | Published: Mar 3, 2021 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.